add default ledger api audience to all m2m apps (#2691)

Signed-off-by: Itai Segall <itai.segall@digitalasset.com>

Author: isegall-da

cluster/expected/infra/expected.json

@@ -3381,6 +3381,20 @@
     "provider": "urn:pulumi:test-stack::test-project::pulumi:providers:auth0::dev::undefined_id",
     "type": "auth0:index/clientGrant:ClientGrant"
   },
+  {
+    "custom": true,
+    "id": "",
+    "inputs": {
+      "audience": "https://canton.network.global",
+      "clientId": "SV1 SV Backend (Pulumi managed, test-stack)_id",
+      "scopes": [
+        "daml_ledger_api"
+      ]
+    },
+    "name": "sv1SvBackendAppLedgerGrant",
+    "provider": "urn:pulumi:test-stack::test-project::pulumi:providers:auth0::dev::undefined_id",
+    "type": "auth0:index/clientGrant:ClientGrant"
+  },
   {
     "custom": true,
     "id": "",
@@ -3475,6 +3489,20 @@
     "provider": "urn:pulumi:test-stack::test-project::pulumi:providers:auth0::dev::undefined_id",
     "type": "auth0:index/clientGrant:ClientGrant"
   },
+  {
+    "custom": true,
+    "id": "",
+    "inputs": {
+      "audience": "https://canton.network.global",
+      "clientId": "SV1 Validator Backend (Pulumi managed, test-stack)_id",
+      "scopes": [
+        "daml_ledger_api"
+      ]
+    },
+    "name": "sv1ValidatorBackendAppLedgerGrant",
+    "provider": "urn:pulumi:test-stack::test-project::pulumi:providers:auth0::dev::undefined_id",
+    "type": "auth0:index/clientGrant:ClientGrant"
+  },
   {
     "custom": true,
     "id": "",
@@ -3513,6 +3541,20 @@
     "provider": "urn:pulumi:test-stack::test-project::pulumi:providers:auth0::dev::undefined_id",
     "type": "auth0:index/clientGrant:ClientGrant"
   },
+  {
+    "custom": true,
+    "id": "",
+    "inputs": {
+      "audience": "https://canton.network.global",
+      "clientId": "SVDA1 SV Backend (Pulumi managed, test-stack)_id",
+      "scopes": [
+        "daml_ledger_api"
+      ]
+    },
+    "name": "svda1SvBackendAppLedgerGrant",
+    "provider": "urn:pulumi:test-stack::test-project::pulumi:providers:auth0::dev::undefined_id",
+    "type": "auth0:index/clientGrant:ClientGrant"
+  },
   {
     "custom": true,
     "id": "",
@@ -3607,6 +3649,20 @@
     "provider": "urn:pulumi:test-stack::test-project::pulumi:providers:auth0::dev::undefined_id",
     "type": "auth0:index/clientGrant:ClientGrant"
   },
+  {
+    "custom": true,
+    "id": "",
+    "inputs": {
+      "audience": "https://canton.network.global",
+      "clientId": "SVDA1 Validator Backend (Pulumi managed, test-stack)_id",
+      "scopes": [
+        "daml_ledger_api"
+      ]
+    },
+    "name": "svda1ValidatorBackendAppLedgerGrant",
+    "provider": "urn:pulumi:test-stack::test-project::pulumi:providers:auth0::dev::undefined_id",
+    "type": "auth0:index/clientGrant:ClientGrant"
+  },
   {
     "custom": true,
     "id": "",

cluster/pulumi/infra/src/auth0.ts

@@ -137,6 +137,22 @@ function newM2MApp(
       }
     );
 
+    if (ledgerApiAudValue !== 'https://canton.network.global') {
+      // TODO(DACH-NY/canton-network-internal#2206): For now, we also grant all apps access to the old default ledger API
+      // audience, to un-break it until we clean up the audiences we use.
+      new auth0.ClientGrant(
+        `${resourceName}LedgerGrant`,
+        {
+          clientId: ret.id,
+          audience: 'https://canton.network.global',
+          scopes: ['daml_ledger_api'],
+        },
+        {
+          provider: auth0DomainProvider,
+        }
+      );
+    }
+
     if (ledgerApiAudValue !== appAudValue) {
       new auth0.ClientGrant(
         `${resourceName}AppGrant`,