Merge branch 'main' into renovate/github-actions

Author: KT-Doan

docs/resources/custom_domain.md

@@ -0,0 +1,75 @@
+---
+page_title: "ory_custom_domain Resource - ory"
+subcategory: ""
+description: |-
+  Manages an Ory Network custom domain.
+---
+
+# ory_custom_domain (Resource)
+
+Manages an Ory Network custom domain.
+
+Custom domains allow you to expose Ory APIs on your own domain (e.g., `auth.example.com`) instead of the default
+`{slug}.projects.oryapis.com` domain. This is the correct way to configure session cookie domains on Ory Network —
+the reverse proxy rewrites cookies to use the `cookie_domain` you specify.
+
+-> **Plan:** Custom domains may require specific Ory Network plan features. Check your plan's quota for available custom domains.
+
+~> **DNS Required:** After creating a custom domain, you must add a CNAME record pointing your hostname to Ory.
+Monitor the `verification_status` attribute to track DNS verification progress.
+
+## Example Usage
+
+```terraform
+# Basic custom domain
+resource "ory_custom_domain" "auth" {
+  hostname      = "auth.example.com"
+  cookie_domain = "example.com"
+}
+
+# Custom domain with CORS and custom UI
+resource "ory_custom_domain" "full" {
+  hostname      = "auth.example.com"
+  cookie_domain = "example.com"
+
+  cors_enabled         = true
+  cors_allowed_origins = ["https://app.example.com", "https://admin.example.com"]
+  custom_ui_base_url   = "https://app.example.com/auth"
+}
+```
+
+## Import
+
+Custom domains can be imported using either format:
+
+```shell
+# Import with explicit project ID
+terraform import ory_custom_domain.auth <project-id>/<custom-domain-id>
+
+# Import using provider-level project_id
+terraform import ory_custom_domain.auth <custom-domain-id>
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `hostname` (String) The custom hostname where the API will be exposed (e.g., 'auth.example.com').
+
+### Optional
+
+- `cookie_domain` (String) The domain where session cookies will be set. Must be a parent domain of the hostname (e.g., 'example.com' for hostname 'auth.example.com').
+- `cors_allowed_origins` (List of String) CORS allowed origins for the custom hostname (max 50).
+- `cors_enabled` (Boolean) Whether CORS is enabled for the custom hostname.
+- `custom_ui_base_url` (String) The base URL where the custom user interface is exposed (e.g., 'https://app.example.com/auth').
+- `project_id` (String) The project ID. If not set, uses the provider's project_id.
+
+### Read-Only
+
+- `created_at` (String) Timestamp when the custom domain was created.
+- `id` (String) The unique identifier of the custom domain.
+- `ssl_status` (String) SSL certificate status of the custom domain.
+- `updated_at` (String) Timestamp when the custom domain was last updated.
+- `verification_errors` (List of String) DNS verification errors, if any.
+- `verification_status` (String) DNS verification status of the custom domain (e.g., 'pending', 'active').

docs/resources/social_provider.md

@@ -33,6 +33,18 @@ The `provider_type` attribute determines which OAuth2/OIDC integration to use:
 
 ~> **Note:** When using `provider_type = "generic"`, you **must** set `issuer_url` to the OIDC issuer URL. The provider uses OIDC discovery to find authorization and token endpoints automatically.
 
+## Apple Sign-In
+
+Apple uses a non-standard authentication flow. Instead of a static `client_secret`, Apple requires:
+
+- **`apple_team_id`** — Your Apple Developer Team ID (e.g., `KP76DQS54M`)
+- **`apple_private_key_id`** — The key ID from the Apple Developer portal (e.g., `UX56C66723`)
+- **`apple_private_key`** — The private key in PEM format (the contents of your `.p8` file)
+
+Ory uses these to automatically generate the JWT `client_secret` required by Apple's OAuth2 flow. You do **not** need to set `client_secret` when using Apple-specific fields.
+
+Alternatively, you may provide a pre-generated `client_secret` directly if you prefer to manage the JWT yourself.
+
 ## Example Usage
 
 ```terraform
@@ -64,13 +76,15 @@ resource "ory_social_provider" "microsoft" {
   scope         = ["openid", "profile", "email"]
 }
 
-# Apple Sign-In
+# Apple Sign-In (using Apple-specific credentials)
 resource "ory_social_provider" "apple" {
-  provider_id   = "apple"
-  provider_type = "apple"
-  client_id     = var.apple_client_id
-  client_secret = var.apple_client_secret
-  scope         = ["email", "name"]
+  provider_id          = "apple"
+  provider_type        = "apple"
+  client_id            = var.apple_service_id
+  apple_team_id        = var.apple_team_id
+  apple_private_key_id = var.apple_private_key_id
+  apple_private_key    = var.apple_private_key
+  scope                = ["email", "name"]
 }
 
 # Generic OIDC Provider with custom claims mapping
@@ -129,13 +143,25 @@ variable "azure_tenant_id" {
   type = string
 }
 
-variable "apple_client_id" {
-  type = string
+variable "apple_service_id" {
+  description = "Apple Service ID (e.g., com.example.auth)"
+  type        = string
 }
 
-variable "apple_client_secret" {
-  type      = string
-  sensitive = true
+variable "apple_team_id" {
+  description = "Apple Developer Team ID"
+  type        = string
+}
+
+variable "apple_private_key_id" {
+  description = "Apple private key ID from the Developer portal"
+  type        = string
+}
+
+variable "apple_private_key" {
+  description = "Apple private key in PEM format (.p8 file contents)"
+  type        = string
+  sensitive   = true
 }
 
 variable "sso_client_id" {
@@ -173,6 +199,7 @@ If not set, the provider uses a default mapper that extracts the email claim.
 - **`provider_id` and `provider_type` cannot be changed** after creation. Changing either forces a new resource.
 - **`client_secret` is write-only.** The API does not return secrets on read, so Terraform cannot detect external changes to the secret.
 - **`tenant` maps to `microsoft_tenant`** in the Ory API. This is only used with `provider_type = "microsoft"`.
+- **Apple-specific fields** (`apple_team_id`, `apple_private_key_id`, `apple_private_key`) are only valid with `provider_type = "apple"`. The `apple_private_key` is write-only (not returned by API).
 - **Deleting the last provider** resets the entire OIDC configuration to a disabled state with an empty providers array.
 
 ## Import
@@ -183,21 +210,27 @@ Import using the provider ID:
 terraform import ory_social_provider.google google
 ```
 
-The `provider_id` is the unique identifier you chose when creating the provider. After import, you must provide `client_secret` in your configuration since it cannot be read from the API.
+The `provider_id` is the unique identifier you chose when creating the provider. After import, you must provide write-only credentials in your configuration since they cannot be read from the API:
+
+- **Non-Apple providers:** Set `client_secret`.
+- **Apple providers:** Set either `client_secret` (pre-generated JWT) or all three Apple-specific fields (`apple_team_id`, `apple_private_key_id`, and `apple_private_key`).
 
 <!-- schema generated by tfplugindocs -->
 ## Schema
 
 ### Required
 
 - `client_id` (String) OAuth2 client ID from the provider.
-- `client_secret` (String, Sensitive) OAuth2 client secret from the provider.
 - `provider_id` (String) Unique identifier for the provider (used in callback URLs).
 - `provider_type` (String) Provider type (google, github, microsoft, apple, generic, etc.).
 
 ### Optional
 
+- `apple_private_key` (String, Sensitive) Apple private key in PEM format (contents of the .p8 file). Required when provider_type is "apple" and client_secret is not set. Ory uses this to generate the JWT client secret automatically.
+- `apple_private_key_id` (String) Apple private key ID from the Apple Developer portal (e.g., "UX56C66723"). Required when provider_type is "apple" and client_secret is not set.
+- `apple_team_id` (String) Apple Developer Team ID (e.g., "KP76DQS54M"). Required when provider_type is "apple" and client_secret is not set.
 - `auth_url` (String) Custom authorization URL (for non-standard providers).
+- `client_secret` (String, Sensitive) OAuth2 client secret from the provider. Required for all providers except Apple (where Ory generates the secret from apple_team_id, apple_private_key_id, and apple_private_key).
 - `issuer_url` (String) OIDC issuer URL (required for generic providers).
 - `mapper_url` (String) Jsonnet mapper URL for claims mapping. Can be a URL or base64-encoded Jsonnet (base64://...). If not set, a default mapper that extracts email from claims will be used.
 - `project_id` (String) Project ID. If not set, uses provider's project_id.

examples/resources/ory_custom_domain/resource.tf

@@ -0,0 +1,15 @@
+# Basic custom domain
+resource "ory_custom_domain" "auth" {
+  hostname      = "auth.example.com"
+  cookie_domain = "example.com"
+}
+
+# Custom domain with CORS and custom UI
+resource "ory_custom_domain" "full" {
+  hostname      = "auth.example.com"
+  cookie_domain = "example.com"
+
+  cors_enabled         = true
+  cors_allowed_origins = ["https://app.example.com", "https://admin.example.com"]
+  custom_ui_base_url   = "https://app.example.com/auth"
+}

examples/resources/ory_social_provider/resource.tf

@@ -26,13 +26,15 @@ resource "ory_social_provider" "microsoft" {
   scope         = ["openid", "profile", "email"]
 }
 
-# Apple Sign-In
+# Apple Sign-In (using Apple-specific credentials)
 resource "ory_social_provider" "apple" {
-  provider_id   = "apple"
-  provider_type = "apple"
-  client_id     = var.apple_client_id
-  client_secret = var.apple_client_secret
-  scope         = ["email", "name"]
+  provider_id          = "apple"
+  provider_type        = "apple"
+  client_id            = var.apple_service_id
+  apple_team_id        = var.apple_team_id
+  apple_private_key_id = var.apple_private_key_id
+  apple_private_key    = var.apple_private_key
+  scope                = ["email", "name"]
 }
 
 # Generic OIDC Provider with custom claims mapping
@@ -91,13 +93,25 @@ variable "azure_tenant_id" {
   type = string
 }
 
-variable "apple_client_id" {
-  type = string
+variable "apple_service_id" {
+  description = "Apple Service ID (e.g., com.example.auth)"
+  type        = string
 }
 
-variable "apple_client_secret" {
-  type      = string
-  sensitive = true
+variable "apple_team_id" {
+  description = "Apple Developer Team ID"
+  type        = string
+}
+
+variable "apple_private_key_id" {
+  description = "Apple private key ID from the Developer portal"
+  type        = string
+}
+
+variable "apple_private_key" {
+  description = "Apple private key in PEM format (.p8 file contents)"
+  type        = string
+  sensitive   = true
 }
 
 variable "sso_client_id" {