Merge pull request #77 from ory/feat/session-cookie-domain-path

feat: add ory_custom_domain resource for managing custom domains

Author: KT-Doan

docs/resources/custom_domain.md

@@ -0,0 +1,75 @@
+---
+page_title: "ory_custom_domain Resource - ory"
+subcategory: ""
+description: |-
+  Manages an Ory Network custom domain.
+---
+
+# ory_custom_domain (Resource)
+
+Manages an Ory Network custom domain.
+
+Custom domains allow you to expose Ory APIs on your own domain (e.g., `auth.example.com`) instead of the default
+`{slug}.projects.oryapis.com` domain. This is the correct way to configure session cookie domains on Ory Network —
+the reverse proxy rewrites cookies to use the `cookie_domain` you specify.
+
+-> **Plan:** Custom domains may require specific Ory Network plan features. Check your plan's quota for available custom domains.
+
+~> **DNS Required:** After creating a custom domain, you must add a CNAME record pointing your hostname to Ory.
+Monitor the `verification_status` attribute to track DNS verification progress.
+
+## Example Usage
+
+```terraform
+# Basic custom domain
+resource "ory_custom_domain" "auth" {
+  hostname      = "auth.example.com"
+  cookie_domain = "example.com"
+}
+
+# Custom domain with CORS and custom UI
+resource "ory_custom_domain" "full" {
+  hostname      = "auth.example.com"
+  cookie_domain = "example.com"
+
+  cors_enabled         = true
+  cors_allowed_origins = ["https://app.example.com", "https://admin.example.com"]
+  custom_ui_base_url   = "https://app.example.com/auth"
+}
+```
+
+## Import
+
+Custom domains can be imported using either format:
+
+```shell
+# Import with explicit project ID
+terraform import ory_custom_domain.auth <project-id>/<custom-domain-id>
+
+# Import using provider-level project_id
+terraform import ory_custom_domain.auth <custom-domain-id>
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `hostname` (String) The custom hostname where the API will be exposed (e.g., 'auth.example.com').
+
+### Optional
+
+- `cookie_domain` (String) The domain where session cookies will be set. Must be a parent domain of the hostname (e.g., 'example.com' for hostname 'auth.example.com').
+- `cors_allowed_origins` (List of String) CORS allowed origins for the custom hostname (max 50).
+- `cors_enabled` (Boolean) Whether CORS is enabled for the custom hostname.
+- `custom_ui_base_url` (String) The base URL where the custom user interface is exposed (e.g., 'https://app.example.com/auth').
+- `project_id` (String) The project ID. If not set, uses the provider's project_id.
+
+### Read-Only
+
+- `created_at` (String) Timestamp when the custom domain was created.
+- `id` (String) The unique identifier of the custom domain.
+- `ssl_status` (String) SSL certificate status of the custom domain.
+- `updated_at` (String) Timestamp when the custom domain was last updated.
+- `verification_errors` (List of String) DNS verification errors, if any.
+- `verification_status` (String) DNS verification status of the custom domain (e.g., 'pending', 'active').

examples/resources/ory_custom_domain/resource.tf

@@ -0,0 +1,15 @@
+# Basic custom domain
+resource "ory_custom_domain" "auth" {
+  hostname      = "auth.example.com"
+  cookie_domain = "example.com"
+}
+
+# Custom domain with CORS and custom UI
+resource "ory_custom_domain" "full" {
+  hostname      = "auth.example.com"
+  cookie_domain = "example.com"
+
+  cors_enabled         = true
+  cors_allowed_origins = ["https://app.example.com", "https://admin.example.com"]
+  custom_ui_base_url   = "https://app.example.com/auth"
+}

internal/client/client.go

@@ -1,12 +1,14 @@
 package client
 
 import (
+	"bytes"
 	"context"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
 	"net/http"
+	"net/url"
 	"strings"
 	"sync"
 	"time"
@@ -15,6 +17,9 @@ import (
 	"github.com/ory/x/urlx"
 )
 
+// ErrCustomDomainNotFound is returned when a custom domain ID is not found in the project's domain list.
+var ErrCustomDomainNotFound = errors.New("custom domain not found")
+
 const (
 	// maxRetries is the maximum number of retry attempts for rate-limited requests.
 	maxRetries = 3
@@ -1282,6 +1287,148 @@ func (c *OryClient) ListIdentitySchemas(ctx context.Context) ([]ory.IdentitySche
 	return schemas, nil
 }
 
+// Custom Domain (CNAME) operations
+// The Ory SDK does not generate API methods for custom domains,
+// so we use raw HTTP calls against the console API.
+
+// consoleHTTPDo executes a raw HTTP request against the console API.
+func (c *OryClient) consoleHTTPDo(ctx context.Context, method, path string, body io.Reader) (*http.Response, error) {
+	if c.config.WorkspaceAPIKey == "" || c.config.ConsoleAPIURL == "" {
+		return nil, fmt.Errorf("workspace_api_key and console_api_url must be configured for custom domain operations")
+	}
+	baseURL, err := url.Parse(c.config.ConsoleAPIURL)
+	if err != nil {
+		return nil, fmt.Errorf("invalid console_api_url %q: %w", c.config.ConsoleAPIURL, err)
+	}
+	requestURL := baseURL.JoinPath(path)
+	req, err := http.NewRequestWithContext(ctx, method, requestURL.String(), body)
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Set("Authorization", "Bearer "+c.config.WorkspaceAPIKey)
+	if body != nil {
+		req.Header.Set("Content-Type", "application/json")
+	}
+	httpClient := http.DefaultClient
+	if c.consoleClient != nil {
+		if cfg := c.consoleClient.GetConfig(); cfg.HTTPClient != nil {
+			httpClient = cfg.HTTPClient
+		}
+	}
+	return httpClient.Do(req) // #nosec G704 -- URL is constructed from trusted provider configuration
+}
+
+// ListCustomDomains lists all custom domains for a project.
+func (c *OryClient) ListCustomDomains(ctx context.Context, projectID string) ([]ory.CustomDomain, error) {
+	httpResp, err := c.consoleHTTPDo(ctx, http.MethodGet, "/projects/"+projectID+"/cname", nil)
+	if err != nil {
+		return nil, wrapAPIError(err, "listing custom domains")
+	}
+	defer httpResp.Body.Close()
+
+	if httpResp.StatusCode != http.StatusOK {
+		respBody, _ := io.ReadAll(httpResp.Body)
+		return nil, wrapAPIError(
+			fmt.Errorf("unexpected status %d: %s", httpResp.StatusCode, string(respBody)),
+			"listing custom domains",
+		)
+	}
+
+	var domains []ory.CustomDomain
+	if err := json.NewDecoder(httpResp.Body).Decode(&domains); err != nil {
+		return nil, fmt.Errorf("listing custom domains: decoding response: %w", err)
+	}
+	return domains, nil
+}
+
+// GetCustomDomain gets a custom domain by ID from the list.
+func (c *OryClient) GetCustomDomain(ctx context.Context, projectID, domainID string) (*ory.CustomDomain, error) {
+	domains, err := c.ListCustomDomains(ctx, projectID)
+	if err != nil {
+		return nil, err
+	}
+	for i := range domains {
+		if domains[i].GetId() == domainID {
+			return &domains[i], nil
+		}
+	}
+	return nil, fmt.Errorf("%w: %s in project %s", ErrCustomDomainNotFound, domainID, projectID)
+}
+
+// CreateCustomDomain creates a new custom domain for a project.
+func (c *OryClient) CreateCustomDomain(ctx context.Context, projectID string, body ory.CreateCustomDomainBody) (*ory.CustomDomain, error) {
+	bodyBytes, err := json.Marshal(body)
+	if err != nil {
+		return nil, fmt.Errorf("creating custom domain: marshaling body: %w", err)
+	}
+
+	httpResp, err := c.consoleHTTPDo(ctx, http.MethodPost, "/projects/"+projectID+"/cname", bytes.NewReader(bodyBytes))
+	if err != nil {
+		return nil, wrapAPIError(err, "creating custom domain")
+	}
+	defer httpResp.Body.Close()
+
+	if httpResp.StatusCode != http.StatusCreated {
+		respBody, _ := io.ReadAll(httpResp.Body)
+		return nil, wrapAPIError(
+			fmt.Errorf("unexpected status %d: %s", httpResp.StatusCode, string(respBody)),
+			"creating custom domain",
+		)
+	}
+
+	var domain ory.CustomDomain
+	if err := json.NewDecoder(httpResp.Body).Decode(&domain); err != nil {
+		return nil, fmt.Errorf("creating custom domain: decoding response: %w", err)
+	}
+	return &domain, nil
+}
+
+// UpdateCustomDomain updates an existing custom domain.
+func (c *OryClient) UpdateCustomDomain(ctx context.Context, projectID, domainID string, body ory.SetCustomDomainBody) (*ory.CustomDomain, error) {
+	bodyBytes, err := json.Marshal(body)
+	if err != nil {
+		return nil, fmt.Errorf("updating custom domain: marshaling body: %w", err)
+	}
+
+	httpResp, err := c.consoleHTTPDo(ctx, http.MethodPut, "/projects/"+projectID+"/cname/"+domainID, bytes.NewReader(bodyBytes))
+	if err != nil {
+		return nil, wrapAPIError(err, "updating custom domain")
+	}
+	defer httpResp.Body.Close()
+
+	if httpResp.StatusCode != http.StatusOK {
+		respBody, _ := io.ReadAll(httpResp.Body)
+		return nil, wrapAPIError(
+			fmt.Errorf("unexpected status %d: %s", httpResp.StatusCode, string(respBody)),
+			"updating custom domain",
+		)
+	}
+
+	var domain ory.CustomDomain
+	if err := json.NewDecoder(httpResp.Body).Decode(&domain); err != nil {
+		return nil, fmt.Errorf("updating custom domain: decoding response: %w", err)
+	}
+	return &domain, nil
+}
+
+// DeleteCustomDomain deletes a custom domain.
+func (c *OryClient) DeleteCustomDomain(ctx context.Context, projectID, domainID string) error {
+	httpResp, err := c.consoleHTTPDo(ctx, http.MethodDelete, "/projects/"+projectID+"/cname/"+domainID, nil)
+	if err != nil {
+		return wrapAPIError(err, "deleting custom domain")
+	}
+	defer httpResp.Body.Close()
+
+	if httpResp.StatusCode != http.StatusNoContent {
+		respBody, _ := io.ReadAll(httpResp.Body)
+		return wrapAPIError(
+			fmt.Errorf("unexpected status %d: %s", httpResp.StatusCode, string(respBody)),
+			"deleting custom domain",
+		)
+	}
+	return nil
+}
+
 // ListWorkspaces lists all workspaces.
 func (c *OryClient) ListWorkspaces(ctx context.Context) ([]ory.Workspace, error) {
 	resp, httpResp, err := c.consoleClient.WorkspaceAPI.ListWorkspaces(ctx).Execute()

internal/provider/provider.go

@@ -19,6 +19,7 @@ import (
 	projectds "github.com/ory/terraform-provider-ory/internal/datasources/project"
 	workspaceds "github.com/ory/terraform-provider-ory/internal/datasources/workspace"
 	"github.com/ory/terraform-provider-ory/internal/resources/action"
+	"github.com/ory/terraform-provider-ory/internal/resources/customdomain"
 	"github.com/ory/terraform-provider-ory/internal/resources/emailtemplate"
 	"github.com/ory/terraform-provider-ory/internal/resources/eventstream"
 	"github.com/ory/terraform-provider-ory/internal/resources/identity"
@@ -289,6 +290,7 @@ func (p *OryProvider) Resources(ctx context.Context) []func() resource.Resource
 		eventstream.NewResource,
 		trustedjwtissuer.NewResource,
 		oidcdynamicclient.NewResource,
+		customdomain.NewResource,
 	}
 }