Managed groups (#129)

* docs: update host catalog resource with correct value for type attribute

* build: add Makefile target for auto-generating docs

* bugfix: make OIDC account attribute for subject ForceNew

* docs: update auto-generated docs

* Add credential library resource for Vault (#114)

* Integrate with Vault to retrieve and manage per session credentials

Co-authored-by: Louis Ruch <[email protected]>

* Update token/clientKey on hmac change (#125)

* Update token/clientKey on hmac change

* Update changelog

* Update docs

* Prep for 1.0.3

* v1.0.3

* Update terraform-plugin-sdk

* Fix Typo

* Adopt American spelling

* fix the parameter that is actually being sent as the auth method id

Co-authored-by: Jeff Malnick <[email protected]>
Co-authored-by: Louis Ruch <[email protected]>
Co-authored-by: Jeff Mitchell <[email protected]>
Co-authored-by: tf-release-bot <[email protected]>
Co-authored-by: Lewis Cowper <[email protected]>

CHANGELOG.md

@@ -1,17 +1,45 @@
+## 1.0.3 (June 30, 2021)
+
+### New and Improved
+
+* Adds credential library resource for Vault
+  ([PR](https://github.com/hashicorp/terraform-provider-boundary/pull/114)).
+* Adds credential store resource for Vault
+  ([PR 1](https://github.com/hashicorp/terraform-provider-boundary/pull/114)),
+  ([PR 2](https://github.com/hashicorp/terraform-provider-boundary/pull/125)).
+* Adds claim scopes attribute to OIDC auth method
+  ([PR](https://github.com/hashicorp/terraform-provider-boundary/pull/112)).
+* Adds account claim maps attribute to OIDC auth method
+  ([PR](https://github.com/hashicorp/terraform-provider-boundary/pull/111)).
+
+### Bug Fixes
+
+* Make OIDC account attribute for subject ForceNew
+  ([Issue](https://github.com/hashicorp/terraform-provider-boundary/issues/119)),
+  ([PR](https://github.com/hashicorp/terraform-provider-boundary/pull/122)).
+* Update static type attribute for host catalog resource
+  ([Issue](https://github.com/hashicorp/terraform-provider-boundary/issues/115)),
+  ([PR](https://github.com/hashicorp/terraform-provider-boundary/pull/121)).
+
 ## 1.0.2 (May 06, 2021)
 
+### New and Improved
+
 * Adds OIDC account resource
-([PR](https://github.com/hashicorp/terraform-provider-boundary/pull/105))
+([PR](https://github.com/hashicorp/terraform-provider-boundary/pull/105)).
 * Adds OIDC auth method resource
-([PR](https://github.com/hashicorp/terraform-provider-boundary/pull/105))
+([PR](https://github.com/hashicorp/terraform-provider-boundary/pull/105)).
+
+### Deprecations/Changes
+
 * Deprecates fields on `resource_auth_method` that will be replaced in the future with generic `attributes` attribute.
 
 ## 1.0.1 (February 02, 2021)
 
 ### New and Improved
 
 * Adds worker filter to target resource
-  ([PR](https://github.com/hashicorp/terraform-provider-boundary/pull/76))
+  ([PR](https://github.com/hashicorp/terraform-provider-boundary/pull/76)).
 
 ## 1.0.0 (January 20, 2021)
 
@@ -20,14 +48,14 @@ We are bumping the version of the Boundary Terraform provider to v1.0.0 and will
 ### Bug Fixes
 
 * During `terraform apply`, do not update existing user account passwords when the password field is updated in the tf file.
-  ([Issue](https://github.com/hashicorp/terraform-provider-boundary/issues/71))
-  ([PR](https://github.com/hashicorp/terraform-provider-boundary/pull/70))
+  ([Issue](https://github.com/hashicorp/terraform-provider-boundary/issues/71)),
+  ([PR](https://github.com/hashicorp/terraform-provider-boundary/pull/70)).
 
 ## 0.1.4 (January 14, 2021)
 
 ### New and Improved
 
-Update provider to handle new domain errors ([PR](https://github.com/hashicorp/terraform-provider-boundary/pull/63))
+Update provider to handle new domain errors ([PR](https://github.com/hashicorp/terraform-provider-boundary/pull/63)).
 
 ## 0.1.0 (October 14, 2020)
 

Makefile

@@ -41,7 +41,10 @@ all:
 	GOOS=windows go build -o $(BUILD_ALL_PATH)/terraform-provider-boundary_windows-amd64 main.go
 	GOOS=linux go build -o $(BUILD_ALL_PATH)/terraform-provider-boundary_linux-amd64 main.go
 
+docs: 
+	go run github.com/hashicorp/terraform-plugin-docs/cmd/tfplugindocs
+
 rm-id-flag-from-docs:
 	find docs/ -name "*.md" -type f | xargs sed -i -e '/- \*\*id\*\*/d'
 
-.PHONY: testacc tools
+.PHONY: testacc tools docs

README.md

@@ -129,7 +129,7 @@ resource "boundary_user" "users" {
   scope_id    = boundary_scope.corp.id
 }
 
-// organiation level group for readonly users 
+// organization level group for readonly users 
 resource "boundary_group" "readonly" {
   name        = "readonly"
   description = "Organization group for readonly users"

docs/resources/auth_method_oidc.md

@@ -21,9 +21,11 @@ The OIDC auth method resource allows you to configure a Boundary auth_method_oid
 
 ### Optional
 
+- **account_claim_maps** (List of String) Account claim maps for the to_claim of sub.
 - **allowed_audiences** (List of String) Audiences for which the provider responses will be allowed
 - **api_url_prefix** (String) The API prefix to use when generating callback URLs for the provider. Should be set to an address at which the provider can reach back to the controller.
 - **callback_url** (String) The URL that should be provided to the IdP for callbacks.
+- **claims_scopes** (List of String) Claims scopes.
 - **client_id** (String) The client ID assigned to this auth method from the provider.
 - **client_secret** (String) The secret key assigned to this auth method from the provider. Once set, only the hash will be kept and the original value can be removed from configuration.
 - **client_secret_hmac** (String) The HMAC of the client secret returned by the Boundary controller, which is used for comparison after initial setting of the value.

docs/resources/credential_library_vault.md

@@ -0,0 +1,86 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "boundary_credential_library_vault Resource - terraform-provider-boundary"
+subcategory: ""
+description: |-
+  The credential library for Vault resource allows you to configure a Boundary credential library for Vault.
+---
+
+# boundary_credential_library_vault (Resource)
+
+The credential library for Vault resource allows you to configure a Boundary credential library for Vault.
+
+## Example Usage
+
+```terraform
+resource "boundary_scope" "org" {
+  name                     = "organization_one"
+  description              = "My first scope!"
+  scope_id                 = "global"
+  auto_create_admin_role   = true
+  auto_create_default_role = true
+}
+
+resource "boundary_scope" "project" {
+  name                   = "project_one"
+  description            = "My first scope!"
+  scope_id               = boundary_scope.org.id
+  auto_create_admin_role = true
+}
+
+resource "boundary_credential_store_vault" "foo" {
+  name        = "foo"
+  description = "My first Vault credential store!"
+  address     = "http://127.0.0.1:8200"      # change to Vault address
+  token       = "s.0ufRo6XEGU2jOqnIr7OlFYP5" # change to valid Vault token
+  scope_id    = boundary_scope.project.id
+}
+
+resource "boundary_credential_library_vault" "foo" {
+  name                = "foo"
+  description         = "My first Vault credential library!"
+  credential_store_id = boundary_credential_store_vault.foo.id
+  path                = "my/secret/foo" # change to Vault backend path
+  http_method         = "GET"
+}
+
+resource "boundary_credential_library_vault" "bar" {
+  name                = "bar"
+  description         = "My second Vault credential library!"
+  credential_store_id = boundary_credential_store_vault.foo.id
+  path                = "my/secret/bar" # change to Vault backend path
+  http_method         = "POST"
+  request_body        = <<EOT
+{
+  "key": "Value",
+}
+EOT
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- **credential_store_id** (String) The ID of the credential store that this library belongs to.
+- **path** (String) The path in Vault to request credentials from.
+
+### Optional
+
+- **description** (String) The Vault credential library description.
+- **http_method** (String) The HTTP method the library uses when requesting credentials from Vault. Defaults to 'GET'
+- **http_request_body** (String) The body of the HTTP request the library sends to Vault when requesting credentials. Only valid if `http_method` is set to `POST`.
+- **name** (String) The Vault credential library name. Defaults to the resource name.
+
+### Read-Only
+
+- **id** (String) The ID of the Vault credential library.
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+terraform import boundary_credential_library_vault.foo <my-id>
+```

docs/resources/credential_store_vault.md

@@ -0,0 +1,72 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "boundary_credential_store_vault Resource - terraform-provider-boundary"
+subcategory: ""
+description: |-
+  The credential store for Vault resource allows you to configure a Boundary credential store for Vault.
+---
+
+# boundary_credential_store_vault (Resource)
+
+The credential store for Vault resource allows you to configure a Boundary credential store for Vault.
+
+## Example Usage
+
+```terraform
+resource "boundary_scope" "org" {
+  name                     = "organization_one"
+  description              = "My first scope!"
+  scope_id                 = "global"
+  auto_create_admin_role   = true
+  auto_create_default_role = true
+}
+
+resource "boundary_scope" "project" {
+  name                   = "project_one"
+  description            = "My first scope!"
+  scope_id               = boundary_scope.org.id
+  auto_create_admin_role = true
+}
+
+resource "boundary_credential_store_vault" "example" {
+  name        = "foo"
+  description = "My first Vault credential store!"
+  address     = "http://127.0.0.1:8200"      # change to Vault address
+  token       = "s.0ufRo6XEGU2jOqnIr7OlFYP5" # change to valid Vault token
+  scope_id    = boundary_scope.project.id
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- **address** (String) The address to Vault server. This should be a complete URL such as 'https://127.0.0.1:8200'
+- **scope_id** (String) The scope for this credential store.
+- **token** (String, Sensitive) A token used for accessing Vault.
+
+### Optional
+
+- **ca_cert** (String) A PEM-encoded CA certificate to verify the Vault server's TLS certificate.
+- **client_certificate** (String) A PEM-encoded client certificate to use for TLS authentication to the Vault server.
+- **client_certificate_key** (String, Sensitive) A PEM-encoded private key matching the client certificate from 'client_certificate'.
+- **description** (String) The Vault credential store description.
+- **name** (String) The Vault credential store name. Defaults to the resource name.
+- **namespace** (String) The namespace within Vault to use.
+- **tls_server_name** (String) Name to use as the SNI host when connecting to Vault via TLS.
+- **tls_skip_verify** (Boolean) Whether or not to skip TLS verification.
+
+### Read-Only
+
+- **client_certificate_key_hmac** (String) The Vault client certificate key hmac.
+- **id** (String) The ID of the Vault credential store.
+- **token_hmac** (String) The Vault token hmac.
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+terraform import boundary_credential_store_vault.foo <my-id>
+```

docs/resources/host_catalog.md

@@ -42,7 +42,7 @@ resource "boundary_host_catalog" "example" {
 ### Required
 
 - **scope_id** (String) The scope ID in which the resource is created.
-- **type** (String) The host catalog type. Only `Static` (yes, title case) is supported.
+- **type** (String) The host catalog type. Only `static` is supported.
 
 ### Optional
 

docs/resources/target.md

@@ -33,6 +33,22 @@ resource "boundary_scope" "project" {
   auto_create_admin_role = true
 }
 
+resource "boundary_credential_store_vault" "foo" {
+  name        = "vault_store"
+  description = "My first Vault credential store!"
+  address     = "http://127.0.0.1:8200"      # change to Vault address
+  token       = "s.0ufRo6XEGU2jOqnIr7OlFYP5" # change to valid Vault token
+  scope_id    = boundary_scope.project.id
+}
+
+resource "boundary_credential_library_vault" "foo" {
+  name                = "foo"
+  description         = "My first Vault credential library!"
+  credential_store_id = boundary_credential_store_vault.foo.id
+  path                = "my/secret/foo" # change to Vault backend path
+  http_method         = "GET"
+}
+
 resource "boundary_host_catalog" "foo" {
   name        = "test"
   description = "test catalog"
@@ -72,6 +88,9 @@ resource "boundary_target" "foo" {
   host_set_ids = [
     boundary_host_set.foo.id
   ]
+  application_credential_library_ids = [
+    boundary_credential_library_vault.foo.id
+  ]
 }
 ```
 
@@ -85,6 +104,7 @@ resource "boundary_target" "foo" {
 
 ### Optional
 
+- **application_credential_library_ids** (Set of String) A list of application credential library ID's.
 - **default_port** (Number) The default port for this target.
 - **description** (String) The target description.
 - **host_set_ids** (Set of String) A list of host set ID's.

examples/resources/boundary_credential_library_vault/import.sh

@@ -0,0 +1 @@
+terraform import boundary_credential_library_vault.foo <my-id>

examples/resources/boundary_credential_library_vault/resource.tf

@@ -0,0 +1,43 @@
+resource "boundary_scope" "org" {
+  name                     = "organization_one"
+  description              = "My first scope!"
+  scope_id                 = "global"
+  auto_create_admin_role   = true
+  auto_create_default_role = true
+}
+
+resource "boundary_scope" "project" {
+  name                   = "project_one"
+  description            = "My first scope!"
+  scope_id               = boundary_scope.org.id
+  auto_create_admin_role = true
+}
+
+resource "boundary_credential_store_vault" "foo" {
+  name        = "foo"
+  description = "My first Vault credential store!"
+  address     = "http://127.0.0.1:8200"      # change to Vault address
+  token       = "s.0ufRo6XEGU2jOqnIr7OlFYP5" # change to valid Vault token
+  scope_id    = boundary_scope.project.id
+}
+
+resource "boundary_credential_library_vault" "foo" {
+  name                = "foo"
+  description         = "My first Vault credential library!"
+  credential_store_id = boundary_credential_store_vault.foo.id
+  path                = "my/secret/foo" # change to Vault backend path
+  http_method         = "GET"
+}
+
+resource "boundary_credential_library_vault" "bar" {
+  name                = "bar"
+  description         = "My second Vault credential library!"
+  credential_store_id = boundary_credential_store_vault.foo.id
+  path                = "my/secret/bar" # change to Vault backend path
+  http_method         = "POST"
+  request_body        = <<EOT
+{
+  "key": "Value",
+}
+EOT
+}

examples/resources/boundary_credential_store_vault/import.sh

@@ -0,0 +1 @@
+terraform import boundary_credential_store_vault.foo <my-id>

examples/resources/boundary_credential_store_vault/resource.tf

@@ -0,0 +1,22 @@
+resource "boundary_scope" "org" {
+  name                     = "organization_one"
+  description              = "My first scope!"
+  scope_id                 = "global"
+  auto_create_admin_role   = true
+  auto_create_default_role = true
+}
+
+resource "boundary_scope" "project" {
+  name                   = "project_one"
+  description            = "My first scope!"
+  scope_id               = boundary_scope.org.id
+  auto_create_admin_role = true
+}
+
+resource "boundary_credential_store_vault" "example" {
+  name        = "foo"
+  description = "My first Vault credential store!"
+  address     = "http://127.0.0.1:8200"      # change to Vault address
+  token       = "s.0ufRo6XEGU2jOqnIr7OlFYP5" # change to valid Vault token
+  scope_id    = boundary_scope.project.id
+}