├── .copywrite.hcl ├── .github ├── CONTRIBUTING.md ├── ISSUE_TEMPLATE.md ├── SUPPORT.md ├── dependabot.yml └── workflows │ ├── actionlint.yml │ ├── jira.yml │ ├── make-gen-delta.yml │ ├── release.yml │ └── test.yml ├── .gitignore ├── .go-version ├── .goreleaser.yml ├── .release └── release-metadata.hcl ├── .vscode ├── launch.json ├── private.env └── settings.json ├── CHANGELOG.md ├── CODEOWNERS ├── CONTRIBUTING.md ├── Dockerfile ├── LICENSE ├── Makefile ├── README.md ├── boundary.png ├── docs ├── data-sources │ ├── account.md │ ├── auth_method.md │ ├── group.md │ ├── scope.md │ └── user.md ├── index.md └── resources │ ├── account.md │ ├── account_ldap.md │ ├── account_oidc.md │ ├── account_password.md │ ├── alias_target.md │ ├── auth_method.md │ ├── auth_method_ldap.md │ ├── auth_method_oidc.md │ ├── auth_method_password.md │ ├── credential_json.md │ ├── credential_library_vault.md │ ├── credential_library_vault_ssh_certificate.md │ ├── credential_ssh_private_key.md │ ├── credential_store_static.md │ ├── credential_store_vault.md │ ├── credential_username_password.md │ ├── group.md │ ├── host.md │ ├── host_catalog.md │ ├── host_catalog_plugin.md │ ├── host_catalog_static.md │ ├── host_set.md │ ├── host_set_plugin.md │ ├── host_set_static.md │ ├── host_static.md │ ├── managed_group.md │ ├── managed_group_ldap.md │ ├── policy_storage.md │ ├── role.md │ ├── scope.md │ ├── scope_policy_attachment.md │ ├── storage_bucket.md │ ├── target.md │ ├── user.md │ └── worker.md ├── examples ├── data-sources │ ├── boundary_account │ │ └── data-source.tf │ ├── boundary_auth_method │ │ └── data-source.tf │ ├── boundary_group │ │ └── data-source.tf │ ├── boundary_scope │ │ └── data-source.tf │ └── boundary_user │ │ └── data-source.tf ├── provider │ └── provider.tf └── resources │ ├── boundary_account_ldap │ ├── import.sh │ └── resource.tf │ ├── boundary_account_password │ ├── import.sh │ └── resource.tf │ ├── boundary_alias_target │ ├── import.sh │ └── resource.tf │ ├── 
boundary_auth_method │ ├── import.sh │ └── resource.tf │ ├── boundary_auth_method_ldap │ ├── import.sh │ └── resource.tf │ ├── boundary_auth_method_oidc │ ├── import.sh │ └── resource.tf │ ├── boundary_credential_json │ ├── import.sh │ └── resource.tf │ ├── boundary_credential_library_vault │ ├── import.sh │ └── resource.tf │ ├── boundary_credential_library_vault_ssh_certificate │ ├── import.sh │ └── resource.tf │ ├── boundary_credential_ssh_private_key │ ├── import.sh │ └── resource.tf │ ├── boundary_credential_store_static │ ├── import.sh │ └── resource.tf │ ├── boundary_credential_store_vault │ ├── import.sh │ └── resource.tf │ ├── boundary_credential_username_password │ ├── import.sh │ └── resource.tf │ ├── boundary_group │ ├── import.sh │ ├── project-specific │ │ └── resource.tf │ └── simple │ │ └── resource.tf │ ├── boundary_host │ ├── import.sh │ └── resource.tf │ ├── boundary_host_catalog │ ├── import.sh │ └── resource.tf │ ├── boundary_host_catalog_plugin │ ├── import.sh │ └── resource.tf │ ├── boundary_host_catalog_static │ ├── import.sh │ └── resource.tf │ ├── boundary_host_set │ ├── import.sh │ └── resource.tf │ ├── boundary_host_set_plugin │ ├── import.sh │ └── resource.tf │ ├── boundary_host_set_static │ ├── import.sh │ └── resource.tf │ ├── boundary_host_static │ ├── import.sh │ └── resource.tf │ ├── boundary_managed_group_ldap │ ├── import.sh │ └── resource.tf │ ├── boundary_policy │ └── resource.tf │ ├── boundary_role │ ├── import.sh │ ├── project-specific │ │ └── resource.tf │ ├── simple │ │ └── resource.tf │ ├── user-grants │ │ └── resource.tf │ └── user │ │ └── resource.tf │ ├── boundary_scope │ ├── global.tf │ ├── import.sh │ ├── organization.tf │ ├── project.tf │ └── role.tf │ ├── boundary_storage_bucket │ ├── import.sh │ └── resource.tf │ ├── boundary_target │ ├── import.sh │ └── resource.tf │ ├── boundary_user │ ├── import.sh │ └── resource.tf │ └── boundary_worker │ ├── controller_led.tf │ ├── import.sh │ └── worker_led.tf ├── go.mod ├── 
go.sum ├── internal └── provider │ ├── const.go │ ├── data_source_account.go │ ├── data_source_account_test.go │ ├── data_source_auth_method.go │ ├── data_source_auth_method_test.go │ ├── data_source_group.go │ ├── data_source_group_test.go │ ├── data_source_scope.go │ ├── data_source_scope_test.go │ ├── data_source_user.go │ ├── data_source_user_test.go │ ├── filter.go │ ├── pathorcontents.go │ ├── provider.go │ ├── provider_test.go │ ├── resource_account.go │ ├── resource_account_ldap.go │ ├── resource_account_ldap_test.go │ ├── resource_account_oidc.go │ ├── resource_account_oidc_test.go │ ├── resource_account_password.go │ ├── resource_account_password_test.go │ ├── resource_account_test.go │ ├── resource_alias_target.go │ ├── resource_alias_target_test.go │ ├── resource_auth_method.go │ ├── resource_auth_method_ldap.go │ ├── resource_auth_method_ldap_test.go │ ├── resource_auth_method_oidc.go │ ├── resource_auth_method_oidc_test.go │ ├── resource_auth_method_password.go │ ├── resource_auth_method_password_test.go │ ├── resource_auth_method_test.go │ ├── resource_credential_json.go │ ├── resource_credential_json_test.go │ ├── resource_credential_library_vault.go │ ├── resource_credential_library_vault_ssh_certificate.go │ ├── resource_credential_library_vault_ssh_certificate_test.go │ ├── resource_credential_library_vault_test.go │ ├── resource_credential_ssh_private_key.go │ ├── resource_credential_ssh_private_key_test.go │ ├── resource_credential_store_static.go │ ├── resource_credential_store_static_test.go │ ├── resource_credential_store_vault.go │ ├── resource_credential_store_vault_test.go │ ├── resource_credential_username_password.go │ ├── resource_credential_username_password_test.go │ ├── resource_group.go │ ├── resource_group_test.go │ ├── resource_host_catalog_plugin.go │ ├── resource_host_catalog_plugin_test.go │ ├── resource_host_catalog_static.go │ ├── resource_host_catalog_static_test.go │ ├── resource_host_set_plugin.go │ ├── 
resource_host_set_plugin_test.go │ ├── resource_host_set_static.go │ ├── resource_host_set_static_test.go │ ├── resource_host_static.go │ ├── resource_host_static_test.go │ ├── resource_managed_group.go │ ├── resource_managed_group_ldap.go │ ├── resource_managed_group_ldap_test.go │ ├── resource_managed_group_test.go │ ├── resource_policy_storage.go │ ├── resource_role.go │ ├── resource_role_grant_scope_ids_upgrade_test.go │ ├── resource_role_test.go │ ├── resource_scope.go │ ├── resource_scope_policy_attachment.go │ ├── resource_scope_test.go │ ├── resource_storage_bucket.go │ ├── resource_storage_bucket_test.go │ ├── resource_target.go │ ├── resource_target_test.go │ ├── resource_user.go │ ├── resource_user_test.go │ ├── scope.go │ ├── worker.go │ └── worker_test.go ├── main.go ├── plugins ├── README.md └── kms │ ├── assets.go │ ├── assets │ ├── darwin │ │ ├── amd64 │ │ │ └── README.md │ │ └── arm64 │ │ │ └── README.md │ ├── freebsd │ │ ├── 386 │ │ │ └── README.md │ │ ├── amd64 │ │ │ └── README.md │ │ └── arm │ │ │ └── README.md │ ├── linux │ │ ├── 386 │ │ │ └── README.md │ │ ├── amd64 │ │ │ └── README.md │ │ ├── arm │ │ │ └── README.md │ │ └── arm64 │ │ │ └── README.md │ └── windows │ │ ├── 386 │ │ └── README.md │ │ └── amd64 │ │ └── README.md │ ├── assets_darwin_amd64.go │ ├── assets_darwin_arm64.go │ ├── assets_freebsd_386.go │ ├── assets_freebsd_amd64.go │ ├── assets_freebsd_arm.go │ ├── assets_linux_386.go │ ├── assets_linux_amd64.go │ ├── assets_linux_arm.go │ ├── assets_linux_arm64.go │ ├── assets_windows_386.go │ ├── assets_windows_amd64.go │ ├── builtin.go │ ├── const.go │ └── mains │ ├── alicloudkms │ ├── go.mod │ ├── go.sum │ └── main.go │ ├── awskms │ ├── go.mod │ ├── go.sum │ └── main.go │ ├── azurekeyvault │ ├── go.mod │ ├── go.sum │ └── main.go │ ├── gcpckms │ ├── go.mod │ ├── go.sum │ └── main.go │ ├── ocikms │ ├── go.mod │ ├── go.sum │ └── main.go │ └── transit │ ├── go.mod │ ├── go.sum │ └── main.go ├── scripts ├── changelog-links.sh ├── 
plugins-all.sh └── plugins.sh ├── templates ├── data-sources │ └── scope.md.tmpl ├── index.md.tmpl └── resources │ ├── group.md.tmpl │ ├── role.md.tmpl │ ├── scope.md.tmpl │ └── worker.md.tmpl ├── terraform-registry-manifest.json └── tools └── tools.go /.copywrite.hcl: -------------------------------------------------------------------------------- 1 | schema_version = 1 2 | 3 | project { 4 | license = "MPL-2.0" 5 | 6 | copyright_year = 2020 7 | 8 | # (OPTIONAL) A list of globs that should not have copyright or license headers. 9 | # Supports doublestar glob patterns for more flexibility in defining which 10 | # files or folders should be ignored 11 | # Default: [] 12 | header_ignore = [ 13 | "examples/**/*.tf", 14 | "examples/**/*.sh", 15 | ] 16 | } 17 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | Hi there, 2 | 3 | Thank you for opening an issue. Please note that we try to keep the Terraform issue tracker reserved for bug reports and feature requests. For general usage questions, please see: https://www.terraform.io/community.html. 4 | 5 | ### Terraform Version 6 | Run `terraform -v` to show the version. If you are not running the latest version of Terraform, please upgrade because your issue may have already been fixed. 7 | 8 | ### Affected Resource(s) 9 | Please list the resources as a list, for example: 10 | - opc_instance 11 | - opc_storage_volume 12 | 13 | If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this. 14 | 15 | ### Terraform Configuration Files 16 | ```hcl 17 | # Copy-paste your Terraform configurations here - for large Terraform configs, 18 | # please use a service like Dropbox and share a link to the ZIP file. For 19 | # security, you can also encrypt the files using our GPG public key. 
20 | ``` 21 | 22 | ### Debug Output 23 | Please provide a link to a GitHub Gist containing the complete debug output: https://www.terraform.io/docs/internals/debugging.html. Please do NOT paste the debug output in the issue; just paste a link to the Gist. 24 | 25 | ### Panic Output 26 | If Terraform produced a panic, please provide a link to a GitHub Gist containing the output of the `crash.log`. 27 | 28 | ### Expected Behavior 29 | What should have happened? 30 | 31 | ### Actual Behavior 32 | What actually happened? 33 | 34 | ### Steps to Reproduce 35 | Please list the steps required to reproduce the issue, for example: 36 | 1. `terraform apply` 37 | 38 | ### Important Factoids 39 | Is there anything atypical about your accounts that we should know? For example: Running in EC2 Classic? Custom version of OpenStack? Tight ACLs? 40 | 41 | ### References 42 | Are there any other GitHub issues (open or closed) or Pull Requests that should be linked here? For example: 43 | - GH-1234 44 | -------------------------------------------------------------------------------- /.github/SUPPORT.md: -------------------------------------------------------------------------------- 1 | # Support 2 | 3 | Terraform is a mature project with a growing community. There are active, dedicated people willing to help you through various mediums. 4 | 5 | Take a look at those mediums listed at https://www.terraform.io/community.html 6 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | # Copyright (c) HashiCorp, Inc. 
2 | # SPDX-License-Identifier: MPL-2.0 3 | 4 | # See GitHub's docs for more information on this file: 5 | # https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/configuration-options-for-dependency-updates 6 | version: 2 7 | updates: 8 | # Maintain dependencies for GitHub Actions 9 | - package-ecosystem: "github-actions" 10 | directory: "/" 11 | schedule: 12 | # Check for updates to GitHub Actions every Sunday 13 | interval: "weekly" 14 | day: "sunday" 15 | groups: 16 | # Group all GitHub Actions updates into a single PR 17 | actions: 18 | patterns: 19 | - "*" 20 | 21 | - package-ecosystem: "gomod" 22 | directories: 23 | - "/" 24 | - "/plugins/kms/mains/alicloudkms" 25 | - "/plugins/kms/mains/awskms" 26 | - "/plugins/kms/mains/azurekeyvault" 27 | - "/plugins/kms/mains/gcpckms" 28 | - "/plugins/kms/mains/ocikms" 29 | - "/plugins/kms/mains/transit" 30 | schedule: 31 | # Check for updates to Go modules every Sunday 32 | interval: "weekly" 33 | day: "sunday" 34 | groups: 35 | # Group all Go module updates into one PR for version updates 36 | # and one for security updates. 
37 | go: 38 | patterns: 39 | - "*" 40 | applies-to: "version-updates" 41 | go-security: 42 | patterns: 43 | - "*" 44 | applies-to: "security-updates" 45 | -------------------------------------------------------------------------------- /.github/workflows/actionlint.yml: -------------------------------------------------------------------------------- 1 | name: Lint GitHub Actions workflows 2 | on: push 3 | 4 | permissions: 5 | contents: read 6 | 7 | jobs: 8 | actionlint: 9 | runs-on: ubuntu-latest 10 | steps: 11 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 12 | - name: Check workflow files 13 | uses: docker://docker.mirror.hashicorp.services/rhysd/actionlint@sha256:02ccb6d91e4cb4a7b21eb99d5274d257e81ae667688d730e89d7ea0d6d35db91 14 | with: 15 | args: -color 16 | -------------------------------------------------------------------------------- /.github/workflows/make-gen-delta.yml: -------------------------------------------------------------------------------- 1 | name: "make-gen-delta" 2 | on: 3 | - workflow_dispatch 4 | - push 5 | - pull_request 6 | - workflow_call 7 | 8 | permissions: 9 | contents: read 10 | 11 | jobs: 12 | make-gen-delta: 13 | name: "Check for uncommitted changes from make gen" 14 | runs-on: ubuntu-latest 15 | steps: 16 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 17 | with: 18 | fetch-depth: '0' 19 | - name: Determine Go version 20 | id: get-go-version 21 | # We use .go-version as our source of truth for current Go 22 | # version, because "goenv" can react to it automatically. 
23 | run: | 24 | echo "Building with Go $(cat .go-version)" 25 | echo "go-version=$(cat .go-version)" >> "$GITHUB_OUTPUT" 26 | - name: Set up Go 27 | uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 28 | with: 29 | go-version: "${{ steps.get-go-version.outputs.go-version }}" 30 | - name: Running go mod tidy 31 | run: | 32 | go mod tidy 33 | - name: Install Dependencies 34 | run: | 35 | make tools 36 | - name: Running make gen 37 | run: | 38 | make gen 39 | - name: Check for changes 40 | run: | 41 | git diff --exit-code 42 | git status --porcelain 43 | test -z "$(git status --porcelain)" 44 | -------------------------------------------------------------------------------- /.github/workflows/release.yml: -------------------------------------------------------------------------------- 1 | name: Release 2 | 3 | on: 4 | push: 5 | tags: 6 | - 'v[0-9]+.[0-9]+.[0-9]+*' 7 | 8 | permissions: 9 | contents: write 10 | 11 | jobs: 12 | go-version: 13 | runs-on: ubuntu-latest 14 | outputs: 15 | version: ${{ steps.go-version.outputs.go-version }} 16 | steps: 17 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 18 | - id: go-version 19 | # We use .go-version as our source of truth for current Go 20 | # version, because "goenv" can react to it automatically. 
21 | run: | 22 | echo "Building with Go $(cat .go-version)" 23 | echo "go-version=$(cat .go-version)" >> "$GITHUB_OUTPUT" 24 | release-notes: 25 | runs-on: ubuntu-latest 26 | steps: 27 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 28 | with: 29 | fetch-depth: 0 30 | - name: Generate Release Notes 31 | run: sed -n -e "1{/# /d;}" -e "2{/^$/d;}" -e "/# $(git describe --abbrev=0 --exclude="$(git describe --abbrev=0 --match='v*.*.*' --tags)" --match='v*.*.*' --tags | tr -d v)/q;p" CHANGELOG.md > release-notes.txt 32 | - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 33 | with: 34 | name: release-notes 35 | path: release-notes.txt 36 | retention-days: 1 37 | terraform-provider-release: 38 | name: 'Terraform Provider Release' 39 | needs: [go-version, release-notes] 40 | uses: hashicorp/ghaction-terraform-provider-release/.github/workflows/hashicorp.yml@v5 41 | secrets: 42 | hc-releases-github-token: '${{ secrets.HASHI_RELEASES_GITHUB_TOKEN }}' 43 | hc-releases-host-staging: '${{ secrets.HC_RELEASES_HOST_STAGING }}' 44 | hc-releases-host-prod: '${{ secrets.HC_RELEASES_HOST_PROD }}' 45 | hc-releases-key-prod: '${{ secrets.HC_RELEASES_KEY_PROD }}' 46 | hc-releases-key-staging: '${{ secrets.HC_RELEASES_KEY_STAGING }}' 47 | hc-releases-terraform-registry-sync-token: '${{ secrets.TF_PROVIDER_RELEASE_TERRAFORM_REGISTRY_SYNC_TOKEN }}' 48 | setup-signore-github-token: '${{ secrets.HASHI_SIGNORE_GITHUB_TOKEN }}' 49 | signore-client-id: '${{ secrets.SIGNORE_CLIENT_ID }}' 50 | signore-client-secret: '${{ secrets.SIGNORE_CLIENT_SECRET }}' 51 | with: 52 | release-notes: true 53 | setup-go-version: '${{ needs.go-version.outputs.version }}' 54 | # Product Version (e.g. 
v1.2.3 or github.ref_name) 55 | product-version: '${{ github.ref_name }}' 56 | -------------------------------------------------------------------------------- /.github/workflows/test.yml: -------------------------------------------------------------------------------- 1 | name: test 2 | 3 | on: 4 | - push 5 | - pull_request 6 | - workflow_dispatch 7 | - workflow_call 8 | 9 | permissions: 10 | contents: read 11 | 12 | jobs: 13 | test: 14 | runs-on: ubuntu-latest 15 | steps: 16 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 17 | - name: Determine go version 18 | id: get-go-version 19 | # We use .go-version as our source of truth for current Go 20 | # version, because "goenv" can react to it automatically. 21 | run: | 22 | echo "Building with Go $(cat .go-version)" 23 | echo "go-version=$(cat .go-version)" >> "$GITHUB_OUTPUT" 24 | - name: Set up Go 25 | uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 26 | with: 27 | go-version: "${{ steps.get-go-version.outputs.go-version }}" 28 | cache: false 29 | - name: Determine Go cache paths 30 | id: go-cache-paths 31 | run: | 32 | echo "go-build=$(go env GOCACHE)" >> "$GITHUB_OUTPUT" 33 | echo "go-mod=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT" 34 | - name: Set up Go modules cache 35 | uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 36 | with: 37 | path: | 38 | ${{ steps.go-cache-paths.outputs.go-build }} 39 | ${{ steps.go-cache-paths.outputs.go-mod }} 40 | key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} 41 | restore-keys: | 42 | ${{ runner.os }}-go 43 | - name: Acceptance Tests 44 | run: | 45 | make testacc 46 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *.dll 2 | *.exe 3 | .DS_Store 4 | example.tf 5 | terraform.tfplan 6 | terraform.tfstate 7 | bin/ 8 | dist/ 9 | modules-dev/ 10 | /pkg/ 11 | website/.vagrant 12 
| website/.bundle 13 | website/build 14 | website/node_modules 15 | .vagrant/ 16 | *.backup 17 | ./*.tfstate 18 | .terraform/ 19 | *.log 20 | *.bak 21 | *~ 22 | .*.swp 23 | .idea 24 | *.iml 25 | *.test 26 | *.iml 27 | 28 | website/vendor 29 | 30 | # Test exclusions 31 | !command/test-fixtures/**/*.tfstate 32 | !command/test-fixtures/**/.terraform/ 33 | 34 | # Keep windows files with windows line endings 35 | *.winfile eol=crlf 36 | 37 | # Compilation outputs 38 | /plugins/kms/assets/*/*/boundary-plugin* 39 | -------------------------------------------------------------------------------- /.go-version: -------------------------------------------------------------------------------- 1 | 1.23.1 2 | -------------------------------------------------------------------------------- /.goreleaser.yml: -------------------------------------------------------------------------------- 1 | # Copyright (c) HashiCorp, Inc. 2 | # SPDX-License-Identifier: MPL-2.0 3 | 4 | archives: 5 | - files: 6 | # Ensure only built binary is archived 7 | - 'none*' 8 | format: zip 9 | name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}' 10 | before: 11 | hooks: 12 | - 'go mod download' 13 | - './scripts/plugins-all.sh' 14 | builds: 15 | - # Binary naming only required for Terraform CLI 0.12 16 | binary: '{{ .ProjectName }}_v{{ .Version }}_x5' 17 | env: 18 | - CGO_ENABLED=0 19 | flags: 20 | - -trimpath 21 | goos: 22 | - darwin 23 | - freebsd 24 | - linux 25 | - windows 26 | goarch: 27 | - '386' 28 | - amd64 29 | - arm 30 | - arm64 31 | ignore: 32 | - goarch: arm 33 | goos: windows 34 | - goarch: arm64 35 | goos: freebsd 36 | - goarch: arm64 37 | goos: windows 38 | ldflags: 39 | - -s -w -X main.Version={{.Version}} 40 | mod_timestamp: '{{ .CommitTimestamp }}' 41 | checksum: 42 | algorithm: sha256 43 | extra_files: 44 | - glob: 'terraform-registry-manifest.json' 45 | name_template: '{{ .ProjectName }}_{{ .Version }}_manifest.json' 46 | name_template: '{{ .ProjectName }}_{{ .Version 
}}_SHA256SUMS' 47 | publishers: 48 | - checksum: true 49 | # Terraform CLI 0.10 - 0.11 perform discovery via HTTP headers on releases.hashicorp.com 50 | # For providers which have existed since those CLI versions, exclude 51 | # discovery by setting the protocol version headers to 5. 52 | cmd: hc-releases upload -product {{ .ProjectName }} -version {{ .Version }} -file={{ .ArtifactPath }}={{ .ArtifactName }} -header=x-terraform-protocol-version=5 -header=x-terraform-protocol-versions=5.0 53 | env: 54 | - HC_RELEASES_HOST={{ .Env.HC_RELEASES_HOST }} 55 | - HC_RELEASES_KEY={{ .Env.HC_RELEASES_KEY }} 56 | extra_files: 57 | - glob: 'terraform-registry-manifest.json' 58 | name_template: '{{ .ProjectName }}_{{ .Version }}_manifest.json' 59 | name: upload 60 | signature: true 61 | release: 62 | extra_files: 63 | - glob: 'terraform-registry-manifest.json' 64 | name_template: '{{ .ProjectName }}_{{ .Version }}_manifest.json' 65 | ids: 66 | - none 67 | signs: 68 | - args: ["sign", "--dearmor", "--file", "${artifact}", "--out", "${signature}"] 69 | artifacts: checksum 70 | cmd: signore 71 | signature: ${artifact}.sig 72 | - args: ["sign", "--dearmor", "--file", "${artifact}", "--out", "${signature}"] 73 | artifacts: checksum 74 | cmd: signore 75 | id: key-id 76 | signature: ${artifact}.72D7468F.sig 77 | snapshot: 78 | name_template: "{{ .Tag }}-next" 79 | -------------------------------------------------------------------------------- /.release/release-metadata.hcl: -------------------------------------------------------------------------------- 1 | # Copyright (c) HashiCorp, Inc. 
2 | # SPDX-License-Identifier: MPL-2.0 3 | 4 | url_source_repository = "https://github.com/hashicorp/terraform-provider-boundary" 5 | url_license = "https://github.com/hashicorp/terraform-provider-boundary/blob/main/LICENSE" 6 | -------------------------------------------------------------------------------- /.vscode/launch.json: -------------------------------------------------------------------------------- 1 | { 2 | // Use IntelliSense to learn about possible attributes. 3 | // Hover to view descriptions of existing attributes. 4 | // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387 5 | "version": "0.2.0", 6 | "configurations": [ 7 | { 8 | "name": "Launch a test function", 9 | "type": "go", 10 | "request": "launch", 11 | "mode": "auto", 12 | "program": "${fileDirname}", 13 | "args": [ 14 | "-test.v", 15 | "-test.run", 16 | "^${selectedText}$" 17 | ], 18 | "showLog": true, 19 | "envFile": "${workspaceFolder}/.vscode/private.env" 20 | } 21 | ] 22 | } 23 | -------------------------------------------------------------------------------- /.vscode/private.env: -------------------------------------------------------------------------------- 1 | TF_ACC=1 2 | TF_LOG=INFO 3 | GOFLAGS='-mod=readonly' 4 | -------------------------------------------------------------------------------- /.vscode/settings.json: -------------------------------------------------------------------------------- 1 | { 2 | "go.testEnvVars": { 3 | "TF_ACC": "1" 4 | } 5 | } -------------------------------------------------------------------------------- /CODEOWNERS: -------------------------------------------------------------------------------- 1 | # These owners will be the default owners for everything in 2 | # the repo, unless a later match takes precedence. 
3 | 4 | * @hashicorp/boundary 5 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing to Boundary 2 | 3 | Thank you for contributing to Boundary! Here you can find common questions around reporting issues and opening 4 | pull requests to our project. 5 | 6 | When contributing in any way to the Boundary project (new issue, PR, etc.), please be aware that our team identifies with many gender pronouns, and please use non-binary pronouns when addressing our team. For more reading on our code of conduct, please see the [HashiCorp community guidelines](https://www.hashicorp.com/community-guidelines). 7 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | # Copyright (c) HashiCorp, Inc. 2 | # SPDX-License-Identifier: MPL-2.0 3 | 4 | FROM golang:1.20 5 | 6 | WORKDIR /go/src/terraform-provider-boundary 7 | COPY . . 8 | 9 | RUN go get -d -v ./... 10 | RUN go install -v ./... 
11 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | default: testacc 2 | GOOS=$(shell go env GOOS) 3 | GOARCH=$(shell go env GOARCH) 4 | INSTALL_PATH=~/.local/share/terraform/plugins/localhost/providers/boundary/0.0.1/linux_$(GOARCH) 5 | BUILD_ALL_PATH=${PWD}/bin 6 | 7 | ifeq ($(GOOS), darwin) 8 | INSTALL_PATH=~/Library/Application\ Support/io.terraform/plugins/localhost/providers/boundary/0.0.1/darwin_$(GOARCH) 9 | endif 10 | ifeq ($(GOOS), "windows") 11 | INSTALL_PATH=%APPDATA%/HashiCorp/Terraform/plugins/localhost/providers/boundary/0.0.1/windows_$(GOARCH) 12 | endif 13 | 14 | REGISTRY_NAME?=docker.io/hashicorpboundary 15 | IMAGE_NAME=postgres 16 | IMAGE_TAG ?= $(REGISTRY_NAME)/$(IMAGE_NAME):11-alpine 17 | DOCKER_ARGS ?= -d 18 | PG_OPTS ?= 19 | TEST_DB_PORT ?= 5432 20 | BOUNDARY_VERSION = $(shell go mod edit -json | jq -r '.["Require"][] | select(.Path=="github.com/hashicorp/boundary") | .["Version"]') 21 | GOPATH ?= $(abspath ~/go) 22 | GOMODCACHE ?= $(GOPATH)/pkg/mod 23 | 24 | tools: 25 | go generate -tags tools tools/tools.go 26 | go install github.com/hashicorp/copywrite@v0.15.0 27 | 28 | test: 29 | echo "Placeholder" 30 | 31 | # Run acceptance tests 32 | testacc: 33 | TF_ACC=1 go test ./... 
-v $(TESTARGS) -timeout 120m 34 | 35 | dev: 36 | GOOS=${GOOS} GOARCH=${GOARCH} ./scripts/plugins.sh 37 | mkdir -p $(INSTALL_PATH) 38 | go build -o $(INSTALL_PATH)/terraform-provider-boundary main.go 39 | 40 | dev-no-plugins: 41 | mkdir -p $(INSTALL_PATH) 42 | go build -o $(INSTALL_PATH)/terraform-provider-boundary main.go 43 | 44 | all: 45 | mkdir -p $(BUILD_ALL_PATH) 46 | GOOS=darwin go build -o $(BUILD_ALL_PATH)/terraform-provider-boundary_darwin-amd64 main.go 47 | GOOS=windows go build -o $(BUILD_ALL_PATH)/terraform-provider-boundary_windows-amd64 main.go 48 | GOOS=linux go build -o $(BUILD_ALL_PATH)/terraform-provider-boundary_linux-amd64 main.go 49 | 50 | docs: 51 | go run github.com/hashicorp/terraform-plugin-docs/cmd/tfplugindocs 52 | 53 | rm-id-flag-from-docs: 54 | find docs/ -name "*.md" -type f | xargs sed -i -e '/- \*\*id\*\*/d' 55 | 56 | test-database-up: 57 | @echo "Using image: $(IMAGE_TAG)" 58 | @echo "Additional postgres configuration: $(PG_OPTS)" 59 | @echo "Using volume: $(GOMODCACHE)/github.com/hashicorp/boundary@$(BOUNDARY_VERSION)/internal/db/schema/migrations:/migrations" 60 | @docker run \ 61 | $(DOCKER_ARGS) \ 62 | --name boundary-sql-tests \ 63 | -p $(TEST_DB_PORT):5432 \ 64 | -e POSTGRES_PASSWORD=boundary \ 65 | -e POSTGRES_USER=boundary \ 66 | -e POSTGRES_DB=boundary \ 67 | -e PGDATA=/pgdata \ 68 | --mount type=tmpfs,destination=/pgdata \ 69 | -v "$(GOMODCACHE)/github.com/hashicorp/boundary@$(BOUNDARY_VERSION)/internal/db/schema/migrations":/migrations \ 70 | $(IMAGE_TAG) \ 71 | -c 'config_file=/etc/postgresql/postgresql.conf' \ 72 | $(PG_OPTS) 1> /dev/null 73 | @echo "Test database available at: 127.0.0.1:$(TEST_DB_PORT)" 74 | @echo "For database logs run:" 75 | @echo " docker logs boundary-sql-tests" 76 | 77 | test-database-down: 78 | docker stop boundary-sql-tests || true 79 | docker rm -v boundary-sql-tests || true 80 | 81 | .PHONY: testacc tools docs test-database-up test-database-down 82 | 83 | .PHONY: copywrite 84 | copywrite: 85 | 
copywrite headers 86 | 87 | .PHONY: fmt 88 | fmt: 89 | gofumpt -w $$(find . -name '*.go') 90 | 91 | .PHONY: gen 92 | gen: docs copywrite fmt 93 | -------------------------------------------------------------------------------- /boundary.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hashicorp/terraform-provider-boundary/8ec00c0b42627e9fd081adb7fdfdab7ece21a1bc/boundary.png -------------------------------------------------------------------------------- /docs/data-sources/account.md: -------------------------------------------------------------------------------- 1 | --- 2 | # generated by https://github.com/hashicorp/terraform-plugin-docs 3 | page_title: "boundary_account Data Source - terraform-provider-boundary" 4 | subcategory: "" 5 | description: |- 6 | The boundary_account data source allows you to find a Boundary account. 7 | --- 8 | 9 | # boundary_account (Data Source) 10 | 11 | The boundary_account data source allows you to find a Boundary account. 12 | 13 | ## Example Usage 14 | 15 | ```terraform 16 | # Retrieve the ID of a Boundary account 17 | data "boundary_account" "admin" { 18 | name = "admin" 19 | auth_method_id = "ampw_1234567890" 20 | } 21 | ``` 22 | 23 | 24 | ## Schema 25 | 26 | ### Required 27 | 28 | - `auth_method_id` (String) The auth method ID that will be queried for the account. 29 | - `name` (String) The name of the account to retrieve. 30 | 31 | ### Read-Only 32 | 33 | - `description` (String) The description of the retrieved account. 34 | - `id` (String) The ID of the retrieved account. 
35 | - `scope` (List of Object) (see [below for nested schema](#nestedatt--scope)) 36 | - `type` (String) The type of the account 37 | 38 | 39 | ### Nested Schema for `scope` 40 | 41 | Read-Only: 42 | 43 | - `description` (String) 44 | - `id` (String) 45 | - `name` (String) 46 | - `parent_scope_id` (String) 47 | - `type` (String) 48 | -------------------------------------------------------------------------------- /docs/data-sources/auth_method.md: -------------------------------------------------------------------------------- 1 | --- 2 | # generated by https://github.com/hashicorp/terraform-plugin-docs 3 | page_title: "boundary_auth_method Data Source - terraform-provider-boundary" 4 | subcategory: "" 5 | description: |- 6 | The boundary_auth_method data source allows you to find a Boundary auth method. 7 | --- 8 | 9 | # boundary_auth_method (Data Source) 10 | 11 | The boundary_auth_method data source allows you to find a Boundary auth method. 12 | 13 | ## Example Usage 14 | 15 | ```terraform 16 | # Retrieve an auth method from the global scope 17 | data "boundary_auth_method" "auth_method" { 18 | name = "password_auth_method" 19 | } 20 | 21 | # Auth method from a org scope 22 | data "boundary_scope" "org" { 23 | name = "my-org" 24 | scope_id = "global" 25 | } 26 | 27 | data "boundary_auth_method" "auth_method" { 28 | name = "password_auth_method" 29 | scope_id = data.boundary_scope.org.id 30 | } 31 | ``` 32 | 33 | 34 | ## Schema 35 | 36 | ### Required 37 | 38 | - `name` (String) The name of the auth method to retrieve. 39 | 40 | ### Optional 41 | 42 | - `scope_id` (String) The scope ID in which the resource is created. Defaults to `global` if unset. 43 | 44 | ### Read-Only 45 | 46 | - `description` (String) The description of the retrieved auth method. 47 | - `id` (String) The ID of the retrieved auth method. 
48 | - `scope` (List of Object) (see [below for nested schema](#nestedatt--scope)) 49 | - `type` (String) The type of the auth method 50 | 51 | 52 | ### Nested Schema for `scope` 53 | 54 | Read-Only: 55 | 56 | - `description` (String) 57 | - `id` (String) 58 | - `name` (String) 59 | - `parent_scope_id` (String) 60 | - `type` (String) 61 | -------------------------------------------------------------------------------- /docs/data-sources/group.md: -------------------------------------------------------------------------------- 1 | --- 2 | # generated by https://github.com/hashicorp/terraform-plugin-docs 3 | page_title: "boundary_group Data Source - terraform-provider-boundary" 4 | subcategory: "" 5 | description: |- 6 | The boundary_group data source allows you to find a Boundary group. 7 | --- 8 | 9 | # boundary_group (Data Source) 10 | 11 | The boundary_group data source allows you to find a Boundary group. 12 | 13 | ## Example Usage 14 | 15 | ```terraform 16 | # Retrieve a user from the global scope 17 | data "boundary_group" "global_group" { 18 | name = "admin" 19 | } 20 | 21 | # User from an org scope 22 | data "boundary_scope" "org" { 23 | name = "org" 24 | scope_id = "global" 25 | } 26 | 27 | data "boundary_group" "org_group" { 28 | name = "username" 29 | scope_id = data.boundary_scope.org.id 30 | } 31 | ``` 32 | 33 | 34 | ## Schema 35 | 36 | ### Required 37 | 38 | - `name` (String) The name of the group to retrieve. 39 | 40 | ### Optional 41 | 42 | - `scope_id` (String) The scope ID in which the resource is created. Defaults `global` if unset. 43 | 44 | ### Read-Only 45 | 46 | - `description` (String) The description of the retrieved group. 47 | - `id` (String) The ID of the retrieved group. 48 | - `member_ids` (Set of String) Resource IDs for group members, these are most likely boundary users. 
49 | - `scope` (List of Object) (see [below for nested schema](#nestedatt--scope)) 50 | 51 | 52 | ### Nested Schema for `scope` 53 | 54 | Read-Only: 55 | 56 | - `description` (String) 57 | - `id` (String) 58 | - `name` (String) 59 | - `parent_scope_id` (String) 60 | - `type` (String) 61 | -------------------------------------------------------------------------------- /docs/data-sources/scope.md: -------------------------------------------------------------------------------- 1 | --- 2 | page_title: "boundary_scope Data Source - terraform-provider-boundary" 3 | subcategory: "" 4 | description: |- 5 | The scope data source allows you to discover an existing Boundary scope by name. 6 | --- 7 | 8 | # boundary_scope (Data Source) 9 | 10 | The scope data source allows you to discover an existing Boundary scope by name. 11 | Please note that the Global scope will always have an id of "global", and does not need to be discovered with this data source. 12 | 13 | ## Example Usage 14 | 15 | ```terraform 16 | # Retrieve the ID of a Boundary project 17 | data "boundary_scope" "org" { 18 | name = "SecOps" 19 | scope_id = "global" 20 | } 21 | 22 | data "boundary_scope" "project" { 23 | name = "2111" 24 | scope_id = data.boundary_scope.id 25 | } 26 | ``` 27 | 28 | 29 | ## Schema 30 | 31 | ### Required 32 | 33 | - `name` (String) The name of the scope to retrieve. 34 | - `scope_id` (String) The parent scope ID that will be queried for the scope. 35 | 36 | ### Read-Only 37 | 38 | - `description` (String) The description of the retrieved scope. 39 | - `id` (String) The ID of the retrieved scope. 
40 | -------------------------------------------------------------------------------- /docs/data-sources/user.md: -------------------------------------------------------------------------------- 1 | --- 2 | # generated by https://github.com/hashicorp/terraform-plugin-docs 3 | page_title: "boundary_user Data Source - terraform-provider-boundary" 4 | subcategory: "" 5 | description: |- 6 | The user data source allows you to find a Boundary user. 7 | --- 8 | 9 | # boundary_user (Data Source) 10 | 11 | The user data source allows you to find a Boundary user. 12 | 13 | ## Example Usage 14 | 15 | ```terraform 16 | # Retrieve a user from the global scope 17 | data "boundary_user" "global_scope_admin" { 18 | name = "admin" 19 | } 20 | 21 | # User from a org scope 22 | data "boundary_user" "org_user" { 23 | name = "username" 24 | scope_id = data.boundary_scope.org.id 25 | } 26 | 27 | data "boundary_scope" "org" { 28 | name = "my-org" 29 | scope_id = data.boundary_scope.org.id 30 | } 31 | ``` 32 | 33 | 34 | ## Schema 35 | 36 | ### Required 37 | 38 | - `name` (String) The username to search for. 39 | 40 | ### Optional 41 | 42 | - `scope_id` (String) The scope ID in which the resource is created. Defaults `global` if unset. 43 | 44 | ### Read-Only 45 | 46 | - `account_ids` (Set of String) Account ID's to associate with this user resource. 47 | - `authorized_actions` (List of String) A list of actions that the worker is entitled to perform. 48 | - `description` (String) The user description. 49 | - `id` (String) The ID of the user. 50 | - `login_name` (String) Login name for user. 51 | - `primary_account_id` (String) Primary account ID. 
52 | - `scope` (List of Object) (see [below for nested schema](#nestedatt--scope)) 53 | 54 | 55 | ### Nested Schema for `scope` 56 | 57 | Read-Only: 58 | 59 | - `description` (String) 60 | - `id` (String) 61 | - `name` (String) 62 | - `parent_scope_id` (String) 63 | - `type` (String) 64 | -------------------------------------------------------------------------------- /docs/index.md: -------------------------------------------------------------------------------- 1 | --- 2 | page_title: "Provider: Boundary" 3 | subcategory: "" 4 | description: |- 5 | Terraform provider for configuring Boundary. 6 | --- 7 | 8 | # Boundary Provider 9 | 10 | Terraform provider for configuring Boundary. 11 | 12 | ## Example Usage 13 | 14 | Do not keep your authentication password in HCL for production environments; supply it through Terraform environment variables instead. The `http://127.0.0.1:9200` address and the literal credentials below are placeholders for a local development instance. A plain-HTTP address sends the login name and password unencrypted, so use an `https://` address for any controller that is not local. 15 | 16 | ```terraform 17 | provider "boundary" { 18 | addr = "http://127.0.0.1:9200" 19 | auth_method_id = "ampw_1234567890" # changeme 20 | auth_method_login_name = "myuser" # changeme 21 | auth_method_password = "passpass" # changeme 22 | } 23 | 24 | provider "boundary" { 25 | addr = "http://127.0.0.1:9200" 26 | auth_method_login_name = "myuser" 27 | auth_method_password = "passpass" 28 | } 29 | 30 | provider "boundary" { 31 | addr = "http://127.0.0.1:9200" 32 | auth_method_login_name = "myuser" 33 | auth_method_password = "passpass" 34 | scope_id = "s_1234567890" 35 | } 36 | ``` 37 | 38 | 39 | ## Schema 40 | 41 | ### Required 42 | 43 | - `addr` (String) The base url of the Boundary API, e.g. "http://127.0.0.1:9200". If not set, it will be read from the "BOUNDARY_ADDR" env var. 44 | 45 | ### Optional 46 | 47 | - `auth_method_id` (String) The auth method ID e.g. ampw_1234567890. If not set, the default auth method for the given scope ID will be used.
48 | - `auth_method_login_name` (String) The auth method login name for password-style or ldap-style auth methods 49 | - `auth_method_password` (String) The auth method password for password-style or ldap-style auth methods 50 | - `password_auth_method_login_name` (String, Deprecated) The auth method login name for password-style auth methods 51 | - `password_auth_method_password` (String, Deprecated) The auth method password for password-style auth methods 52 | - `plugin_execution_dir` (String) Specifies a directory that the Boundary provider can use to write and execute its built-in plugins. Because files written here are executed, the directory should be writable only by the account that runs Terraform. 53 | - `recovery_kms_hcl` (String) Can be a heredoc string or a path on disk. If set, the string/file will be parsed as HCL and used with the recovery KMS mechanism. While this is set, it will override any other authentication information; the KMS mechanism will always be used. See Boundary's KMS docs for examples: https://boundaryproject.io/docs/configuration/kms 54 | - `scope_id` (String) The scope ID for the default auth method. 55 | - `tls_insecure` (Boolean) When set to true, does not validate the Boundary API endpoint certificate. Leave this unset outside of local testing: without certificate validation the provider cannot detect an impersonated endpoint, and the credentials or token it sends can be intercepted. 56 | - `token` (String) The Boundary token to use, as a string or path on disk containing just the string. If set, the token read here will be used in place of authenticating with the auth method specified in "auth_method_id", although the recovery KMS mechanism will still override this. Can also be set with the BOUNDARY_TOKEN environment variable. -------------------------------------------------------------------------------- /docs/resources/account.md: -------------------------------------------------------------------------------- 1 | --- 2 | # generated by https://github.com/hashicorp/terraform-plugin-docs 3 | page_title: "boundary_account Resource - terraform-provider-boundary" 4 | subcategory: "" 5 | description: |- 6 | Deprecated: use boundary_account_password instead.
7 | --- 8 | 9 | # boundary_account (Resource) 10 | 11 | Deprecated: use `boundary_account_password` instead. 12 | 13 | 14 | 15 | 16 | ## Schema 17 | 18 | ### Required 19 | 20 | - `auth_method_id` (String) The resource ID for the auth method. 21 | - `type` (String) The resource type. 22 | 23 | ### Optional 24 | 25 | - `description` (String) The account description. 26 | - `login_name` (String) The login name for this account. 27 | - `name` (String) The account name. Defaults to the resource name. 28 | - `password` (String, Sensitive) The account password. Only set on create, changes will not be reflected when updating account. 29 | 30 | ### Read-Only 31 | 32 | - `id` (String) The ID of the account. 33 | -------------------------------------------------------------------------------- /docs/resources/account_ldap.md: -------------------------------------------------------------------------------- 1 | --- 2 | # generated by https://github.com/hashicorp/terraform-plugin-docs 3 | page_title: "boundary_account_ldap Resource - terraform-provider-boundary" 4 | subcategory: "" 5 | description: |- 6 | The account resource allows you to configure a Boundary account. 7 | --- 8 | 9 | # boundary_account_ldap (Resource) 10 | 11 | The account resource allows you to configure a Boundary account. 12 | 13 | ## Example Usage 14 | 15 | ```terraform 16 | resource "boundary_scope" "org" { 17 | name = "organization_one" 18 | description = "My first scope!" 
19 | scope_id = "global" 20 | auto_create_admin_role = true 21 | auto_create_default_role = true 22 | } 23 | 24 | resource "boundary_auth_method_ldap" "forumsys_ldap" { 25 | name = "forumsys public LDAP" 26 | scope_id = "global" # add the new auth method to the global scope 27 | urls = ["ldap://ldap.forumsys.com"] # the addr of the LDAP server 28 | user_dn = "dc=example,dc=com" # the basedn for users 29 | user_attr = "uid" # the user attribute 30 | group_dn = "dc=example,dc=com" # the basedn for groups 31 | bind_dn = "cn=read-only-admin,dc=example,dc=com" # the dn to use when binding 32 | bind_password = "password" # passwd to use when binding 33 | state = "active-public" # make sure the new auth-method is available to everyone 34 | enable_groups = true # this turns-on the discovery of a user's groups 35 | discover_dn = true # this turns-on the discovery of an authenticating user's dn 36 | } 37 | 38 | resource "boundary_account_ldap" "einstein" { 39 | auth_method_id = boundary_auth_method_ldap.forumsys_ldap.id 40 | login_name = "einstein" 41 | name = "einstein" 42 | } 43 | 44 | resource "boundary_user" "einstein" { 45 | name = "einstein" 46 | description = "User resource for einstein" 47 | scope_id = "global" 48 | account_ids = [boundary_account_ldap.einstein.id] 49 | } 50 | ``` 51 | 52 | 53 | ## Schema 54 | 55 | ### Required 56 | 57 | - `auth_method_id` (String) The resource ID for the auth method. 58 | 59 | ### Optional 60 | 61 | - `description` (String) The account description. 62 | - `login_name` (String) The login name for this account. 63 | - `name` (String) The account name. Defaults to the resource name. 64 | - `type` (String, Deprecated) The resource type. 65 | 66 | ### Read-Only 67 | 68 | - `id` (String) The ID of the account. 
69 | 70 | ## Import 71 | 72 | Import is supported using the following syntax: 73 | 74 | ```shell 75 | terraform import boundary_account_ldap.foo 76 | ``` 77 | -------------------------------------------------------------------------------- /docs/resources/account_oidc.md: -------------------------------------------------------------------------------- 1 | --- 2 | # generated by https://github.com/hashicorp/terraform-plugin-docs 3 | page_title: "boundary_account_oidc Resource - terraform-provider-boundary" 4 | subcategory: "" 5 | description: |- 6 | The account resource allows you to configure a Boundary account. 7 | --- 8 | 9 | # boundary_account_oidc (Resource) 10 | 11 | The account resource allows you to configure a Boundary account. 12 | 13 | 14 | 15 | 16 | ## Schema 17 | 18 | ### Required 19 | 20 | - `auth_method_id` (String) The resource ID for the auth method. 21 | 22 | ### Optional 23 | 24 | - `description` (String) The account description. 25 | - `issuer` (String) The OIDC issuer. 26 | - `name` (String) The account name. Defaults to the resource name. 27 | - `subject` (String) The OIDC subject. 28 | 29 | ### Read-Only 30 | 31 | - `id` (String) The ID of the account. 32 | -------------------------------------------------------------------------------- /docs/resources/account_password.md: -------------------------------------------------------------------------------- 1 | --- 2 | # generated by https://github.com/hashicorp/terraform-plugin-docs 3 | page_title: "boundary_account_password Resource - terraform-provider-boundary" 4 | subcategory: "" 5 | description: |- 6 | The account resource allows you to configure a Boundary account. 7 | --- 8 | 9 | # boundary_account_password (Resource) 10 | 11 | The account resource allows you to configure a Boundary account. 12 | 13 | ## Example Usage 14 | 15 | ```terraform 16 | resource "boundary_scope" "org" { 17 | name = "organization_one" 18 | description = "My first scope!" 
19 | scope_id = "global" 20 | auto_create_admin_role = true 21 | auto_create_default_role = true 22 | } 23 | 24 | resource "boundary_auth_method" "password" { 25 | scope_id = boundary_scope.org.id 26 | type = "password" 27 | } 28 | 29 | resource "boundary_account_password" "jeff" { 30 | auth_method_id = boundary_auth_method.password.id 31 | login_name = "jeff" 32 | password = "$uper$ecure" 33 | } 34 | ``` 35 | 36 | 37 | ## Schema 38 | 39 | ### Required 40 | 41 | - `auth_method_id` (String) The resource ID for the auth method. 42 | 43 | ### Optional 44 | 45 | - `description` (String) The account description. 46 | - `login_name` (String) The login name for this account. 47 | - `name` (String) The account name. Defaults to the resource name. 48 | - `password` (String, Sensitive) The account password. Only set on create, changes will not be reflected when updating account. 49 | - `type` (String, Deprecated) The resource type. 50 | 51 | ### Read-Only 52 | 53 | - `id` (String) The ID of the account. 54 | 55 | ## Import 56 | 57 | Import is supported using the following syntax: 58 | 59 | ```shell 60 | terraform import boundary_account_password.foo 61 | ``` 62 | -------------------------------------------------------------------------------- /docs/resources/alias_target.md: -------------------------------------------------------------------------------- 1 | --- 2 | # generated by https://github.com/hashicorp/terraform-plugin-docs 3 | page_title: "boundary_alias_target Resource - terraform-provider-boundary" 4 | subcategory: "" 5 | description: |- 6 | The target alias resource allows you to configure a Boundary target alias. 7 | --- 8 | 9 | # boundary_alias_target (Resource) 10 | 11 | The target alias resource allows you to configure a Boundary target alias. 
12 | 13 | ## Example Usage 14 | 15 | ```terraform 16 | resource "boundary_scope" "org" { 17 | name = "organization_one" 18 | description = "global scope" 19 | scope_id = "global" 20 | auto_create_admin_role = true 21 | auto_create_default_role = true 22 | } 23 | 24 | resource "boundary_scope" "project" { 25 | name = "project_one" 26 | description = "My first scope!" 27 | scope_id = boundary_scope.org.id 28 | auto_create_admin_role = true 29 | } 30 | 31 | resource "boundary_host_catalog_static" "foo" { 32 | name = "test" 33 | description = "test catalog" 34 | scope_id = boundary_scope.project.id 35 | } 36 | 37 | resource "boundary_host_static" "foo" { 38 | name = "foo" 39 | host_catalog_id = boundary_host_catalog_static.foo.id 40 | address = "10.0.0.1" 41 | } 42 | 43 | resource "boundary_host_static" "bar" { 44 | name = "bar" 45 | host_catalog_id = boundary_host_catalog_static.foo.id 46 | address = "127.0.0.1" 47 | } 48 | 49 | resource "boundary_host_set_static" "foo" { 50 | name = "foo" 51 | host_catalog_id = boundary_host_catalog_static.foo.id 52 | 53 | host_ids = [ 54 | boundary_host_static.foo.id, 55 | boundary_host_static.bar.id, 56 | ] 57 | } 58 | 59 | resource "boundary_target" "foo" { 60 | name = "foo" 61 | description = "Foo target" 62 | type = "tcp" 63 | default_port = "22" 64 | scope_id = boundary_scope.project.id 65 | host_source_ids = [ 66 | boundary_host_set_static.foo.id, 67 | ] 68 | } 69 | 70 | resource "boundary_alias_target" "example_alias_target" { 71 | name = "example_alias_target" 72 | description = "Example alias to target foo using host boundary_host_static.bar" 73 | scope_id = "global" 74 | value = "example.bar.foo.boundary" 75 | destination_id = boundary_target.foo.id 76 | authorize_session_host_id = boundary_host_static.bar.id 77 | } 78 | ``` 79 | 80 | 81 | ## Schema 82 | 83 | ### Required 84 | 85 | - `scope_id` (String) The scope ID. 86 | - `value` (String) The value of the alias. 
87 | 88 | ### Optional 89 | 90 | - `authorize_session_host_id` (String) The host id to pass to Boundary when performing an authorize session action. 91 | - `description` (String) The alias description. 92 | - `destination_id` (String) The destination of the alias. 93 | - `name` (String) The alias name. Defaults to the resource name. 94 | - `type` (String) The type of alias; hardcoded. 95 | 96 | ### Read-Only 97 | 98 | - `id` (String) The ID of the account. 99 | 100 | ## Import 101 | 102 | Import is supported using the following syntax: 103 | 104 | ```shell 105 | terraform import boundary_alias_target.example_alias_target 106 | ``` 107 | -------------------------------------------------------------------------------- /docs/resources/auth_method.md: -------------------------------------------------------------------------------- 1 | --- 2 | # generated by https://github.com/hashicorp/terraform-plugin-docs 3 | page_title: "boundary_auth_method Resource - terraform-provider-boundary" 4 | subcategory: "" 5 | description: |- 6 | The auth method resource allows you to configure a Boundary auth_method. 7 | --- 8 | 9 | # boundary_auth_method (Resource) 10 | 11 | The auth method resource allows you to configure a Boundary auth_method. 12 | 13 | ## Example Usage 14 | 15 | ```terraform 16 | resource "boundary_scope" "org" { 17 | name = "organization_one" 18 | description = "My first scope!" 19 | scope_id = "global" 20 | auto_create_admin_role = true 21 | auto_create_default_role = true 22 | } 23 | 24 | resource "boundary_auth_method" "password" { 25 | scope_id = boundary_scope.org.id 26 | type = "password" 27 | } 28 | ``` 29 | 30 | 31 | ## Schema 32 | 33 | ### Required 34 | 35 | - `scope_id` (String) The scope ID. 36 | - `type` (String) The resource type. 37 | 38 | ### Optional 39 | 40 | - `description` (String) The auth method description. 41 | - `min_login_name_length` (Number, Deprecated) The minimum login name length. 
42 | - `min_password_length` (Number, Deprecated) The minimum password length. 43 | - `name` (String) The auth method name. Defaults to the resource name. 44 | 45 | ### Read-Only 46 | 47 | - `id` (String) The ID of the account. 48 | 49 | ## Import 50 | 51 | Import is supported using the following syntax: 52 | 53 | ```shell 54 | terraform import boundary_auth_method.foo 55 | ``` 56 | -------------------------------------------------------------------------------- /docs/resources/auth_method_password.md: -------------------------------------------------------------------------------- 1 | --- 2 | # generated by https://github.com/hashicorp/terraform-plugin-docs 3 | page_title: "boundary_auth_method_password Resource - terraform-provider-boundary" 4 | subcategory: "" 5 | description: |- 6 | The auth method resource allows you to configure a Boundary auth_method_password. 7 | --- 8 | 9 | # boundary_auth_method_password (Resource) 10 | 11 | The auth method resource allows you to configure a Boundary auth_method_password. 12 | 13 | 14 | 15 | 16 | ## Schema 17 | 18 | ### Required 19 | 20 | - `scope_id` (String) The scope ID. 21 | 22 | ### Optional 23 | 24 | - `description` (String) The auth method description. 25 | - `min_login_name_length` (Number) The minimum login name length. 26 | - `min_password_length` (Number) The minimum password length. 27 | - `name` (String) The auth method name. Defaults to the resource name. 28 | - `type` (String) The resource type, hardcoded per resource 29 | 30 | ### Read-Only 31 | 32 | - `id` (String) The ID of the account. 
33 | -------------------------------------------------------------------------------- /docs/resources/credential_json.md: -------------------------------------------------------------------------------- 1 | --- 2 | # generated by https://github.com/hashicorp/terraform-plugin-docs 3 | page_title: "boundary_credential_json Resource - terraform-provider-boundary" 4 | subcategory: "" 5 | description: |- 6 | The json credential resource allows you to configure a credential using a json object. 7 | --- 8 | 9 | # boundary_credential_json (Resource) 10 | 11 | The json credential resource allows you to configure a credential using a json object. 12 | 13 | ## Example Usage 14 | 15 | ```terraform 16 | resource "boundary_scope" "org" { 17 | name = "organization_one" 18 | description = "global scope" 19 | scope_id = "global" 20 | auto_create_admin_role = true 21 | auto_create_default_role = true 22 | } 23 | 24 | resource "boundary_scope" "project" { 25 | name = "project_one" 26 | description = "My first scope!" 27 | scope_id = boundary_scope.org.id 28 | auto_create_admin_role = true 29 | } 30 | 31 | resource "boundary_credential_store_static" "example" { 32 | name = "example_static_credential_store" 33 | description = "My first static credential store!" 34 | scope_id = boundary_scope.project.id 35 | } 36 | 37 | resource "boundary_credential_json" "example" { 38 | name = "example_json" 39 | description = "My first json credential!" 40 | credential_store_id = boundary_credential_store_static.example.id 41 | object = file("~/object.json") # change to valid json file 42 | } 43 | ``` 44 | 45 | 46 | ## Schema 47 | 48 | ### Required 49 | 50 | - `credential_store_id` (String) The credential store in which to save this json credential. 51 | - `object` (String, Sensitive) The object for this json credential.
Either values encoded with the "jsonencode" function, pre-escaped JSON string, or a file 52 | 53 | ### Optional 54 | 55 | - `description` (String) The description of this json credential. 56 | - `name` (String) The name of this json credential. Defaults to the resource name. 57 | 58 | ### Read-Only 59 | 60 | - `id` (String) The ID of this json credential. 61 | - `object_hmac` (String) The object hmac. 62 | 63 | ## Import 64 | 65 | Import is supported using the following syntax: 66 | 67 | ```shell 68 | terraform import boundary_credential_json.example_json 69 | ``` 70 | -------------------------------------------------------------------------------- /docs/resources/credential_ssh_private_key.md: -------------------------------------------------------------------------------- 1 | --- 2 | # generated by https://github.com/hashicorp/terraform-plugin-docs 3 | page_title: "boundary_credential_ssh_private_key Resource - terraform-provider-boundary" 4 | subcategory: "" 5 | description: |- 6 | The SSH private key credential resource allows you to configure a credential using a username, private key and optional passphrase. 7 | --- 8 | 9 | # boundary_credential_ssh_private_key (Resource) 10 | 11 | The SSH private key credential resource allows you to configure a credential using a username, private key and optional passphrase. 12 | 13 | ## Example Usage 14 | 15 | ```terraform 16 | resource "boundary_scope" "org" { 17 | name = "organization_one" 18 | description = "global scope" 19 | scope_id = "global" 20 | auto_create_admin_role = true 21 | auto_create_default_role = true 22 | } 23 | 24 | resource "boundary_scope" "project" { 25 | name = "project_one" 26 | description = "My first scope!" 27 | scope_id = boundary_scope.org.id 28 | auto_create_admin_role = true 29 | } 30 | 31 | resource "boundary_credential_store_static" "example" { 32 | name = "example_static_credential_store" 33 | description = "My first static credential store!" 
34 | scope_id = boundary_scope.project.id 35 | } 36 | 37 | resource "boundary_credential_ssh_private_key" "example" { 38 | name = "example_ssh_private_key" 39 | description = "My first ssh private key credential!" 40 | credential_store_id = boundary_credential_store_static.example.id 41 | username = "my-username" 42 | private_key = file("~/.ssh/id_rsa") # change to valid SSH Private Key 43 | private_key_passphrase = "optional-passphrase" # change to the passphrase of the Private Key if required 44 | } 45 | ``` 46 | 47 | 48 | ## Schema 49 | 50 | ### Required 51 | 52 | - `credential_store_id` (String) ID of the credential store this credential belongs to. 53 | - `private_key` (String, Sensitive) The private key associated with the credential. 54 | - `username` (String) The username associated with the credential. 55 | 56 | ### Optional 57 | 58 | - `description` (String) The description of the credential. 59 | - `name` (String) The name of the credential. Defaults to the resource name. 60 | - `private_key_passphrase` (String, Sensitive) The passphrase of the private key associated with the credential. 61 | 62 | ### Read-Only 63 | 64 | - `id` (String) The ID of the credential. 65 | - `private_key_hmac` (String) The private key hmac. 66 | - `private_key_passphrase_hmac` (String) The private key passphrase hmac. 
67 | 68 | ## Import 69 | 70 | Import is supported using the following syntax: 71 | 72 | ```shell 73 | terraform import boundary_credential_ssh_private_key.example_ssh_private_key 74 | ``` 75 | -------------------------------------------------------------------------------- /docs/resources/credential_store_static.md: -------------------------------------------------------------------------------- 1 | --- 2 | # generated by https://github.com/hashicorp/terraform-plugin-docs 3 | page_title: "boundary_credential_store_static Resource - terraform-provider-boundary" 4 | subcategory: "" 5 | description: |- 6 | The static credential store resource allows you to configure a Boundary static credential store. 7 | --- 8 | 9 | # boundary_credential_store_static (Resource) 10 | 11 | The static credential store resource allows you to configure a Boundary static credential store. 12 | 13 | ## Example Usage 14 | 15 | ```terraform 16 | resource "boundary_scope" "org" { 17 | name = "organization_one" 18 | description = "global scope" 19 | scope_id = "global" 20 | auto_create_admin_role = true 21 | auto_create_default_role = true 22 | } 23 | 24 | resource "boundary_scope" "project" { 25 | name = "project_one" 26 | description = "My first scope!" 27 | scope_id = boundary_scope.org.id 28 | auto_create_admin_role = true 29 | } 30 | 31 | resource "boundary_credential_store_static" "example" { 32 | name = "example_static_credential_store" 33 | description = "My first static credential store!" 34 | scope_id = boundary_scope.project.id 35 | } 36 | ``` 37 | 38 | 39 | ## Schema 40 | 41 | ### Required 42 | 43 | - `scope_id` (String) The scope for this credential store. 44 | 45 | ### Optional 46 | 47 | - `description` (String) The static credential store description. 48 | - `name` (String) The static credential store name. Defaults to the resource name. 49 | 50 | ### Read-Only 51 | 52 | - `id` (String) The ID of the static credential store. 
53 | 54 | ## Import 55 | 56 | Import is supported using the following syntax: 57 | 58 | ```shell 59 | terraform import boundary_credential_store_static.example_static_credential_store 60 | ``` 61 | -------------------------------------------------------------------------------- /docs/resources/credential_store_vault.md: -------------------------------------------------------------------------------- 1 | --- 2 | # generated by https://github.com/hashicorp/terraform-plugin-docs 3 | page_title: "boundary_credential_store_vault Resource - terraform-provider-boundary" 4 | subcategory: "" 5 | description: |- 6 | The credential store for Vault resource allows you to configure a Boundary credential store for Vault. 7 | --- 8 | 9 | # boundary_credential_store_vault (Resource) 10 | 11 | The credential store for Vault resource allows you to configure a Boundary credential store for Vault. The `address` and `token` in the example below are placeholders. Supply the real token through a sensitive input variable rather than a literal in HCL, and use an `https://` address for any Vault server that is not local. 12 | 13 | ## Example Usage 14 | 15 | ```terraform 16 | resource "boundary_scope" "org" { 17 | name = "organization_one" 18 | description = "My first scope!" 19 | scope_id = "global" 20 | auto_create_admin_role = true 21 | auto_create_default_role = true 22 | } 23 | 24 | resource "boundary_scope" "project" { 25 | name = "project_one" 26 | description = "My first scope!" 27 | scope_id = boundary_scope.org.id 28 | auto_create_admin_role = true 29 | } 30 | 31 | resource "boundary_credential_store_vault" "example" { 32 | name = "foo" 33 | description = "My first Vault credential store!" 34 | address = "http://127.0.0.1:8200" # change to Vault address 35 | token = "s.0ufRo6XEGU2jOqnIr7OlFYP5" # change to valid Vault token 36 | scope_id = boundary_scope.project.id 37 | } 38 | ``` 39 | 40 | 41 | ## Schema 42 | 43 | ### Required 44 | 45 | - `address` (String) The address to Vault server. This should be a complete URL such as 'https://127.0.0.1:8200' 46 | - `scope_id` (String) The scope for this credential store. 47 | - `token` (String, Sensitive) A token used for accessing Vault. Marking it Sensitive only redacts it from Terraform's output; the value is still written to Terraform state, so restrict access to the state backend.
48 | 49 | ### Optional 50 | 51 | - `ca_cert` (String) A PEM-encoded CA certificate to verify the Vault server's TLS certificate. 52 | - `client_certificate` (String) A PEM-encoded client certificate to use for TLS authentication to the Vault server. 53 | - `client_certificate_key` (String, Sensitive) A PEM-encoded private key matching the client certificate from 'client_certificate'. 54 | - `description` (String) The Vault credential store description. 55 | - `name` (String) The Vault credential store name. Defaults to the resource name. 56 | - `namespace` (String) The namespace within Vault to use. 57 | - `tls_server_name` (String) Name to use as the SNI host when connecting to Vault via TLS. 58 | - `tls_skip_verify` (Boolean) Whether or not to skip TLS verification. Skipping verification means the Vault server's identity is not checked, so the token can be sent to an impersonating endpoint; for a Vault server behind a private CA, set `ca_cert` instead. 59 | - `worker_filter` (String) HCP Only. A filter used to control which PKI workers can handle Vault requests. This allows the use of private Vault instances with Boundary. 60 | 61 | ### Read-Only 62 | 63 | - `client_certificate_key_hmac` (String) The Vault client certificate key hmac. 64 | - `id` (String) The ID of the Vault credential store. 65 | - `token_hmac` (String) The Vault token hmac. 66 | 67 | ## Import 68 | 69 | Import is supported using the following syntax: 70 | 71 | ```shell 72 | terraform import boundary_credential_store_vault.foo 73 | ``` 74 | -------------------------------------------------------------------------------- /docs/resources/credential_username_password.md: -------------------------------------------------------------------------------- 1 | --- 2 | # generated by https://github.com/hashicorp/terraform-plugin-docs 3 | page_title: "boundary_credential_username_password Resource - terraform-provider-boundary" 4 | subcategory: "" 5 | description: |- 6 | The username/password credential resource allows you to configure a credential using a username and password pair.
7 | --- 8 | 9 | # boundary_credential_username_password (Resource) 10 | 11 | The username/password credential resource allows you to configure a credential using a username and password pair. 12 | 13 | ## Example Usage 14 | 15 | ```terraform 16 | resource "boundary_scope" "org" { 17 | name = "organization_one" 18 | description = "global scope" 19 | scope_id = "global" 20 | auto_create_admin_role = true 21 | auto_create_default_role = true 22 | } 23 | 24 | resource "boundary_scope" "project" { 25 | name = "project_one" 26 | description = "My first scope!" 27 | scope_id = boundary_scope.org.id 28 | auto_create_admin_role = true 29 | } 30 | 31 | resource "boundary_credential_store_static" "example" { 32 | name = "example_static_credential_store" 33 | description = "My first static credential store!" 34 | scope_id = boundary_scope.project.id 35 | } 36 | 37 | resource "boundary_credential_username_password" "example" { 38 | name = "example_username_password" 39 | description = "My first username password credential!" 40 | credential_store_id = boundary_credential_store_static.example.id 41 | username = "my-username" 42 | password = "my-password" 43 | } 44 | ``` 45 | 46 | 47 | ## Schema 48 | 49 | ### Required 50 | 51 | - `credential_store_id` (String) The credential store in which to save this username/password credential. 52 | - `password` (String, Sensitive) The password of this username/password credential. 53 | - `username` (String) The username of this username/password credential. 54 | 55 | ### Optional 56 | 57 | - `description` (String) The description of this username/password credential. 58 | - `name` (String) The name of this username/password credential. Defaults to the resource name. 59 | 60 | ### Read-Only 61 | 62 | - `id` (String) The ID of this username/password credential. 63 | - `password_hmac` (String) The password hmac. 
64 | 65 | ## Import 66 | 67 | Import is supported using the following syntax: 68 | 69 | ```shell 70 | terraform import boundary_credential_username_password.example_username_password 71 | ``` 72 | -------------------------------------------------------------------------------- /docs/resources/group.md: -------------------------------------------------------------------------------- 1 | --- 2 | page_title: "boundary_group Resource - terraform-provider-boundary" 3 | subcategory: "" 4 | description: |- 5 | The group resource allows you to configure a Boundary group. 6 | --- 7 | 8 | # Resource `boundary_group` 9 | 10 | The group resource allows you to configure a Boundary group. 11 | 12 | ## Example Usage 13 | 14 | ```terraform 15 | resource "boundary_scope" "org" { 16 | name = "organization_one" 17 | description = "My first scope!" 18 | scope_id = "global" 19 | auto_create_admin_role = true 20 | auto_create_default_role = true 21 | } 22 | 23 | resource "boundary_user" "foo" { 24 | description = "foo user" 25 | scope_id = boundary_scope.org.id 26 | } 27 | 28 | resource "boundary_group" "example" { 29 | name = "My group" 30 | description = "My first group!" 31 | member_ids = [boundary_user.foo.id] 32 | scope_id = boundary_scope.org.id 33 | } 34 | ``` 35 | 36 | Usage for project-specific group: 37 | 38 | ```terraform 39 | resource "boundary_scope" "org" { 40 | name = "organization_one" 41 | description = "My first scope!" 42 | scope_id = "global" 43 | auto_create_admin_role = true 44 | auto_create_default_role = true 45 | } 46 | 47 | resource "boundary_scope" "project" { 48 | name = "project_one" 49 | description = "My first scope!" 50 | scope_id = boundary_scope.org.id 51 | auto_create_admin_role = true 52 | } 53 | 54 | resource "boundary_user" "foo" { 55 | description = "foo user" 56 | scope_id = boundary_scope.org.id 57 | } 58 | 59 | resource "boundary_group" "example" { 60 | name = "My group" 61 | description = "My first group!" 
62 | member_ids = [boundary_user.foo.id] 63 | scope_id = boundary_scope.project.id 64 | } 65 | ``` 66 | 67 | 68 | ## Schema 69 | 70 | ### Required 71 | 72 | - `scope_id` (String) The scope ID in which the resource is created. Defaults to the provider's `default_scope` if unset. 73 | 74 | ### Optional 75 | 76 | - `description` (String) The group description. 77 | - `member_ids` (Set of String) Resource IDs for group members, these are most likely boundary users. 78 | - `name` (String) The group name. Defaults to the resource name. 79 | 80 | ### Read-Only 81 | 82 | - `id` (String) The ID of the group. 83 | 84 | ## Import 85 | 86 | Import is supported using the following syntax: 87 | 88 | ```shell 89 | terraform import boundary_group.foo 90 | ``` 91 | -------------------------------------------------------------------------------- /docs/resources/host.md: -------------------------------------------------------------------------------- 1 | --- 2 | # generated by https://github.com/hashicorp/terraform-plugin-docs 3 | page_title: "boundary_host Resource - terraform-provider-boundary" 4 | subcategory: "" 5 | description: |- 6 | Deprecated: use boundary_host_static instead. 7 | --- 8 | 9 | # boundary_host (Resource) 10 | 11 | Deprecated: use `boundary_host_static` instead. 12 | 13 | ## Example Usage 14 | 15 | ```terraform 16 | resource "boundary_scope" "org" { 17 | name = "organization_one" 18 | description = "My first scope!" 19 | scope_id = "global" 20 | auto_create_admin_role = true 21 | auto_create_default_role = true 22 | } 23 | 24 | resource "boundary_scope" "project" { 25 | name = "project_one" 26 | description = "My first scope!" 27 | scope_id = boundary_scope.org.id 28 | auto_create_admin_role = true 29 | } 30 | 31 | resource "boundary_host_catalog" "static" { 32 | name = "My catalog" 33 | description = "My first host catalog!" 
34 | type = "static" 35 | scope_id = boundary_scope.project.id 36 | } 37 | 38 | resource "boundary_host" "example" { 39 | type = "static" 40 | name = "example_host" 41 | description = "My first host!" 42 | address = "10.0.0.1" 43 | host_catalog_id = boundary_host_catalog.static.id 44 | } 45 | ``` 46 | 47 | 48 | ## Schema 49 | 50 | ### Required 51 | 52 | - `host_catalog_id` (String) 53 | - `type` (String) The type of host 54 | 55 | ### Optional 56 | 57 | - `address` (String) The static address of the host resource, given as an IP address (note: port assignment occurs in the target resource definition, do not add :port here) or a domain name. 58 | - `description` (String) The host description. 59 | - `name` (String) The host name. Defaults to the resource name. 60 | 61 | ### Read-Only 62 | 63 | - `id` (String) The ID of the host. 64 | 65 | ## Import 66 | 67 | Import is supported using the following syntax: 68 | 69 | ```shell 70 | terraform import boundary_host.foo 71 | ``` 72 | -------------------------------------------------------------------------------- /docs/resources/host_catalog.md: -------------------------------------------------------------------------------- 1 | --- 2 | # generated by https://github.com/hashicorp/terraform-plugin-docs 3 | page_title: "boundary_host_catalog Resource - terraform-provider-boundary" 4 | subcategory: "" 5 | description: |- 6 | Deprecated: use boundary_host_catalog_static instead. 7 | --- 8 | 9 | # boundary_host_catalog (Resource) 10 | 11 | Deprecated: use `boundary_host_catalog_static` instead. 12 | 13 | ## Example Usage 14 | 15 | ```terraform 16 | resource "boundary_scope" "org" { 17 | name = "organization_one" 18 | description = "My first scope!" 19 | scope_id = boundary_scope.global.id 20 | auto_create_admin_role = true 21 | auto_create_default_role = true 22 | } 23 | 24 | resource "boundary_scope" "project" { 25 | name = "project_one" 26 | description = "My first scope!" 
27 | scope_id = boundary_scope.org.id 28 | auto_create_admin_role = true 29 | } 30 | 31 | resource "boundary_host_catalog" "example" { 32 | name = "My catalog" 33 | description = "My first host catalog!" 34 | type = "Static" 35 | scope_id = boundary_scope.project.id 36 | } 37 | ``` 38 | 39 | 40 | ## Schema 41 | 42 | ### Required 43 | 44 | - `scope_id` (String) The scope ID in which the resource is created. 45 | - `type` (String) The host catalog type. Only `static` is supported. 46 | 47 | ### Optional 48 | 49 | - `description` (String) The host catalog description. 50 | - `name` (String) The host catalog name. Defaults to the resource name. 51 | 52 | ### Read-Only 53 | 54 | - `id` (String) The ID of the host catalog. 55 | 56 | ## Import 57 | 58 | Import is supported using the following syntax: 59 | 60 | ```shell 61 | terraform import boundary_host_catalog.foo 62 | ``` 63 | -------------------------------------------------------------------------------- /docs/resources/host_catalog_static.md: -------------------------------------------------------------------------------- 1 | --- 2 | # generated by https://github.com/hashicorp/terraform-plugin-docs 3 | page_title: "boundary_host_catalog_static Resource - terraform-provider-boundary" 4 | subcategory: "" 5 | description: |- 6 | The static host catalog resource allows you to configure a Boundary static-type host catalog. Host catalogs are always part of a project, so a project resource should be used inline or you should have the project ID in hand to successfully configure a host catalog. 7 | --- 8 | 9 | # boundary_host_catalog_static (Resource) 10 | 11 | The static host catalog resource allows you to configure a Boundary static-type host catalog. Host catalogs are always part of a project, so a project resource should be used inline or you should have the project ID in hand to successfully configure a host catalog. 
12 | 13 | ## Example Usage 14 | 15 | ```terraform 16 | resource "boundary_scope" "org" { 17 | name = "organization_one" 18 | description = "My first scope!" 19 | scope_id = boundary_scope.global.id 20 | auto_create_admin_role = true 21 | auto_create_default_role = true 22 | } 23 | 24 | resource "boundary_scope" "project" { 25 | name = "project_one" 26 | description = "My first scope!" 27 | scope_id = boundary_scope.org.id 28 | auto_create_admin_role = true 29 | } 30 | 31 | resource "boundary_host_catalog_static" "example" { 32 | name = "My catalog" 33 | description = "My first host catalog!" 34 | scope_id = boundary_scope.project.id 35 | } 36 | ``` 37 | 38 | 39 | ## Schema 40 | 41 | ### Required 42 | 43 | - `scope_id` (String) The scope ID in which the resource is created. 44 | 45 | ### Optional 46 | 47 | - `description` (String) The host catalog description. 48 | - `name` (String) The host catalog name. Defaults to the resource name. 49 | 50 | ### Read-Only 51 | 52 | - `id` (String) The ID of the host catalog. 53 | 54 | ## Import 55 | 56 | Import is supported using the following syntax: 57 | 58 | ```shell 59 | terraform import boundary_host_catalog_static.foo 60 | ``` 61 | -------------------------------------------------------------------------------- /docs/resources/host_set.md: -------------------------------------------------------------------------------- 1 | --- 2 | # generated by https://github.com/hashicorp/terraform-plugin-docs 3 | page_title: "boundary_host_set Resource - terraform-provider-boundary" 4 | subcategory: "" 5 | description: |- 6 | Deprecated: use boundary_host_set_static instead. 7 | --- 8 | 9 | # boundary_host_set (Resource) 10 | 11 | Deprecated: use `boundary_host_set_static` instead. 12 | 13 | ## Example Usage 14 | 15 | ```terraform 16 | resource "boundary_scope" "org" { 17 | name = "organization_one" 18 | description = "My first scope!" 
19 | scope_id = "global" 20 | auto_create_admin_role = true 21 | auto_create_default_role = true 22 | } 23 | 24 | resource "boundary_scope" "project" { 25 | name = "project_one" 26 | description = "My first scope!" 27 | scope_id = boundary_scope.org.id 28 | auto_create_admin_role = true 29 | } 30 | 31 | resource "boundary_host_catalog" "static" { 32 | type = "static" 33 | scope_id = boundary_scope.project.id 34 | } 35 | 36 | resource "boundary_host" "first" { 37 | type = "static" 38 | name = "host_1" 39 | description = "My first host!" 40 | address = "10.0.0.1" 41 | host_catalog_id = boundary_host_catalog.static.id 42 | } 43 | 44 | resource "boundary_host" "second" { 45 | type = "static" 46 | name = "host_2" 47 | description = "My second host!" 48 | address = "10.0.0.2" 49 | host_catalog_id = boundary_host_catalog.static.id 50 | } 51 | 52 | resource "boundary_host_set" "web" { 53 | host_catalog_id = boundary_host_catalog.static.id 54 | type = "static" 55 | host_ids = [ 56 | boundary_host.first.id, 57 | boundary_host.second.id, 58 | ] 59 | } 60 | ``` 61 | 62 | 63 | ## Schema 64 | 65 | ### Required 66 | 67 | - `host_catalog_id` (String) The catalog for the host set. 68 | - `type` (String) The type of host set 69 | 70 | ### Optional 71 | 72 | - `description` (String) The host set description. 73 | - `host_ids` (Set of String) The list of host IDs contained in this set. 74 | - `name` (String) The host set name. Defaults to the resource name. 75 | 76 | ### Read-Only 77 | 78 | - `id` (String) The ID of the host set. 
79 | 80 | ## Import 81 | 82 | Import is supported using the following syntax: 83 | 84 | ```shell 85 | terraform import boundary_host_set.foo 86 | ``` 87 | -------------------------------------------------------------------------------- /docs/resources/host_set_static.md: -------------------------------------------------------------------------------- 1 | --- 2 | # generated by https://github.com/hashicorp/terraform-plugin-docs 3 | page_title: "boundary_host_set_static Resource - terraform-provider-boundary" 4 | subcategory: "" 5 | description: |- 6 | The host_set_static resource allows you to configure a Boundary host set. Host sets are always part of a host catalog, so a host catalog resource should be used inline or you should have the host catalog ID in hand to successfully configure a host set. 7 | --- 8 | 9 | # boundary_host_set_static (Resource) 10 | 11 | The host_set_static resource allows you to configure a Boundary host set. Host sets are always part of a host catalog, so a host catalog resource should be used inline or you should have the host catalog ID in hand to successfully configure a host set. 12 | 13 | ## Example Usage 14 | 15 | ```terraform 16 | resource "boundary_scope" "org" { 17 | name = "organization_one" 18 | description = "My first scope!" 19 | scope_id = "global" 20 | auto_create_admin_role = true 21 | auto_create_default_role = true 22 | } 23 | 24 | resource "boundary_scope" "project" { 25 | name = "project_one" 26 | description = "My first scope!" 27 | scope_id = boundary_scope.org.id 28 | auto_create_admin_role = true 29 | } 30 | 31 | resource "boundary_host_catalog_static" "example" { 32 | scope_id = boundary_scope.project.id 33 | } 34 | 35 | resource "boundary_host_static" "first" { 36 | name = "host_1" 37 | description = "My first host!" 
38 | address = "10.0.0.1" 39 | host_catalog_id = boundary_host_catalog_static.example.id 40 | } 41 | 42 | resource "boundary_host_static" "second" { 43 | name = "host_2" 44 | description = "My second host!" 45 | address = "10.0.0.2" 46 | host_catalog_id = boundary_host_catalog_static.example.id 47 | } 48 | 49 | resource "boundary_host_set_static" "web" { 50 | host_catalog_id = boundary_host_catalog_static.example.id 51 | host_ids = [ 52 | boundary_host_static.first.id, 53 | boundary_host_static.second.id, 54 | ] 55 | } 56 | ``` 57 | 58 | 59 | ## Schema 60 | 61 | ### Required 62 | 63 | - `host_catalog_id` (String) The catalog for the host set. 64 | 65 | ### Optional 66 | 67 | - `description` (String) The host set description. 68 | - `host_ids` (Set of String) The list of host IDs contained in this set. 69 | - `name` (String) The host set name. Defaults to the resource name. 70 | - `type` (String) The type of host set 71 | 72 | ### Read-Only 73 | 74 | - `id` (String) The ID of the host set. 75 | 76 | ## Import 77 | 78 | Import is supported using the following syntax: 79 | 80 | ```shell 81 | terraform import boundary_host_set_static.foo 82 | ``` 83 | -------------------------------------------------------------------------------- /docs/resources/host_static.md: -------------------------------------------------------------------------------- 1 | --- 2 | # generated by https://github.com/hashicorp/terraform-plugin-docs 3 | page_title: "boundary_host_static Resource - terraform-provider-boundary" 4 | subcategory: "" 5 | description: |- 6 | The static host resource allows you to configure a Boundary static host. Hosts are always part of a project, so a project resource should be used inline or you should have the project ID in hand to successfully configure a host. 7 | --- 8 | 9 | # boundary_host_static (Resource) 10 | 11 | The static host resource allows you to configure a Boundary static host. 
Hosts are always part of a project, so a project resource should be used inline or you should have the project ID in hand to successfully configure a host. 12 | 13 | ## Example Usage 14 | 15 | ```terraform 16 | resource "boundary_scope" "org" { 17 | name = "organization_one" 18 | description = "My first scope!" 19 | scope_id = "global" 20 | auto_create_admin_role = true 21 | auto_create_default_role = true 22 | } 23 | 24 | resource "boundary_scope" "project" { 25 | name = "project_one" 26 | description = "My first scope!" 27 | scope_id = boundary_scope.org.id 28 | auto_create_admin_role = true 29 | } 30 | 31 | resource "boundary_host_catalog_static" "example" { 32 | name = "My catalog" 33 | description = "My first host catalog!" 34 | scope_id = boundary_scope.project.id 35 | } 36 | 37 | resource "boundary_host_static" "example" { 38 | name = "example_host" 39 | description = "My first host!" 40 | address = "10.0.0.1" 41 | host_catalog_id = boundary_host_catalog_static.example.id 42 | } 43 | ``` 44 | 45 | 46 | ## Schema 47 | 48 | ### Required 49 | 50 | - `host_catalog_id` (String) 51 | 52 | ### Optional 53 | 54 | - `address` (String) The static address of the host resource, given as an IP address (note: port assignment occurs in the target resource definition, do not add :port here) or a domain name. 55 | - `description` (String) The host description. 56 | - `name` (String) The host name. Defaults to the resource name. 57 | - `type` (String) The type of host 58 | 59 | ### Read-Only 60 | 61 | - `id` (String) The ID of the host. 
62 | 63 | ## Import 64 | 65 | Import is supported using the following syntax: 66 | 67 | ```shell 68 | terraform import boundary_host_static.foo 69 | ``` 70 | -------------------------------------------------------------------------------- /docs/resources/managed_group.md: -------------------------------------------------------------------------------- 1 | --- 2 | # generated by https://github.com/hashicorp/terraform-plugin-docs 3 | page_title: "boundary_managed_group Resource - terraform-provider-boundary" 4 | subcategory: "" 5 | description: |- 6 | The managed group resource allows you to configure a Boundary group. 7 | --- 8 | 9 | # boundary_managed_group (Resource) 10 | 11 | The managed group resource allows you to configure a Boundary group. 12 | 13 | 14 | 15 | 16 | ## Schema 17 | 18 | ### Required 19 | 20 | - `auth_method_id` (String) The resource ID for the auth method. 21 | - `filter` (String) Boolean expression to filter the workers for this managed group. 22 | 23 | ### Optional 24 | 25 | - `description` (String) The managed group description. 26 | - `name` (String) The managed group name. Defaults to the resource name. 27 | 28 | ### Read-Only 29 | 30 | - `id` (String) The ID of the group. 31 | -------------------------------------------------------------------------------- /docs/resources/managed_group_ldap.md: -------------------------------------------------------------------------------- 1 | --- 2 | # generated by https://github.com/hashicorp/terraform-plugin-docs 3 | page_title: "boundary_managed_group_ldap Resource - terraform-provider-boundary" 4 | subcategory: "" 5 | description: |- 6 | The managed group resource allows you to configure a Boundary group. 7 | --- 8 | 9 | # boundary_managed_group_ldap (Resource) 10 | 11 | The managed group resource allows you to configure a Boundary group. 12 | 13 | ## Example Usage 14 | 15 | ```terraform 16 | resource "boundary_scope" "org" { 17 | name = "organization_one" 18 | description = "My first scope!" 
19 | scope_id = "global" 20 | auto_create_admin_role = true 21 | auto_create_default_role = true 22 | } 23 | 24 | resource "boundary_auth_method_ldap" "forumsys_ldap" { 25 | name = "forumsys public LDAP" 26 | scope_id = "global" # add the new auth method to the global scope 27 | urls = ["ldap://ldap.forumsys.com"] # the addr of the LDAP server (ldap:// is cleartext; prefer ldaps:// for a real directory) 28 | user_dn = "dc=example,dc=com" # the basedn for users 29 | user_attr = "uid" # the user attribute 30 | group_dn = "dc=example,dc=com" # the basedn for groups 31 | bind_dn = "cn=read-only-admin,dc=example,dc=com" # the dn to use when binding 32 | bind_password = "password" # passwd to use when binding (placeholder; pass real values in through a sensitive variable) 33 | state = "active-public" # make sure the new auth-method is available to everyone 34 | enable_groups = true # this turns-on the discovery of a user's groups 35 | discover_dn = true # this turns-on the discovery of an authenticating user's dn 36 | } 37 | 38 | resource "boundary_managed_group_ldap" "forumsys_scientists" { 39 | name = "scientists" 40 | description = "forumsys scientists managed group" 41 | auth_method_id = boundary_auth_method_ldap.forumsys_ldap.id 42 | group_names = ["Scientists"] 43 | } 44 | ``` 45 | 46 | 47 | ## Schema 48 | 49 | ### Required 50 | 51 | - `auth_method_id` (String) The resource ID for the auth method. 52 | - `group_names` (List of String) The list of groups that make up the managed group. 53 | 54 | ### Optional 55 | 56 | - `description` (String) The managed group description. 57 | - `name` (String) The managed group name. Defaults to the resource name. 58 | 59 | ### Read-Only 60 | 61 | - `id` (String) The ID of the group. 
62 | 63 | ## Import 64 | 65 | Import is supported using the following syntax: 66 | 67 | ```shell 68 | terraform import boundary_managed_group_ldap.foo 69 | ``` 70 | -------------------------------------------------------------------------------- /docs/resources/policy_storage.md: -------------------------------------------------------------------------------- 1 | --- 2 | # generated by https://github.com/hashicorp/terraform-plugin-docs 3 | page_title: "boundary_policy_storage Resource - terraform-provider-boundary" 4 | subcategory: "" 5 | description: |- 6 | The storage policy resource allows you to configure a Boundary storage policy. Storage policies allow an admin to configure how long session recordings must be stored and when to delete them. Storage policies must be applied to the global scope or an org scope in order to take effect. 7 | --- 8 | 9 | # boundary_policy_storage (Resource) 10 | 11 | The storage policy resource allows you to configure a Boundary storage policy. Storage policies allow an admin to configure how long session recordings must be stored and when to delete them. Storage policies must be applied to the global scope or an org scope in order to take effect. 12 | 13 | 14 | 15 | 16 | ## Schema 17 | 18 | ### Required 19 | 20 | - `scope_id` (String) The scope for this policy. 21 | 22 | ### Optional 23 | 24 | - `delete_after_days` (Number) The number of days after which a session recording will be automatically deleted. Defaults to 0: never automatically delete. However, delete_after_days and retain_for_days cannot both be 0. 25 | - `delete_after_overridable` (Boolean) Whether or not the associated delete_after_days value can be overridden by org scopes. Note: if the associated delete_after_days value is 0, overridable is ignored 26 | - `description` (String) The policy description. 27 | - `name` (String) The policy name. Defaults to the resource name. 
28 | - `retain_for_days` (Number) The number of days a session recording is required to be stored. Defaults to 0: allow deletions at any time. However, retain_for_days and delete_after_days cannot both be 0. 29 | - `retain_for_overridable` (Boolean) Whether or not the associated retain_for_days value can be overridden by org scopes. Note: if the associated retain_for_days value is 0, overridable is ignored. 30 | 31 | ### Read-Only 32 | 33 | - `id` (String) The ID of the policy. 34 | -------------------------------------------------------------------------------- /docs/resources/scope.md: -------------------------------------------------------------------------------- 1 | --- 2 | page_title: "boundary_scope Resource - terraform-provider-boundary" 3 | subcategory: "" 4 | description: |- 5 | The scope resource allows you to configure a Boundary scope. 6 | --- 7 | 8 | # Resource `boundary_scope` 9 | 10 | The scope resource allows you to configure a Boundary scope. 11 | 12 | ## Example Usage 13 | 14 | Creating the global scope: 15 | 16 | ```terraform 17 | resource "boundary_scope" "global" { 18 | global_scope = true 19 | scope_id = "global" 20 | } 21 | ``` 22 | 23 | Creating an organization scope within global: 24 | 25 | ```terraform 26 | resource "boundary_scope" "org" { 27 | name = "organization_one" 28 | description = "My first scope!" 29 | scope_id = boundary_scope.global.id 30 | auto_create_admin_role = true 31 | auto_create_default_role = true 32 | } 33 | ``` 34 | 35 | Creating an project scope within an organization: 36 | 37 | ```terraform 38 | resource "boundary_scope" "project" { 39 | name = "project_one" 40 | description = "My first scope!" 
41 | scope_id = boundary_scope.org.id 42 | auto_create_admin_role = true 43 | } 44 | ``` 45 | 46 | Creating an organization scope with a managed role for administration (auto create role set false). In this example `u_auth` stands for any authenticated user, so the role hands full control of the org to all of them; replace it with the ID of a specific admin user or group: 47 | 48 | ```terraform 49 | resource "boundary_scope" "org" { 50 | name = "organization_one" 51 | description = "My first scope!" 52 | scope_id = boundary_scope.global.id 53 | } 54 | 55 | resource "boundary_role" "org_admin" { 56 | scope_id = boundary_scope.global.id 57 | grant_scope_ids = [boundary_scope.org.id] 58 | grant_strings = ["ids=*;type=*;actions=*"] 59 | principal_ids = ["u_auth"] 60 | } 61 | ``` 62 | 63 | 64 | ## Schema 65 | 66 | ### Required 67 | 68 | - `scope_id` (String) The scope ID containing the sub scope resource. 69 | 70 | ### Optional 71 | 72 | - `auto_create_admin_role` (Boolean) If set, when a new scope is created, the provider will not disable the functionality that automatically creates a role in the new scope and gives permissions to manage the scope to the provider's user. Marking this true makes for simpler HCL but results in role resources that are unmanaged by Terraform. 73 | - `auto_create_default_role` (Boolean) Only relevant when creating an org scope. If set, when a new scope is created, the provider will not disable the functionality that automatically creates a role in the new scope and gives listing of scopes and auth methods and the ability to authenticate to the anonymous user. Marking this true makes for simpler HCL but results in role resources that are unmanaged by Terraform. 74 | - `description` (String) The scope description. 75 | - `global_scope` (Boolean) Indicates that the scope containing this value is the global scope, which triggers some specialized behavior to allow it to be imported and managed. 76 | - `name` (String) The scope name. Defaults to the resource name. 77 | 78 | ### Read-Only 79 | 80 | - `id` (String) The ID of the scope. 
81 | 82 | ## Import 83 | 84 | Import is supported using the following syntax: 85 | 86 | ```shell 87 | terraform import boundary_scope.foo 88 | ``` -------------------------------------------------------------------------------- /docs/resources/scope_policy_attachment.md: -------------------------------------------------------------------------------- 1 | --- 2 | # generated by https://github.com/hashicorp/terraform-plugin-docs 3 | page_title: "boundary_scope_policy_attachment Resource - terraform-provider-boundary" 4 | subcategory: "" 5 | description: |- 6 | 7 | --- 8 | 9 | # boundary_scope_policy_attachment (Resource) 10 | 11 | 12 | 13 | 14 | 15 | 16 | ## Schema 17 | 18 | ### Required 19 | 20 | - `policy_id` (String) 21 | - `scope_id` (String) 22 | 23 | ### Read-Only 24 | 25 | - `id` (String) The ID of this resource. 26 | -------------------------------------------------------------------------------- /docs/resources/user.md: -------------------------------------------------------------------------------- 1 | --- 2 | # generated by https://github.com/hashicorp/terraform-plugin-docs 3 | page_title: "boundary_user Resource - terraform-provider-boundary" 4 | subcategory: "" 5 | description: |- 6 | The user resource allows you to configure a Boundary user. 7 | --- 8 | 9 | # boundary_user (Resource) 10 | 11 | The user resource allows you to configure a Boundary user. 12 | 13 | ## Example Usage 14 | 15 | ```terraform 16 | resource "boundary_scope" "org" { 17 | name = "organization_one" 18 | description = "My first scope!" 
19 | scope_id = "global" 20 | auto_create_admin_role = true 21 | auto_create_default_role = true 22 | } 23 | 24 | resource "boundary_auth_method" "password" { 25 | scope_id = boundary_scope.org.id 26 | type = "password" 27 | } 28 | 29 | resource "boundary_account_password" "jeff" { 30 | auth_method_id = boundary_auth_method.password.id 31 | type = "password" 32 | login_name = "jeff" 33 | password = "$uper$ecure" 34 | } 35 | 36 | resource "boundary_user" "jeff" { 37 | name = "jeff" 38 | description = "Jeff's user resource" 39 | account_ids = [boundary_account_password.jeff.id] 40 | scope_id = boundary_scope.org.id 41 | } 42 | ``` 43 | 44 | 45 | ## Schema 46 | 47 | ### Required 48 | 49 | - `scope_id` (String) The scope ID in which the resource is created. Defaults to the provider's `default_scope` if unset. 50 | 51 | ### Optional 52 | 53 | - `account_ids` (Set of String) Account ID's to associate with this user resource. 54 | - `description` (String) The user description. 55 | - `name` (String) The username. Defaults to the resource name. 56 | 57 | ### Read-Only 58 | 59 | - `id` (String) The ID of the user. 60 | 61 | ## Import 62 | 63 | Import is supported using the following syntax: 64 | 65 | ```shell 66 | terraform import boundary_user.foo 67 | ``` 68 | -------------------------------------------------------------------------------- /docs/resources/worker.md: -------------------------------------------------------------------------------- 1 | --- 2 | page_title: "boundary_worker Resource - terraform-provider-boundary" 3 | subcategory: "" 4 | description: |- 5 | The resource allows you to create a self-managed worker object. 6 | --- 7 | 8 | # boundary_worker (Resource) 9 | 10 | The resource allows you to create a self-managed worker object. 
11 | 12 | ## Example Usage 13 | 14 | ### Controller-led worker 15 | 16 | ```terraform 17 | resource "boundary_worker" "controller_led" { 18 | scope_id = "global" 19 | name = "controller-led-worker-1" 20 | description = "self managed worker with controller led auth" 21 | } 22 | ``` 23 | 24 | ### Worker-led worker 25 | 26 | ```terraform 27 | resource "boundary_worker" "worker_led" { 28 | scope_id = "global" 29 | name = "worker-led-worker-1" 30 | description = "self managed worker with worker led auth" 31 | worker_generated_auth_token = var.worker_generated_auth_token 32 | } 33 | ``` 34 | 35 | 36 | ## Schema 37 | 38 | ### Optional 39 | 40 | - `description` (String) The description for the worker. 41 | - `name` (String) The name for the worker. 42 | - `scope_id` (String) The scope for the worker. Defaults to `global`. 43 | - `worker_generated_auth_token` (String) The worker authentication token required to register the worker for the worker-led authentication flow. Leaving this blank will result in a controller generated token. 44 | 45 | ### Read-Only 46 | 47 | - `address` (String) The accessible address of the self managed worker. 48 | - `authorized_actions` (List of String) A list of actions that the worker is entitled to perform. 49 | - `controller_generated_activation_token` (String) A single use token generated by the controller to be passed to the self-managed worker. Handle it as a secret until the worker has consumed it, since it is also recorded in Terraform state. 50 | - `id` (String) The ID of the worker. 51 | - `release_version` (Number) The version of the Boundary binary running on the self managed worker. 
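52 |
53 | ## Import
54 |
55 | Import is supported using the following syntax:
56 |
57 | ```shell
58 | terraform import boundary_worker.foo
59 | ```
60 |
--------------------------------------------------------------------------------
/examples/data-sources/boundary_account/data-source.tf:
--------------------------------------------------------------------------------
1 | # Retrieve the ID of a Boundary account
2 | data "boundary_account" "admin" {
3 |   name = "admin"
4 |   auth_method_id = "ampw_1234567890"
5 | }
6 |
--------------------------------------------------------------------------------
/examples/data-sources/boundary_auth_method/data-source.tf:
--------------------------------------------------------------------------------
1 | # Retrieve an auth method from the global scope
2 | data "boundary_auth_method" "auth_method" {
3 |   name = "password_auth_method"
4 | }
5 |
6 | # Auth method from an org scope
7 | data "boundary_scope" "org" {
8 |   name = "my-org"
9 |   scope_id = "global"
10 | }
11 |
12 | data "boundary_auth_method" "org_auth_method" { # distinct name: two data blocks of the same type cannot share a name within one module
13 |   name = "password_auth_method"
14 |   scope_id = data.boundary_scope.org.id
15 | }
16 |
--------------------------------------------------------------------------------
/examples/data-sources/boundary_group/data-source.tf:
--------------------------------------------------------------------------------
1 | # Retrieve a group from the global scope
2 | data "boundary_group" "global_group" {
3 |   name = "admin"
4 | }
5 |
6 | # Group from an org scope
7 | data "boundary_scope" "org" {
8 |   name = "org"
9 |   scope_id = "global"
10 | }
11 |
12 | data "boundary_group" "org_group" {
13 |   name = "username"
14 |   scope_id = data.boundary_scope.org.id
15 | }
16 |
--------------------------------------------------------------------------------
/examples/data-sources/boundary_scope/data-source.tf:
--------------------------------------------------------------------------------
1 | # Retrieve the ID of a Boundary project
2 | data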
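"boundary_scope" "org" {
3 |   name = "SecOps"
4 |   scope_id = "global"
5 | }
6 |
7 | data "boundary_scope" "project" {
8 |   name = "2111"
9 |   scope_id = data.boundary_scope.org.id # look the project up inside the org scope resolved above
10 | }
11 |
--------------------------------------------------------------------------------
/examples/data-sources/boundary_user/data-source.tf:
--------------------------------------------------------------------------------
1 | # Retrieve a user from the global scope
2 | data "boundary_user" "global_scope_admin" {
3 |   name = "admin"
4 | }
5 |
6 | # User from an org scope
7 | data "boundary_user" "org_user" {
8 |   name = "username"
9 |   scope_id = data.boundary_scope.org.id
10 | }
11 |
12 | data "boundary_scope" "org" {
13 |   name = "my-org"
14 |   scope_id = "global" # parent scope of the org; a data source cannot be resolved from its own id
15 | }
16 |
--------------------------------------------------------------------------------
/examples/provider/provider.tf:
--------------------------------------------------------------------------------
1 | provider "boundary" { # the three blocks in this file read as alternative configurations; a module accepts only one un-aliased provider block
2 |   addr = "http://127.0.0.1:9200" # plain HTTP on loopback suits a local dev controller only; use an https:// address anywhere else
3 |   auth_method_id = "ampw_1234567890" # changeme
4 |   auth_method_login_name = "myuser" # changeme
5 |   auth_method_password = "passpass" # changeme; placeholder only - pass the real value through a variable marked sensitive instead of a literal kept in version control
6 | }
7 |
8 | provider "boundary" {
9 |   addr = "http://127.0.0.1:9200"
10 |   auth_method_login_name = "myuser"
11 |   auth_method_password = "passpass" # placeholder only; same handling as in the first block
12 | }
13 |
14 | provider "boundary" {
15 |   addr = "http://127.0.0.1:9200"
16 |   auth_method_login_name = "myuser"
17 |   auth_method_password = "passpass" # placeholder only; same handling as in the first block
18 |   scope_id = "s_1234567890"
19 | }
20 |
--------------------------------------------------------------------------------
/examples/resources/boundary_account_ldap/import.sh:
--------------------------------------------------------------------------------
1 | terraform import boundary_account_ldap.foo
2 |
--------------------------------------------------------------------------------
/examples/resources/boundary_account_ldap/resource.tf: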
--------------------------------------------------------------------------------
1 | resource "boundary_scope" "org" {
2 |   name = "organization_one"
3 |   description = "My first scope!"
4 |   scope_id = "global"
5 |   auto_create_admin_role = true
6 |   auto_create_default_role = true
7 | }
8 |
9 | resource "boundary_auth_method_ldap" "forumsys_ldap" {
10 |   name = "forumsys public LDAP"
11 |   scope_id = "global" # add the new auth method to the global scope
12 |   urls = ["ldap://ldap.forumsys.com"] # the addr of the LDAP server; ldap:// is unencrypted, so the bind password and user passwords cross the network in clear - acceptable for this public test directory, use ldaps:// or StartTLS for a real one
13 |   user_dn = "dc=example,dc=com" # the basedn for users
14 |   user_attr = "uid" # the user attribute
15 |   group_dn = "dc=example,dc=com" # the basedn for groups
16 |   bind_dn = "cn=read-only-admin,dc=example,dc=com" # the dn to use when binding
17 |   bind_password = "password" # passwd to use when binding; demo value - supply a real bind password from a sensitive variable, and treat the Terraform state as secret because resource arguments are persisted there
18 |   state = "active-public" # make sure the new auth-method is available to everyone; NOTE(review): this presumably also lists the method to unauthenticated users - confirm that is intended
19 |   enable_groups = true # this turns-on the discovery of a user's groups
20 |   discover_dn = true # this turns-on the discovery of an authenticating user's dn
21 | }
22 |
23 | resource "boundary_account_ldap" "einstein" {
24 |   auth_method_id = boundary_auth_method_ldap.forumsys_ldap.id
25 |   login_name = "einstein"
26 |   name = "einstein"
27 | }
28 |
29 | resource "boundary_user" "einstein" {
30 |   name = "einstein"
31 |   description = "User resource for einstein"
32 |   scope_id = "global"
33 |   account_ids = [boundary_account_ldap.einstein.id]
34 | }
35 |
--------------------------------------------------------------------------------
/examples/resources/boundary_account_password/import.sh:
--------------------------------------------------------------------------------
1 | terraform import boundary_account_password.foo
--------------------------------------------------------------------------------
/examples/resources/boundary_account_password/resource.tf:
--------------------------------------------------------------------------------
1 | resource "boundary_scope"
"org" { 2 | name = "organization_one" 3 | description = "My first scope!" 4 | scope_id = "global" 5 | auto_create_admin_role = true 6 | auto_create_default_role = true 7 | } 8 | 9 | resource "boundary_auth_method" "password" { 10 | scope_id = boundary_scope.org.id 11 | type = "password" 12 | } 13 | 14 | resource "boundary_account_password" "jeff" { 15 | auth_method_id = boundary_auth_method.password.id 16 | login_name = "jeff" 17 | password = "$uper$ecure" 18 | } 19 | -------------------------------------------------------------------------------- /examples/resources/boundary_alias_target/import.sh: -------------------------------------------------------------------------------- 1 | terraform import boundary_alias_target.example_alias_target 2 | -------------------------------------------------------------------------------- /examples/resources/boundary_alias_target/resource.tf: -------------------------------------------------------------------------------- 1 | resource "boundary_scope" "org" { 2 | name = "organization_one" 3 | description = "global scope" 4 | scope_id = "global" 5 | auto_create_admin_role = true 6 | auto_create_default_role = true 7 | } 8 | 9 | resource "boundary_scope" "project" { 10 | name = "project_one" 11 | description = "My first scope!" 
12 | scope_id = boundary_scope.org.id 13 | auto_create_admin_role = true 14 | } 15 | 16 | resource "boundary_host_catalog_static" "foo" { 17 | name = "test" 18 | description = "test catalog" 19 | scope_id = boundary_scope.project.id 20 | } 21 | 22 | resource "boundary_host_static" "foo" { 23 | name = "foo" 24 | host_catalog_id = boundary_host_catalog_static.foo.id 25 | address = "10.0.0.1" 26 | } 27 | 28 | resource "boundary_host_static" "bar" { 29 | name = "bar" 30 | host_catalog_id = boundary_host_catalog_static.foo.id 31 | address = "127.0.0.1" 32 | } 33 | 34 | resource "boundary_host_set_static" "foo" { 35 | name = "foo" 36 | host_catalog_id = boundary_host_catalog_static.foo.id 37 | 38 | host_ids = [ 39 | boundary_host_static.foo.id, 40 | boundary_host_static.bar.id, 41 | ] 42 | } 43 | 44 | resource "boundary_target" "foo" { 45 | name = "foo" 46 | description = "Foo target" 47 | type = "tcp" 48 | default_port = "22" 49 | scope_id = boundary_scope.project.id 50 | host_source_ids = [ 51 | boundary_host_set_static.foo.id, 52 | ] 53 | } 54 | 55 | resource "boundary_alias_target" "example_alias_target" { 56 | name = "example_alias_target" 57 | description = "Example alias to target foo using host boundary_host_static.bar" 58 | scope_id = "global" 59 | value = "example.bar.foo.boundary" 60 | destination_id = boundary_target.foo.id 61 | authorize_session_host_id = boundary_host_static.bar.id 62 | } -------------------------------------------------------------------------------- /examples/resources/boundary_auth_method/import.sh: -------------------------------------------------------------------------------- 1 | terraform import boundary_auth_method.foo -------------------------------------------------------------------------------- /examples/resources/boundary_auth_method/resource.tf: -------------------------------------------------------------------------------- 1 | resource "boundary_scope" "org" { 2 | name = "organization_one" 3 | description = "My first scope!" 
4 | scope_id = "global" 5 | auto_create_admin_role = true 6 | auto_create_default_role = true 7 | } 8 | 9 | resource "boundary_auth_method" "password" { 10 | scope_id = boundary_scope.org.id 11 | type = "password" 12 | } 13 | -------------------------------------------------------------------------------- /examples/resources/boundary_auth_method_ldap/import.sh: -------------------------------------------------------------------------------- 1 | terraform import boundary_auth_method_ldap.foo 2 | -------------------------------------------------------------------------------- /examples/resources/boundary_auth_method_ldap/resource.tf: -------------------------------------------------------------------------------- 1 | resource "boundary_scope" "org" { 2 | name = "organization_one" 3 | description = "My first scope!" 4 | scope_id = "global" 5 | auto_create_admin_role = true 6 | auto_create_default_role = true 7 | } 8 | 9 | resource "boundary_auth_method_ldap" "forumsys_ldap" { 10 | name = "forumsys public LDAP" 11 | scope_id = "global" # add the new auth method to the global scope 12 | urls = ["ldap://ldap.forumsys.com"] # the addr of the LDAP server 13 | user_dn = "dc=example,dc=com" # the basedn for users 14 | user_attr = "uid" # the user attribute 15 | group_dn = "dc=example,dc=com" # the basedn for groups 16 | bind_dn = "cn=read-only-admin,dc=example,dc=com" # the dn to use when binding 17 | bind_password = "password" # passwd to use when binding 18 | state = "active-public" # make sure the new auth-method is available to everyone 19 | enable_groups = true # this turns-on the discovery of a user's groups 20 | discover_dn = true # this turns-on the discovery of an authenticating user's dn 21 | } 22 | -------------------------------------------------------------------------------- /examples/resources/boundary_auth_method_oidc/import.sh: -------------------------------------------------------------------------------- 1 | terraform import boundary_auth_method_oidc.foo 
-------------------------------------------------------------------------------- /examples/resources/boundary_auth_method_oidc/resource.tf: -------------------------------------------------------------------------------- 1 | resource "boundary_scope" "org" { 2 | name = "organization_one" 3 | description = "My first scope!" 4 | scope_id = "global" 5 | auto_create_admin_role = true 6 | auto_create_default_role = true 7 | } 8 | 9 | resource "boundary_auth_method_oidc" "vault" { 10 | api_url_prefix = "https://XO-XO-XO-XO-XOXOXO.boundary.hashicorp.cloud:9200" 11 | client_id = "eieio" 12 | client_secret = "hvo_secret_XO" 13 | description = "My Boundary OIDC Auth Method for Vault" 14 | issuer = "https://XO-XO-XO-XO-XOXOXO.vault.hashicorp.cloud:8200/v1/identity/oidc/provider/my-provider" 15 | scope_id = "global" 16 | signing_algorithms = ["RS256"] 17 | type = "oidc" 18 | } 19 | 20 | resource "boundary_auth_method_oidc" "oidc_with_one_prompt" { 21 | api_url_prefix = "https://XO-XO-XO-XO-XOXOXO.boundary.hashicorp.cloud:9200" 22 | client_id = "eieio" 23 | client_secret = "hvo_secret_XO" 24 | description = "My Boundary OIDC Auth Method With Prompt" 25 | issuer = "https://sts.windows.net/TENANT_ID/" 26 | scope_id = "global" 27 | signing_algorithms = ["RS256"] 28 | prompts = ["select_account"] 29 | type = "oidc" 30 | } 31 | 32 | resource "boundary_auth_method_oidc" "oidc_with_multiple_prompts" { 33 | api_url_prefix = "https://XO-XO-XO-XO-XOXOXO.boundary.hashicorp.cloud:9200" 34 | client_id = "eieio" 35 | client_secret = "hvo_secret_XO" 36 | description = "My Boundary OIDC Auth Method With Multiple Prompts" 37 | issuer = "https://sts.windows.net/TENANT_ID/" 38 | scope_id = "global" 39 | signing_algorithms = ["RS256"] 40 | prompts = ["consent", "select_account"] 41 | type = "oidc" 42 | } 43 | -------------------------------------------------------------------------------- /examples/resources/boundary_credential_json/import.sh: 
-------------------------------------------------------------------------------- 1 | terraform import boundary_credential_json.example_json -------------------------------------------------------------------------------- /examples/resources/boundary_credential_json/resource.tf: -------------------------------------------------------------------------------- 1 | resource "boundary_scope" "org" { 2 | name = "organization_one" 3 | description = "global scope" 4 | scope_id = "global" 5 | auto_create_admin_role = true 6 | auto_create_default_role = true 7 | } 8 | 9 | resource "boundary_scope" "project" { 10 | name = "project_one" 11 | description = "My first scope!" 12 | scope_id = boundary_scope.org.id 13 | auto_create_admin_role = true 14 | } 15 | 16 | resource "boundary_credential_store_static" "example" { 17 | name = "example_static_credential_store" 18 | description = "My first static credential store!" 19 | scope_id = boundary_scope.project.id 20 | } 21 | 22 | resource "boundary_credential_json" "example" { 23 | name = "example_json" 24 | description = "My first json credential!" 25 | credential_store_id = boundary_credential_store_static.example.id 26 | object = file("~/object.json") # change to valid json file 27 | } 28 | -------------------------------------------------------------------------------- /examples/resources/boundary_credential_library_vault/import.sh: -------------------------------------------------------------------------------- 1 | terraform import boundary_credential_library_vault.foo 2 | -------------------------------------------------------------------------------- /examples/resources/boundary_credential_library_vault/resource.tf: -------------------------------------------------------------------------------- 1 | resource "boundary_scope" "org" { 2 | name = "organization_one" 3 | description = "My first scope!" 
4 | scope_id = "global" 5 | auto_create_admin_role = true 6 | auto_create_default_role = true 7 | } 8 | 9 | resource "boundary_scope" "project" { 10 | name = "project_one" 11 | description = "My first scope!" 12 | scope_id = boundary_scope.org.id 13 | auto_create_admin_role = true 14 | } 15 | 16 | resource "boundary_credential_store_vault" "foo" { 17 | name = "foo" 18 | description = "My first Vault credential store!" 19 | address = "http://127.0.0.1:8200" # change to Vault address 20 | token = "s.0ufRo6XEGU2jOqnIr7OlFYP5" # change to valid Vault token 21 | scope_id = boundary_scope.project.id 22 | } 23 | 24 | resource "boundary_credential_library_vault" "foo" { 25 | name = "foo" 26 | description = "My first Vault credential library!" 27 | credential_store_id = boundary_credential_store_vault.foo.id 28 | path = "my/secret/foo" # change to Vault backend path 29 | http_method = "GET" 30 | } 31 | 32 | resource "boundary_credential_library_vault" "bar" { 33 | name = "bar" 34 | description = "My second Vault credential library!" 35 | credential_store_id = boundary_credential_store_vault.foo.id 36 | path = "my/secret/bar" # change to Vault backend path 37 | http_method = "POST" 38 | http_request_body = < 2 | -------------------------------------------------------------------------------- /examples/resources/boundary_credential_library_vault_ssh_certificate/resource.tf: -------------------------------------------------------------------------------- 1 | resource "boundary_scope" "org" { 2 | name = "organization_one" 3 | description = "My first scope!" 4 | scope_id = "global" 5 | auto_create_admin_role = true 6 | auto_create_default_role = true 7 | } 8 | 9 | resource "boundary_scope" "project" { 10 | name = "project_one" 11 | description = "My first scope!" 12 | scope_id = boundary_scope.org.id 13 | auto_create_admin_role = true 14 | } 15 | 16 | resource "boundary_credential_store_vault" "foo" { 17 | name = "foo" 18 | description = "My first Vault credential store!" 
19 | address = "http://127.0.0.1:8200" # change to Vault address 20 | token = "s.0ufRo6XEGU2jOqnIr7OlFYP5" # change to valid Vault token 21 | scope_id = boundary_scope.project.id 22 | } 23 | 24 | resource "boundary_credential_library_vault_ssh_certificate" "foo" { 25 | name = "foo" 26 | description = "My first Vault SSH certificate credential library!" 27 | credential_store_id = boundary_credential_store_vault.foo.id 28 | path = "ssh/sign/foo" # change to correct Vault endpoint and role 29 | username = "foo" # change to valid username 30 | } 31 | 32 | resource "boundary_credential_library_vault_ssh_certificate" "bar" { 33 | name = "bar" 34 | description = "My second Vault SSH certificate credential library!" 35 | credential_store_id = boundary_credential_store_vault.foo.id 36 | path = "ssh/sign/foo" # change to correct Vault endpoint and role 37 | username = "foo" 38 | key_type = "ecdsa" 39 | key_bits = 384 40 | 41 | extensions = { 42 | permit-pty = "" 43 | } 44 | } 45 | 46 | resource "boundary_credential_library_vault_ssh_certificate" "baz" { 47 | name = "baz" 48 | description = "vault " 49 | credential_store_id = boundary_credential_store_vault.foo.id 50 | path = "ssh/issue/foo" # change to correct Vault endpoint and role 51 | username = "foo" 52 | key_type = "rsa" 53 | key_bits = 4096 54 | 55 | extensions = { 56 | permit-pty = "" 57 | permit-X11-forwarding = "" 58 | } 59 | 60 | critical_options = { 61 | force-command = "/bin/some_script" 62 | } 63 | } 64 | -------------------------------------------------------------------------------- /examples/resources/boundary_credential_ssh_private_key/import.sh: -------------------------------------------------------------------------------- 1 | terraform import boundary_credential_ssh_private_key.example_ssh_private_key 2 | -------------------------------------------------------------------------------- /examples/resources/boundary_credential_ssh_private_key/resource.tf: 
--------------------------------------------------------------------------------
1 | resource "boundary_scope" "org" {
2 |   name = "organization_one"
3 |   description = "global scope"
4 |   scope_id = "global"
5 |   auto_create_admin_role = true
6 |   auto_create_default_role = true
7 | }
8 |
9 | resource "boundary_scope" "project" {
10 |   name = "project_one"
11 |   description = "My first scope!"
12 |   scope_id = boundary_scope.org.id
13 |   auto_create_admin_role = true
14 | }
15 |
16 | resource "boundary_credential_store_static" "example" {
17 |   name = "example_static_credential_store"
18 |   description = "My first static credential store!"
19 |   scope_id = boundary_scope.project.id
20 | }
21 |
22 | resource "boundary_credential_ssh_private_key" "example" {
23 |   name = "example_ssh_private_key"
24 |   description = "My first ssh private key credential!"
25 |   credential_store_id = boundary_credential_store_static.example.id
26 |   username = "my-username"
27 |   private_key = file("~/.ssh/id_rsa") # change to valid SSH Private Key; prefer a key issued for this credential over a personal one, since Terraform persists resource arguments in state and the state file must then be protected like the key itself
28 |   private_key_passphrase = "optional-passphrase" # change to the passphrase of the Private Key if required; supply it from a sensitive variable rather than a literal
29 | }
30 |
--------------------------------------------------------------------------------
/examples/resources/boundary_credential_store_static/import.sh:
--------------------------------------------------------------------------------
1 | terraform import boundary_credential_store_static.example_static_credential_store
2 |
--------------------------------------------------------------------------------
/examples/resources/boundary_credential_store_static/resource.tf:
--------------------------------------------------------------------------------
1 | resource "boundary_scope" "org" {
2 |   name = "organization_one"
3 |   description = "global scope"
4 |   scope_id = "global"
5 |   auto_create_admin_role = true
6 |   auto_create_default_role = true
7 | }
8 |
9 | resource "boundary_scope" "project" {
10 |   name = "project_one"
11 |   description = "My first
scope!" 12 | scope_id = boundary_scope.org.id 13 | auto_create_admin_role = true 14 | } 15 | 16 | resource "boundary_credential_store_static" "example" { 17 | name = "example_static_credential_store" 18 | description = "My first static credential store!" 19 | scope_id = boundary_scope.project.id 20 | } 21 | -------------------------------------------------------------------------------- /examples/resources/boundary_credential_store_vault/import.sh: -------------------------------------------------------------------------------- 1 | terraform import boundary_credential_store_vault.foo 2 | -------------------------------------------------------------------------------- /examples/resources/boundary_credential_store_vault/resource.tf: -------------------------------------------------------------------------------- 1 | resource "boundary_scope" "org" { 2 | name = "organization_one" 3 | description = "My first scope!" 4 | scope_id = "global" 5 | auto_create_admin_role = true 6 | auto_create_default_role = true 7 | } 8 | 9 | resource "boundary_scope" "project" { 10 | name = "project_one" 11 | description = "My first scope!" 12 | scope_id = boundary_scope.org.id 13 | auto_create_admin_role = true 14 | } 15 | 16 | resource "boundary_credential_store_vault" "example" { 17 | name = "foo" 18 | description = "My first Vault credential store!" 
19 | address = "http://127.0.0.1:8200" # change to Vault address 20 | token = "s.0ufRo6XEGU2jOqnIr7OlFYP5" # change to valid Vault token 21 | scope_id = boundary_scope.project.id 22 | } 23 | -------------------------------------------------------------------------------- /examples/resources/boundary_credential_username_password/import.sh: -------------------------------------------------------------------------------- 1 | terraform import boundary_credential_username_password.example_username_password 2 | -------------------------------------------------------------------------------- /examples/resources/boundary_credential_username_password/resource.tf: -------------------------------------------------------------------------------- 1 | resource "boundary_scope" "org" { 2 | name = "organization_one" 3 | description = "global scope" 4 | scope_id = "global" 5 | auto_create_admin_role = true 6 | auto_create_default_role = true 7 | } 8 | 9 | resource "boundary_scope" "project" { 10 | name = "project_one" 11 | description = "My first scope!" 12 | scope_id = boundary_scope.org.id 13 | auto_create_admin_role = true 14 | } 15 | 16 | resource "boundary_credential_store_static" "example" { 17 | name = "example_static_credential_store" 18 | description = "My first static credential store!" 19 | scope_id = boundary_scope.project.id 20 | } 21 | 22 | resource "boundary_credential_username_password" "example" { 23 | name = "example_username_password" 24 | description = "My first username password credential!" 
25 | credential_store_id = boundary_credential_store_static.example.id 26 | username = "my-username" 27 | password = "my-password" 28 | } 29 | -------------------------------------------------------------------------------- /examples/resources/boundary_group/import.sh: -------------------------------------------------------------------------------- 1 | terraform import boundary_group.foo -------------------------------------------------------------------------------- /examples/resources/boundary_group/project-specific/resource.tf: -------------------------------------------------------------------------------- 1 | resource "boundary_scope" "org" { 2 | name = "organization_one" 3 | description = "My first scope!" 4 | scope_id = "global" 5 | auto_create_admin_role = true 6 | auto_create_default_role = true 7 | } 8 | 9 | resource "boundary_scope" "project" { 10 | name = "project_one" 11 | description = "My first scope!" 12 | scope_id = boundary_scope.org.id 13 | auto_create_admin_role = true 14 | } 15 | 16 | resource "boundary_user" "foo" { 17 | description = "foo user" 18 | scope_id = boundary_scope.org.id 19 | } 20 | 21 | resource "boundary_group" "example" { 22 | name = "My group" 23 | description = "My first group!" 24 | member_ids = [boundary_user.foo.id] 25 | scope_id = boundary_scope.project.id 26 | } 27 | -------------------------------------------------------------------------------- /examples/resources/boundary_group/simple/resource.tf: -------------------------------------------------------------------------------- 1 | resource "boundary_scope" "org" { 2 | name = "organization_one" 3 | description = "My first scope!" 4 | scope_id = "global" 5 | auto_create_admin_role = true 6 | auto_create_default_role = true 7 | } 8 | 9 | resource "boundary_user" "foo" { 10 | description = "foo user" 11 | scope_id = boundary_scope.org.id 12 | } 13 | 14 | resource "boundary_group" "example" { 15 | name = "My group" 16 | description = "My first group!" 
17 | member_ids = [boundary_user.foo.id] 18 | scope_id = boundary_scope.org.id 19 | } 20 | -------------------------------------------------------------------------------- /examples/resources/boundary_host/import.sh: -------------------------------------------------------------------------------- 1 | terraform import boundary_host.foo -------------------------------------------------------------------------------- /examples/resources/boundary_host/resource.tf: -------------------------------------------------------------------------------- 1 | resource "boundary_scope" "org" { 2 | name = "organization_one" 3 | description = "My first scope!" 4 | scope_id = "global" 5 | auto_create_admin_role = true 6 | auto_create_default_role = true 7 | } 8 | 9 | resource "boundary_scope" "project" { 10 | name = "project_one" 11 | description = "My first scope!" 12 | scope_id = boundary_scope.org.id 13 | auto_create_admin_role = true 14 | } 15 | 16 | resource "boundary_host_catalog" "static" { 17 | name = "My catalog" 18 | description = "My first host catalog!" 19 | type = "static" 20 | scope_id = boundary_scope.project.id 21 | } 22 | 23 | resource "boundary_host" "example" { 24 | type = "static" 25 | name = "example_host" 26 | description = "My first host!" 27 | address = "10.0.0.1" 28 | host_catalog_id = boundary_host_catalog.static.id 29 | } 30 | -------------------------------------------------------------------------------- /examples/resources/boundary_host_catalog/import.sh: -------------------------------------------------------------------------------- 1 | terraform import boundary_host_catalog.foo -------------------------------------------------------------------------------- /examples/resources/boundary_host_catalog/resource.tf: -------------------------------------------------------------------------------- 1 | resource "boundary_scope" "org" { 2 | name = "organization_one" 3 | description = "My first scope!" 
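4 |   scope_id = "global" # literal ID of the global scope; this file declares no boundary_scope.global resource to reference
5 |   auto_create_admin_role = true
6 |   auto_create_default_role = true
7 | }
8 |
9 | resource "boundary_scope" "project" {
10 |   name = "project_one"
11 |   description = "My first scope!"
12 |   scope_id = boundary_scope.org.id
13 |   auto_create_admin_role = true
14 | }
15 |
16 | resource "boundary_host_catalog" "example" {
17 |   name = "My catalog"
18 |   description = "My first host catalog!"
19 |   type = "static" # lower case, matching the other boundary_host_catalog examples
20 |   scope_id = boundary_scope.project.id
21 | }
22 |
--------------------------------------------------------------------------------
/examples/resources/boundary_host_catalog_plugin/import.sh:
--------------------------------------------------------------------------------
1 | terraform import boundary_host_catalog_plugin.foo
--------------------------------------------------------------------------------
/examples/resources/boundary_host_catalog_plugin/resource.tf:
--------------------------------------------------------------------------------
1 | resource "boundary_scope" "org" {
2 |   name = "organization_one"
3 |   description = "My first scope!"
4 |   scope_id = "global" # literal ID of the global scope; this file declares no boundary_scope.global resource to reference
5 |   auto_create_admin_role = true
6 |   auto_create_default_role = true
7 | }
8 |
9 | resource "boundary_scope" "project" {
10 |   name = "project_one"
11 |   description = "My first scope!"
12 |   scope_id = boundary_scope.org.id
13 |   auto_create_admin_role = true
14 | }
15 |
16 | # For more information about the aws plugin, please visit here:
17 | # https://github.com/hashicorp/boundary-plugin-host-aws
18 | #
19 | # For more information about aws users, please visit here:
20 | # https://learn.hashicorp.com/tutorials/boundary/aws-host-catalogs?in=boundary/oss-access-management#configure-terraform-and-iam-user-privileges
21 | resource "boundary_host_catalog_plugin" "aws_example" {
22 |   name = "My aws catalog"
23 |   description = "My first host catalog!"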
24 | scope_id = boundary_scope.project.id 25 | plugin_name = "aws" 26 | attributes_json = jsonencode({ "region" = "us-east-1" }) 27 | 28 | # recommended to pass in aws secrets using a file() or using environment variables 29 | # the secrets below must be generated in aws by creating a aws iam user with programmatic access 30 | secrets_json = jsonencode({ 31 | "access_key_id" = "aws_access_key_id_value", 32 | "secret_access_key" = "aws_secret_access_key_value" 33 | }) 34 | } 35 | 36 | # For more information about the azure plugin, please visit here: 37 | # https://github.com/hashicorp/boundary-plugin-host-azure 38 | # 39 | # For more information about azure ad applications, please visit here: 40 | # https://learn.hashicorp.com/tutorials/boundary/azure-host-catalogs#register-a-new-azure-ad-application-1 41 | resource "boundary_host_catalog_plugin" "azure_example" { 42 | name = "My azure catalog" 43 | description = "My second host catalog!" 44 | scope_id = boundary_scope.project.id 45 | plugin_name = "azure" 46 | 47 | # the attributes below must be generated in azure by creating an ad application 48 | attributes_json = jsonencode({ 49 | "disable_credential_rotation" = "true", 50 | "tenant_id" = "ARM_TENANT_ID", 51 | "subscription_id" = "ARM_SUBSCRIPTION_ID", 52 | "client_id" = "ARM_CLIENT_ID" 53 | }) 54 | 55 | # recommended to pass in azure secrets using a file() or using environment variables 56 | # the secrets below must be generated in azure by creating an ad application 57 | secrets_json = jsonencode({ 58 | "secret_value" = "ARM_CLIENT_SECRET" 59 | }) 60 | } 61 | -------------------------------------------------------------------------------- /examples/resources/boundary_host_catalog_static/import.sh: -------------------------------------------------------------------------------- 1 | terraform import boundary_host_catalog_static.foo -------------------------------------------------------------------------------- 
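/examples/resources/boundary_host_catalog_static/resource.tf:
--------------------------------------------------------------------------------
1 | resource "boundary_scope" "org" {
2 |   name = "organization_one"
3 |   description = "My first scope!"
4 |   scope_id = "global" # literal ID of the global scope; this file declares no boundary_scope.global resource to reference
5 |   auto_create_admin_role = true
6 |   auto_create_default_role = true
7 | }
8 |
9 | resource "boundary_scope" "project" {
10 |   name = "project_one"
11 |   description = "My first scope!"
12 |   scope_id = boundary_scope.org.id
13 |   auto_create_admin_role = true
14 | }
15 |
16 | resource "boundary_host_catalog_static" "example" {
17 |   name = "My catalog"
18 |   description = "My first host catalog!"
19 |   scope_id = boundary_scope.project.id
20 | }
21 |
--------------------------------------------------------------------------------
/examples/resources/boundary_host_set/import.sh:
--------------------------------------------------------------------------------
1 | terraform import boundary_host_set.foo
--------------------------------------------------------------------------------
/examples/resources/boundary_host_set/resource.tf:
--------------------------------------------------------------------------------
1 | resource "boundary_scope" "org" {
2 |   name = "organization_one"
3 |   description = "My first scope!"
4 |   scope_id = "global"
5 |   auto_create_admin_role = true
6 |   auto_create_default_role = true
7 | }
8 |
9 | resource "boundary_scope" "project" {
10 |   name = "project_one"
11 |   description = "My first scope!"
12 |   scope_id = boundary_scope.org.id
13 |   auto_create_admin_role = true
14 | }
15 |
16 | resource "boundary_host_catalog" "static" {
17 |   type = "static"
18 |   scope_id = boundary_scope.project.id
19 | }
20 |
21 | resource "boundary_host" "first" {
22 |   type = "static"
23 |   name = "host_1"
24 |   description = "My first host!"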
25 | address = "10.0.0.1" 26 | host_catalog_id = boundary_host_catalog.static.id 27 | } 28 | 29 | resource "boundary_host" "second" { 30 | type = "static" 31 | name = "host_2" 32 | description = "My second host!" 33 | address = "10.0.0.2" 34 | host_catalog_id = boundary_host_catalog.static.id 35 | } 36 | 37 | resource "boundary_host_set" "web" { 38 | host_catalog_id = boundary_host_catalog.static.id 39 | type = "static" 40 | host_ids = [ 41 | boundary_host.first.id, 42 | boundary_host.second.id, 43 | ] 44 | } 45 | -------------------------------------------------------------------------------- /examples/resources/boundary_host_set_plugin/import.sh: -------------------------------------------------------------------------------- 1 | terraform import boundary_host_set_plugin.foo -------------------------------------------------------------------------------- /examples/resources/boundary_host_set_static/import.sh: -------------------------------------------------------------------------------- 1 | terraform import boundary_host_set_static.foo -------------------------------------------------------------------------------- /examples/resources/boundary_host_set_static/resource.tf: -------------------------------------------------------------------------------- 1 | resource "boundary_scope" "org" { 2 | name = "organization_one" 3 | description = "My first scope!" 4 | scope_id = "global" 5 | auto_create_admin_role = true 6 | auto_create_default_role = true 7 | } 8 | 9 | resource "boundary_scope" "project" { 10 | name = "project_one" 11 | description = "My first scope!" 12 | scope_id = boundary_scope.org.id 13 | auto_create_admin_role = true 14 | } 15 | 16 | resource "boundary_host_catalog_static" "example" { 17 | scope_id = boundary_scope.project.id 18 | } 19 | 20 | resource "boundary_host_static" "first" { 21 | name = "host_1" 22 | description = "My first host!" 
23 | address = "10.0.0.1" 24 | host_catalog_id = boundary_host_catalog_static.example.id 25 | } 26 | 27 | resource "boundary_host_static" "second" { 28 | name = "host_2" 29 | description = "My second host!" 30 | address = "10.0.0.2" 31 | host_catalog_id = boundary_host_catalog_static.example.id 32 | } 33 | 34 | resource "boundary_host_set_static" "web" { 35 | host_catalog_id = boundary_host_catalog_static.example.id 36 | host_ids = [ 37 | boundary_host_static.first.id, 38 | boundary_host_static.second.id, 39 | ] 40 | } 41 | -------------------------------------------------------------------------------- /examples/resources/boundary_host_static/import.sh: -------------------------------------------------------------------------------- 1 | terraform import boundary_host_static.foo -------------------------------------------------------------------------------- /examples/resources/boundary_host_static/resource.tf: -------------------------------------------------------------------------------- 1 | resource "boundary_scope" "org" { 2 | name = "organization_one" 3 | description = "My first scope!" 4 | scope_id = "global" 5 | auto_create_admin_role = true 6 | auto_create_default_role = true 7 | } 8 | 9 | resource "boundary_scope" "project" { 10 | name = "project_one" 11 | description = "My first scope!" 12 | scope_id = boundary_scope.org.id 13 | auto_create_admin_role = true 14 | } 15 | 16 | resource "boundary_host_catalog_static" "example" { 17 | name = "My catalog" 18 | description = "My first host catalog!" 19 | scope_id = boundary_scope.project.id 20 | } 21 | 22 | resource "boundary_host_static" "example" { 23 | name = "example_host" 24 | description = "My first host!" 
25 | address = "10.0.0.1" 26 | host_catalog_id = boundary_host_catalog_static.example.id 27 | } 28 | -------------------------------------------------------------------------------- /examples/resources/boundary_managed_group_ldap/import.sh: -------------------------------------------------------------------------------- 1 | terraform import boundary_managed_group_ldap.foo 2 | -------------------------------------------------------------------------------- /examples/resources/boundary_managed_group_ldap/resource.tf: -------------------------------------------------------------------------------- 1 | resource "boundary_scope" "org" { 2 | name = "organization_one" 3 | description = "My first scope!" 4 | scope_id = "global" 5 | auto_create_admin_role = true 6 | auto_create_default_role = true 7 | } 8 | # LDAP auth method for the forumsys public LDAP server; the URL, bind DN and bind password below are example values 9 | resource "boundary_auth_method_ldap" "forumsys_ldap" { 10 | name = "forumsys public LDAP" 11 | scope_id = "global" # add the new auth method to the global scope 12 | urls = ["ldap://ldap.forumsys.com"] # the addr of the LDAP server; ldap:// is unencrypted, so the bind password and user logins cross the network in cleartext - use ldaps:// for a real directory 13 | user_dn = "dc=example,dc=com" # the basedn for users 14 | user_attr = "uid" # the user attribute 15 | group_dn = "dc=example,dc=com" # the basedn for groups 16 | bind_dn = "cn=read-only-admin,dc=example,dc=com" # the dn to use when binding 17 | bind_password = "password" # passwd to use when binding; example value - take a real bind password from a variable marked sensitive rather than a literal in the config 18 | state = "active-public" # make sure the new auth-method is available to everyone 19 | enable_groups = true # this turns on the discovery of a user's groups 20 | discover_dn = true # this turns on the discovery of an authenticating user's dn 21 | } 22 | # managed group tied to the LDAP group name "Scientists" of the auth method above 23 | resource "boundary_managed_group_ldap" "forumsys_scientists" { 24 | name = "scientists" 25 | description = "forumsys scientists managed group" 26 | auth_method_id = boundary_auth_method_ldap.forumsys_ldap.id 27 | group_names = ["Scientists"] 28 | } 29 | -------------------------------------------------------------------------------- /examples/resources/boundary_policy/resource.tf:
-------------------------------------------------------------------------------- 1 | resource "boundary_scope" "global" { 2 | global_scope = true 3 | scope_id = "global" 4 | } 5 | 6 | resource "boundary_scope" "org" { 7 | name = "organization_one" 8 | description = "My first scope!" 9 | scope_id = boundary_scope.global.id 10 | auto_create_admin_role = true 11 | auto_create_default_role = true 12 | } 13 | 14 | resource "boundary_policy_storage" "foo" { 15 | name = "foo" 16 | description = "Foo policy" 17 | scope_id = boundary_scope.org.id 18 | retain_for_days = 10 19 | retain_for_overridable = false 20 | delete_after_days = 10 21 | delete_after_overridable = true 22 | } 23 | 24 | resource "boundary_scope_policy_attachment" "foo_attachment" { 25 | scope_id = boundary_scope.org.id 26 | policy_id = boundary_policy_storage.foo.id 27 | } 28 | -------------------------------------------------------------------------------- /examples/resources/boundary_role/import.sh: -------------------------------------------------------------------------------- 1 | terraform import boundary_role.foo -------------------------------------------------------------------------------- /examples/resources/boundary_role/project-specific/resource.tf: -------------------------------------------------------------------------------- 1 | resource "boundary_scope" "org" { 2 | name = "organization_one" 3 | description = "My first scope!" 4 | scope_id = "global" 5 | auto_create_admin_role = true 6 | auto_create_default_role = true 7 | } 8 | 9 | resource "boundary_scope" "project" { 10 | name = "project_one" 11 | description = "My first scope!" 
12 | scope_id = boundary_scope.org.id 13 | auto_create_admin_role = true 14 | } 15 | 16 | resource "boundary_user" "readonly" { 17 | name = "readonly" 18 | description = "A readonly user" 19 | scope_id = boundary_scope.org.id 20 | } 21 | 22 | resource "boundary_role" "readonly" { 23 | name = "readonly" 24 | description = "A readonly role" 25 | principal_ids = [boundary_user.readonly.id] 26 | grant_strings = ["ids=*;type=*;actions=read"] 27 | scope_id = boundary_scope.project.id 28 | } 29 | -------------------------------------------------------------------------------- /examples/resources/boundary_role/simple/resource.tf: -------------------------------------------------------------------------------- 1 | resource "boundary_scope" "org" { 2 | name = "organization_one" 3 | description = "My first scope!" 4 | scope_id = "global" 5 | auto_create_admin_role = true 6 | auto_create_default_role = true 7 | } 8 | 9 | resource "boundary_role" "example" { 10 | name = "My role" 11 | description = "My first role!" 12 | scope_id = boundary_scope.org.id 13 | } 14 | -------------------------------------------------------------------------------- /examples/resources/boundary_role/user-grants/resource.tf: -------------------------------------------------------------------------------- 1 | resource "boundary_scope" "org" { 2 | name = "organization_one" 3 | description = "My first scope!" 
4 | scope_id = "global" 5 | auto_create_admin_role = true 6 | auto_create_default_role = true 7 | } 8 | 9 | resource "boundary_user" "readonly" { 10 | name = "readonly" 11 | description = "A readonly user" 12 | scope_id = boundary_scope.org.id 13 | } 14 | 15 | resource "boundary_role" "readonly" { 16 | name = "readonly" 17 | description = "A readonly role" 18 | principal_ids = [boundary_user.readonly.id] 19 | grant_strings = ["ids=*;type=*;actions=read"] 20 | scope_id = boundary_scope.org.id 21 | } 22 | -------------------------------------------------------------------------------- /examples/resources/boundary_role/user/resource.tf: -------------------------------------------------------------------------------- 1 | resource "boundary_scope" "org" { 2 | name = "organization_one" 3 | description = "My first scope!" 4 | scope_id = "global" 5 | auto_create_admin_role = true 6 | auto_create_default_role = true 7 | } 8 | 9 | resource "boundary_user" "foo" { 10 | name = "User 1" 11 | scope_id = boundary_scope.org.id 12 | } 13 | 14 | resource "boundary_user" "bar" { 15 | name = "User 2" 16 | scope_id = boundary_scope.org.id 17 | } 18 | 19 | resource "boundary_role" "example" { 20 | name = "My role" 21 | description = "My first role!" 
22 | principal_ids = [boundary_user.foo.id, boundary_user.bar.id] 23 | scope_id = boundary_scope.org.id 24 | } 25 | -------------------------------------------------------------------------------- /examples/resources/boundary_scope/global.tf: -------------------------------------------------------------------------------- 1 | resource "boundary_scope" "global" { 2 | global_scope = true 3 | scope_id = "global" 4 | } 5 | -------------------------------------------------------------------------------- /examples/resources/boundary_scope/import.sh: -------------------------------------------------------------------------------- 1 | terraform import boundary_scope.foo -------------------------------------------------------------------------------- /examples/resources/boundary_scope/organization.tf: -------------------------------------------------------------------------------- 1 | resource "boundary_scope" "org" { 2 | name = "organization_one" 3 | description = "My first scope!" 4 | scope_id = boundary_scope.global.id 5 | auto_create_admin_role = true 6 | auto_create_default_role = true 7 | } 8 | -------------------------------------------------------------------------------- /examples/resources/boundary_scope/project.tf: -------------------------------------------------------------------------------- 1 | resource "boundary_scope" "project" { 2 | name = "project_one" 3 | description = "My first scope!" 4 | scope_id = boundary_scope.org.id 5 | auto_create_admin_role = true 6 | } 7 | -------------------------------------------------------------------------------- /examples/resources/boundary_scope/role.tf: -------------------------------------------------------------------------------- 1 | resource "boundary_scope" "org" { 2 | name = "organization_one" 3 | description = "My first scope!" 
4 | scope_id = boundary_scope.global.id 5 | } 6 | # NOTE(review): this role grants every action on every resource type in the org scope to u_auth, i.e. to any authenticated user; outside a demo, list specific user or group IDs in principal_ids and narrow grant_strings 7 | resource "boundary_role" "org_admin" { 8 | scope_id = boundary_scope.global.id 9 | grant_scope_ids = [boundary_scope.org.id] 10 | grant_strings = ["ids=*;type=*;actions=*"] 11 | principal_ids = ["u_auth"] 12 | } 13 | -------------------------------------------------------------------------------- /examples/resources/boundary_storage_bucket/import.sh: -------------------------------------------------------------------------------- 1 | terraform import boundary_storage_bucket.foo -------------------------------------------------------------------------------- /examples/resources/boundary_storage_bucket/resource.tf: -------------------------------------------------------------------------------- 1 | resource "boundary_scope" "org" { 2 | name = "organization_one" 3 | description = "My first scope!" 4 | scope_id = boundary_scope.global.id 5 | auto_create_admin_role = true 6 | auto_create_default_role = true 7 | } 8 | 9 | resource "boundary_storage_bucket" "aws_static_credentials_example" { 10 | name = "My aws storage bucket with static credentials" 11 | description = "My first storage bucket!" 12 | scope_id = boundary_scope.org.id 13 | plugin_name = "aws" 14 | bucket_name = "mybucket" 15 | attributes_json = jsonencode({ "region" = "us-east-1" }) 16 | 17 | # the values below are placeholders: pass the real aws secrets in with file() or environment variables instead of writing them into the config 18 | # the secrets below must be generated in aws by creating an aws iam user with programmatic access 19 | secrets_json = jsonencode({ 20 | "access_key_id" = "aws_access_key_id_value", 21 | "secret_access_key" = "aws_secret_access_key_value" 22 | }) 23 | worker_filter = "\"pki\" in \"/tags/type\"" 24 | } 25 | 26 | resource "boundary_storage_bucket" "aws_dynamic_credentials_example" { 27 | name = "My aws storage bucket with dynamic credentials" 28 | description = "My first storage bucket!"
29 | scope_id = boundary_scope.org.id 30 | plugin_name = "aws" 31 | bucket_name = "mybucket" 32 | 33 | # the role_arn value should be the same arn used as the instance profile that is attached to the ec2 instance 34 | # https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html 35 | attributes_json = jsonencode({ 36 | "region" = "us-east-1" 37 | "role_arn" = "arn:aws:iam::123456789012:role/S3Access" 38 | "disable_credential_rotation" = "true" 39 | }) 40 | worker_filter = "\"pki\" in \"/tags/type\"" 41 | } 42 | -------------------------------------------------------------------------------- /examples/resources/boundary_target/import.sh: -------------------------------------------------------------------------------- 1 | terraform import boundary_target.foo -------------------------------------------------------------------------------- /examples/resources/boundary_user/import.sh: -------------------------------------------------------------------------------- 1 | terraform import boundary_user.foo -------------------------------------------------------------------------------- /examples/resources/boundary_user/resource.tf: -------------------------------------------------------------------------------- 1 | resource "boundary_scope" "org" { 2 | name = "organization_one" 3 | description = "My first scope!" 
4 | scope_id = "global" 5 | auto_create_admin_role = true 6 | auto_create_default_role = true 7 | } 8 | 9 | resource "boundary_auth_method" "password" { 10 | scope_id = boundary_scope.org.id 11 | type = "password" 12 | } 13 | # example value only: a literal password in the config is readable by anyone with access to the file; take it from a variable marked sensitive 14 | resource "boundary_account_password" "jeff" { 15 | auth_method_id = boundary_auth_method.password.id 16 | type = "password" 17 | login_name = "jeff" 18 | password = "$uper$ecure" 19 | } 20 | # user that owns the password account above 21 | resource "boundary_user" "jeff" { 22 | name = "jeff" 23 | description = "Jeff's user resource" 24 | account_ids = [boundary_account_password.jeff.id] 25 | scope_id = boundary_scope.org.id 26 | } 27 | -------------------------------------------------------------------------------- /examples/resources/boundary_worker/controller_led.tf: -------------------------------------------------------------------------------- 1 | resource "boundary_worker" "controller_led" { 2 | scope_id = "global" 3 | name = "controller-led-worker-1" 4 | description = "self managed worker with controller led auth" 5 | } 6 | -------------------------------------------------------------------------------- /examples/resources/boundary_worker/import.sh: -------------------------------------------------------------------------------- 1 | terraform import boundary_worker.foo -------------------------------------------------------------------------------- /examples/resources/boundary_worker/worker_led.tf: -------------------------------------------------------------------------------- 1 | resource "boundary_worker" "worker_led" { 2 | scope_id = "global" 3 | name = "worker-led-worker-1" 4 | description = "self managed worker with worker led auth" 5 | worker_generated_auth_token = var.worker_generated_auth_token 6 | } 7 | -------------------------------------------------------------------------------- /internal/provider/const.go: -------------------------------------------------------------------------------- 1 | // Copyright (c) HashiCorp, Inc.
2 | // SPDX-License-Identifier: MPL-2.0 3 | 4 | package provider 5 | // Attribute key names used in the provider's resource and data source schemas. 6 | const ( 7 | // IDKey is used for common SDK ID resource attribute 8 | IDKey = "id" 9 | // NameKey is used for common "name" resource attribute 10 | NameKey = "name" 11 | // DescriptionKey is used for common "description" resource attribute 12 | DescriptionKey = "description" 13 | // ScopeIdKey is used for common "scope_id" resource attribute 14 | ScopeIdKey = "scope_id" 15 | // TypeKey is used for common "type" resource attribute 16 | TypeKey = "type" 17 | // HostCatalogIdKey is used for common "host_catalog_id" resource attribute 18 | HostCatalogIdKey = "host_catalog_id" 19 | // AuthMethodIdKey is used for common "auth_method_id" resource attribute 20 | AuthMethodIdKey = "auth_method_id" 21 | // PluginIdKey is used for common "plugin_id" resource attribute 22 | PluginIdKey = "plugin_id" 23 | // PluginNameKey is used for common "plugin_name" resource attribute 24 | PluginNameKey = "plugin_name" 25 | // AttributesJsonKey is used for setting attributes and corresponds to the 26 | // API "attributes" key 27 | AttributesJsonKey = "attributes_json" 28 | // SecretsJsonKey is used for setting secrets and corresponds to the API 29 | // "secrets" key 30 | SecretsJsonKey = "secrets_json" 31 | // SecretsHmacKey is a read-only key used for ensuring we detect if secrets 32 | // have changed 33 | SecretsHmacKey = "secrets_hmac" 34 | // PreferredEndpointsKey is used for setting preferred endpoints 35 | PreferredEndpointsKey = "preferred_endpoints" 36 | // SyncIntervalSecondsKey is used for setting the sync interval in seconds 37 | SyncIntervalSecondsKey = "sync_interval_seconds" 38 | // internalSecretsConfigHmacKey is used for storing an hmac of hmac from server + 39 | // config string 40 | internalSecretsConfigHmacKey = "internal_secrets_config_hmac" 41 | // internalHmacUsedForSecretsConfigHmacKey is used for storing the server-provided 42 | // hmac used when calculating the current value of internalSecretsConfigHmacKey 43
| internalHmacUsedForSecretsConfigHmacKey = "internal_hmac_used_for_secrets_config_hmac" 44 | // internalForceUpdateKey is used to force updates so we can always check 45 | // the value of secrets 46 | internalForceUpdateKey = "internal_force_update" 47 | // WorkerFilterKey is used for common "worker_filter" resource attribute 48 | WorkerFilterKey = "worker_filter" 49 | // LoginNameKey is used for common "login_name" resource attribute 50 | LoginNameKey = "login_name" 51 | // PrimaryAccountIdKey is used for common "primary_account_id" resource attribute 52 | PrimaryAccountIdKey = "primary_account_id" 53 | // ScopeKey is used for common "scope" resource attribute 54 | ScopeKey = "scope" 55 | // ParentScopeIdKey is used for common "parent_scope_id" resource attribute 56 | ParentScopeIdKey = "parent_scope_id" 57 | // GroupMemberIdsKey is used for common "member_ids" resource attribute 58 | GroupMemberIdsKey = "member_ids" 59 | // ValueKey is used for common "value" resource attribute 60 | ValueKey = "value" 61 | // DestinationIdKey is used for common "destination_id" resource attribute 62 | DestinationIdKey = "destination_id" 63 | ) 64 | -------------------------------------------------------------------------------- /internal/provider/data_source_account.go: -------------------------------------------------------------------------------- 1 | // Copyright (c) HashiCorp, Inc.
2 | // SPDX-License-Identifier: MPL-2.0 3 | 4 | package provider 5 | 6 | import ( 7 | "context" 8 | "net/http" 9 | 10 | "github.com/hashicorp/boundary/api" 11 | "github.com/hashicorp/boundary/api/accounts" 12 | "github.com/hashicorp/terraform-plugin-sdk/v2/diag" 13 | "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" 14 | "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation" 15 | ) 16 | // dataSourceAccount returns the schema of the boundary_account data source: name and auth_method_id are required, non-empty inputs; id, description, type and scope are computed. 17 | func dataSourceAccount() *schema.Resource { 18 | return &schema.Resource{ 19 | Description: "The boundary_account data source allows you to find a Boundary account.", 20 | ReadContext: dataSourceAccountRead, 21 | 22 | Schema: map[string]*schema.Schema{ 23 | NameKey: { 24 | Description: "The name of the account to retrieve.", 25 | Type: schema.TypeString, 26 | Required: true, 27 | ValidateFunc: validation.StringIsNotEmpty, 28 | }, 29 | AuthMethodIdKey: { 30 | Description: "The auth method ID that will be queried for the account.", 31 | Type: schema.TypeString, 32 | Required: true, 33 | ValidateFunc: validation.StringIsNotEmpty, 34 | }, 35 | IDKey: { 36 | Description: "The ID of the retrieved account.", 37 | Type: schema.TypeString, 38 | Computed: true, 39 | }, 40 | DescriptionKey: { 41 | Description: "The description of the retrieved account.", 42 | Type: schema.TypeString, 43 | Computed: true, 44 | }, 45 | TypeKey: { 46 | Description: "The type of the account", 47 | Type: schema.TypeString, 48 | Computed: true, 49 | }, 50 | ScopeKey: { 51 | Type: schema.TypeList, 52 | Computed: true, 53 | Elem: &schema.Resource{ 54 | Schema: map[string]*schema.Schema{ 55 | IDKey: { 56 | Type: schema.TypeString, 57 | Computed: true, 58 | }, 59 | NameKey: { 60 | Type: schema.TypeString, 61 | Computed: true, 62 | }, 63 | TypeKey: { 64 | Type: schema.TypeString, 65 | Computed: true, 66 | }, 67 | DescriptionKey: { 68 | Type: schema.TypeString, 69 | Computed: true, 70 | }, 71 | ParentScopeIdKey: { 72 | Type: schema.TypeString, 73 | Computed: true, 74 | }, 75 | }, 76 | }, 77 | },
78 | }, 79 | } 80 | } 81 | // dataSourceAccountRead lists the accounts of the given auth method filtered by name, requires exactly one match, reads that account by ID and stores its fields in d. 82 | func dataSourceAccountRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { 83 | md := meta.(*metaData) 84 | // unchecked type assertions: a value of another type panics instead of returning a diagnostic 85 | name := d.Get(NameKey).(string) 86 | authMethodId := d.Get(AuthMethodIdKey).(string) 87 | // NOTE(review): name comes from the configuration and goes into a filter built by FilterWithItemNameMatches (defined elsewhere); confirm that helper escapes quotes in name 88 | acl := accounts.NewClient(md.client) 89 | accountsList, err := acl.List(ctx, authMethodId, 90 | accounts.WithFilter(FilterWithItemNameMatches(name)), 91 | ) 92 | if err != nil { 93 | return diag.Errorf("error calling list account: %v", err) 94 | } 95 | accounts := accountsList.GetItems() 96 | if accounts == nil { 97 | return diag.Errorf("no accounts found") 98 | } 99 | if len(accounts) == 0 { 100 | return diag.Errorf("no matching account found") 101 | } 102 | if len(accounts) > 1 { 103 | return diag.Errorf("error found more than 1 account") 104 | } 105 | // the list result only supplies the ID; the account is read again by that ID (the local accounts slice shadows the accounts package from here on) 106 | arr, err := acl.Read(ctx, accounts[0].Id) 107 | if err != nil { 108 | if apiErr := api.AsServerError(err); apiErr != nil && apiErr.Response().StatusCode() == http.StatusNotFound { 109 | d.SetId("") 110 | return nil 111 | } 112 | return diag.Errorf("error calling read account: %v", err) 113 | } 114 | if arr == nil { 115 | return diag.Errorf("account nil after read") 116 | } 117 | // NOTE(review): arr.Item is dereferenced without a nil check; only arr itself is checked above 118 | if err := setFromAccountRead(d, *arr.Item); err != nil { 119 | return diag.FromErr(err) 120 | } 121 | 122 | return nil 123 | } 124 | // setFromAccountRead copies name, description, type, scope and ID from account into d and returns the first error from the name, description or type Set calls. 125 | func setFromAccountRead(d *schema.ResourceData, account accounts.Account) error { 126 | if err := d.Set(NameKey, account.Name); err != nil { 127 | return err 128 | } 129 | if err := d.Set(DescriptionKey, account.Description); err != nil { 130 | return err 131 | } 132 | if err := d.Set(TypeKey, account.Type); err != nil { 133 | return err 134 | } 135 | // NOTE(review): the error returned by d.Set for ScopeKey is discarded, unlike the Set calls above 136 | d.Set(ScopeKey, flattenScopeInfo(account.Scope)) 137 | d.SetId(account.Id) 138 | return nil 139 | } 140 | -------------------------------------------------------------------------------- /internal/provider/data_source_auth_method_test.go:
-------------------------------------------------------------------------------- 1 | // Copyright (c) HashiCorp, Inc. 2 | // SPDX-License-Identifier: MPL-2.0 3 | 4 | package provider 5 | 6 | import ( 7 | "fmt" 8 | "testing" 9 | 10 | "github.com/hashicorp/boundary/testing/controller" 11 | "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" 12 | "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" 13 | ) 14 | // name given to the auth method resource and used by the data source lookup in the configs below 15 | const ( 16 | testAuthMethodName = "test_auth_method" 17 | ) 18 | // authMethodReadGlobal creates a password auth method in the global scope and looks it up by name with the data source, without passing scope_id. 19 | var authMethodReadGlobal = fmt.Sprintf(` 20 | resource "boundary_auth_method" "auth_method" { 21 | name = "%s" 22 | description = "test" 23 | scope_id = "global" 24 | type = "password" 25 | depends_on = [boundary_role.org1_admin] 26 | } 27 | 28 | data "boundary_auth_method" "auth_method" { 29 | depends_on = [ boundary_auth_method.auth_method ] 30 | name = "%s" 31 | }`, testAuthMethodName, testAuthMethodName) 32 | // authMethodReadOrg creates the same auth method inside boundary_scope.org1 and passes that scope_id to the data source. 33 | var authMethodReadOrg = fmt.Sprintf(` 34 | resource "boundary_auth_method" "auth_method" { 35 | name = "%s" 36 | description = "test" 37 | scope_id = boundary_scope.org1.id 38 | type = "password" 39 | depends_on = [boundary_role.org1_admin] 40 | } 41 | 42 | data "boundary_auth_method" "auth_method" { 43 | depends_on = [ boundary_auth_method.auth_method ] 44 | name = "%s" 45 | scope_id = boundary_scope.org1.id 46 | }`, testAuthMethodName, testAuthMethodName) 47 | // TestAccAuthMethodReadGlobal starts a test controller, applies authMethodReadGlobal and checks the attributes the data source returns, including a scope named and typed "global". 48 | func TestAccAuthMethodReadGlobal(t *testing.T) { 49 | tc := controller.NewTestController(t, tcConfig...)
50 | defer tc.Shutdown() 51 | url := tc.ApiAddrs()[0] 52 | 53 | var provider *schema.Provider 54 | resource.Test(t, resource.TestCase{ 55 | ProviderFactories: providerFactories(&provider), 56 | Steps: []resource.TestStep{ 57 | { 58 | Config: testConfig(url, fooOrg, authMethodReadGlobal), 59 | Check: resource.ComposeTestCheckFunc( 60 | resource.TestCheckResourceAttrSet("data.boundary_auth_method.auth_method", IDKey), 61 | resource.TestCheckResourceAttrSet("data.boundary_auth_method.auth_method", ScopeIdKey), 62 | resource.TestCheckResourceAttr("data.boundary_auth_method.auth_method", NameKey, testAuthMethodName), 63 | resource.TestCheckResourceAttr("data.boundary_auth_method.auth_method", TypeKey, "password"), 64 | resource.TestCheckResourceAttrSet("data.boundary_auth_method.auth_method", DescriptionKey), 65 | resource.TestCheckResourceAttrSet("data.boundary_auth_method.auth_method", "scope.0.id"), 66 | resource.TestCheckResourceAttr("data.boundary_auth_method.auth_method", "scope.0.name", "global"), 67 | resource.TestCheckResourceAttr("data.boundary_auth_method.auth_method", "scope.0.type", "global"), 68 | ), 69 | }, 70 | }, 71 | }) 72 | } 73 | // TestAccAuthMethodReadOrg starts a test controller, applies authMethodReadOrg and checks the attributes the data source returns, including a scope named "org1" of type "org". 74 | func TestAccAuthMethodReadOrg(t *testing.T) { 75 | tc := controller.NewTestController(t, tcConfig...)
76 | defer tc.Shutdown() 77 | url := tc.ApiAddrs()[0] 78 | 79 | var provider *schema.Provider 80 | resource.Test(t, resource.TestCase{ 81 | ProviderFactories: providerFactories(&provider), 82 | Steps: []resource.TestStep{ 83 | { 84 | Config: testConfig(url, fooOrg, authMethodReadOrg), 85 | Check: resource.ComposeTestCheckFunc( 86 | resource.TestCheckResourceAttrSet("data.boundary_auth_method.auth_method", IDKey), 87 | resource.TestCheckResourceAttrSet("data.boundary_auth_method.auth_method", ScopeIdKey), 88 | resource.TestCheckResourceAttr("data.boundary_auth_method.auth_method", NameKey, testAuthMethodName), 89 | resource.TestCheckResourceAttr("data.boundary_auth_method.auth_method", TypeKey, "password"), 90 | resource.TestCheckResourceAttrSet("data.boundary_auth_method.auth_method", DescriptionKey), 91 | resource.TestCheckResourceAttrSet("data.boundary_auth_method.auth_method", "scope.0.id"), 92 | resource.TestCheckResourceAttr("data.boundary_auth_method.auth_method", "scope.0.name", "org1"), 93 | resource.TestCheckResourceAttr("data.boundary_auth_method.auth_method", "scope.0.type", "org"), 94 | ), 95 | }, 96 | }, 97 | }) 98 | } 99 | -------------------------------------------------------------------------------- /internal/provider/data_source_group.go: -------------------------------------------------------------------------------- 1 | // Copyright (c) HashiCorp, Inc.
2 | // SPDX-License-Identifier: MPL-2.0 3 | 4 | package provider 5 | 6 | import ( 7 | "context" 8 | "net/http" 9 | 10 | "github.com/hashicorp/boundary/api" 11 | "github.com/hashicorp/boundary/api/groups" 12 | "github.com/hashicorp/terraform-plugin-sdk/v2/diag" 13 | "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" 14 | "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation" 15 | ) 16 | // dataSourceGroup returns the schema of the boundary_group data source: name is a required, non-empty input, scope_id is optional and defaults to "global"; id, description, scope and member_ids are computed. 17 | func dataSourceGroup() *schema.Resource { 18 | return &schema.Resource{ 19 | Description: "The boundary_group data source allows you to find a Boundary group.", 20 | ReadContext: dataSourceGroupRead, 21 | 22 | Schema: map[string]*schema.Schema{ 23 | NameKey: { 24 | Description: "The name of the group to retrieve.", 25 | Type: schema.TypeString, 26 | Required: true, 27 | ValidateFunc: validation.StringIsNotEmpty, 28 | }, 29 | ScopeIdKey: { 30 | Description: "The scope ID in which the resource is created. Defaults `global` if unset.", 31 | Type: schema.TypeString, 32 | Optional: true, 33 | Default: "global", 34 | ValidateFunc: validation.StringIsNotEmpty, 35 | }, 36 | IDKey: { 37 | Description: "The ID of the retrieved group.", 38 | Type: schema.TypeString, 39 | Computed: true, 40 | }, 41 | DescriptionKey: { 42 | Description: "The description of the retrieved group.", 43 | Type: schema.TypeString, 44 | Computed: true, 45 | }, 46 | ScopeKey: { 47 | Type: schema.TypeList, 48 | Computed: true, 49 | Elem: &schema.Resource{ 50 | Schema: map[string]*schema.Schema{ 51 | IDKey: { 52 | Type: schema.TypeString, 53 | Computed: true, 54 | }, 55 | NameKey: { 56 | Type: schema.TypeString, 57 | Computed: true, 58 | }, 59 | TypeKey: { 60 | Type: schema.TypeString, 61 | Computed: true, 62 | }, 63 | DescriptionKey: { 64 | Type: schema.TypeString, 65 | Computed: true, 66 | }, 67 | ParentScopeIdKey: { 68 | Type: schema.TypeString, 69 | Computed: true, 70 | }, 71 | }, 72 | }, 73 | }, 74 | GroupMemberIdsKey: { 75 | Description: "Resource IDs for group members, these are most likely
boundary users.", 76 | Type: schema.TypeSet, 77 | Elem: &schema.Schema{Type: schema.TypeString}, 78 | Computed: true, 79 | }, 80 | }, 81 | } 82 | } 83 | // dataSourceGroupRead lists the groups of the given scope filtered by name, requires exactly one match, reads that group by ID and stores its fields in d. 84 | func dataSourceGroupRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { 85 | md := meta.(*metaData) 86 | // unchecked type assertions: a value of another type panics instead of returning a diagnostic 87 | name := d.Get(NameKey).(string) 88 | scopeId := d.Get(ScopeIdKey).(string) 89 | // NOTE(review): name comes from the configuration and goes into a filter built by FilterWithItemNameMatches (defined elsewhere); confirm that helper escapes quotes in name 90 | gcl := groups.NewClient(md.client) 91 | groupsList, err := gcl.List(ctx, scopeId, 92 | groups.WithFilter(FilterWithItemNameMatches(name)), 93 | ) 94 | if err != nil { 95 | return diag.Errorf("error calling list group: %v", err) 96 | } 97 | groups := groupsList.GetItems() 98 | if groups == nil { 99 | return diag.Errorf("no groups found") 100 | } 101 | if len(groups) == 0 { 102 | return diag.Errorf("no matching group found") 103 | } 104 | if len(groups) > 1 { 105 | return diag.Errorf("error found more than 1 group") 106 | } 107 | // the list result only supplies the ID; the group is read again by that ID (the local groups slice shadows the groups package from here on) 108 | grr, err := gcl.Read(ctx, groups[0].Id) 109 | if err != nil { 110 | if apiErr := api.AsServerError(err); apiErr != nil && apiErr.Response().StatusCode() == http.StatusNotFound { 111 | d.SetId("") 112 | return nil 113 | } 114 | return diag.Errorf("error calling read group: %v", err) 115 | } 116 | if grr == nil { 117 | return diag.Errorf("group nil after read") 118 | } 119 | // NOTE(review): grr.Item is dereferenced without a nil check; only grr itself is checked above 120 | if err := setFromGroupRead(d, *grr.Item); err != nil { 121 | return diag.FromErr(err) 122 | } 123 | 124 | return nil 125 | } 126 | // setFromGroupRead copies name, description, scope ID, member IDs, scope and ID from group into d and returns the first error from the first four Set calls. 127 | func setFromGroupRead(d *schema.ResourceData, group groups.Group) error { 128 | if err := d.Set(NameKey, group.Name); err != nil { 129 | return err 130 | } 131 | if err := d.Set(DescriptionKey, group.Description); err != nil { 132 | return err 133 | } 134 | if err := d.Set(ScopeIdKey, group.ScopeId); err != nil { 135 | return err 136 | } 137 | if err := d.Set(GroupMemberIdsKey, group.MemberIds); err != nil { 138 | return err 139 | } 140 | // NOTE(review): the error returned by d.Set for ScopeKey is discarded, unlike the Set calls above 141 | d.Set(ScopeKey, flattenScopeInfo(group.Scope)) 142 | d.SetId(group.Id) 143 | return nil 144 | } 145 |
-------------------------------------------------------------------------------- /internal/provider/data_source_group_test.go: --------------------------------------------------------------------------------
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package provider

import (
	"fmt"
	"testing"

	"github.com/hashicorp/boundary/testing/controller"
	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
)

const (
	// testGroupName is used both for the group that the fixtures create and
	// for the name the data source looks up.
	testGroupName = "test_group"
)

// groupReadGlobal creates a user and a group in the global scope and reads the
// group back through the data source, relying on the default scope_id.
var groupReadGlobal = fmt.Sprintf(`

resource "boundary_user" "user" {
	description = "user"
	scope_id = "global"
	depends_on = [boundary_role.org1_admin]
}

resource "boundary_group" "group" {
	name = "%s"
	description = "test"
	scope_id = "global"
	member_ids = [boundary_user.user.id]
	depends_on = [boundary_user.user]
}

data "boundary_group" "group" {
	depends_on = [ boundary_group.group ]
	name = "%s"
}`, testGroupName, testGroupName)

// groupReadOrg is the same fixture placed in the org1 scope, with the data
// source given an explicit scope_id.
var groupReadOrg = fmt.Sprintf(`
resource "boundary_user" "user" {
	description = "user"
	scope_id = boundary_scope.org1.id
	depends_on = [boundary_role.org1_admin]
}

resource "boundary_group" "group" {
	name = "%s"
	description = "test"
	scope_id = boundary_scope.org1.id
	member_ids = [boundary_user.user.id]
	depends_on = [boundary_user.user]
}

data "boundary_group" "group" {
	depends_on = [ boundary_group.group ]
	name = "%s"
	scope_id = boundary_scope.org1.id
}`, testGroupName, testGroupName)

// TestAccGroupReadGlobal applies groupReadGlobal against a test controller and
// checks that the data source reports the group's attributes and the global
// scope block.
func TestAccGroupReadGlobal(t *testing.T) {
	ctl := controller.NewTestController(t, tcConfig...)
	defer ctl.Shutdown()
	apiAddr := ctl.ApiAddrs()[0]

	const dataName = "data.boundary_group.group"

	var provider *schema.Provider
	// providerFactories receives &provider before any check helper reads
	// provider; keep this order (presumably it is what fills provider in).
	factories := providerFactories(&provider)
	config := testConfig(apiAddr, fooOrg, groupReadGlobal)
	checks := resource.ComposeTestCheckFunc(
		testAccCheckGroupResourceExists(provider, "boundary_group.group"),
		resource.TestCheckResourceAttrSet(dataName, IDKey),
		resource.TestCheckResourceAttrSet(dataName, ScopeIdKey),
		resource.TestCheckResourceAttr(dataName, NameKey, testGroupName),
		resource.TestCheckResourceAttrSet(dataName, DescriptionKey),
		resource.TestCheckResourceAttrSet(dataName, fmt.Sprintf("%s.#", GroupMemberIdsKey)),
		resource.TestCheckResourceAttrSet(dataName, "scope.0.id"),
		resource.TestCheckResourceAttr(dataName, "scope.0.name", "global"),
		resource.TestCheckResourceAttr(dataName, "scope.0.type", "global"),
	)

	resource.Test(t, resource.TestCase{
		ProviderFactories: factories,
		Steps: []resource.TestStep{
			{Config: config, Check: checks},
		},
	})
}

// TestAccGroupReadOrg applies groupReadOrg against a test controller and
// checks that the data source reports the group's attributes and the org1
// scope block.
func TestAccGroupReadOrg(t *testing.T) {
	ctl := controller.NewTestController(t, tcConfig...)
	defer ctl.Shutdown()
	apiAddr := ctl.ApiAddrs()[0]

	const dataName = "data.boundary_group.group"

	var provider *schema.Provider
	// providerFactories receives &provider before any check helper reads
	// provider; keep this order (presumably it is what fills provider in).
	factories := providerFactories(&provider)
	config := testConfig(apiAddr, fooOrg, groupReadOrg)
	checks := resource.ComposeTestCheckFunc(
		testAccCheckGroupResourceExists(provider, "boundary_group.group"),
		resource.TestCheckResourceAttrSet(dataName, IDKey),
		resource.TestCheckResourceAttrSet(dataName, ScopeIdKey),
		resource.TestCheckResourceAttr(dataName, NameKey, testGroupName),
		resource.TestCheckResourceAttrSet(dataName, DescriptionKey),
		resource.TestCheckResourceAttrSet(dataName, fmt.Sprintf("%s.#", GroupMemberIdsKey)),
		resource.TestCheckResourceAttrSet(dataName, "scope.0.id"),
		resource.TestCheckResourceAttr(dataName, "scope.0.name", "org1"),
		resource.TestCheckResourceAttr(dataName, "scope.0.type", "org"),
	)

	resource.Test(t, resource.TestCase{
		ProviderFactories: factories,
		Steps: []resource.TestStep{
			{Config: config, Check: checks},
		},
	})
}
-------------------------------------------------------------------------------- /internal/provider/data_source_scope.go: -------------------------------------------------------------------------------- 1 | // Copyright (c) HashiCorp, Inc.
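// SPDX-License-Identifier: MPL-2.0

package provider

import (
	"context"
	"fmt"
	"net/http"

	"github.com/hashicorp/boundary/api"
	"github.com/hashicorp/boundary/api/scopes"
	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
)

// dataSourceScope returns the schema of the scope data source. Name and the
// parent scope ID are required inputs; ID and description are computed by
// dataSourceScopeRead.
func dataSourceScope() *schema.Resource {
	return &schema.Resource{
		Description: "The scope data source allows you to discover an existing Boundary scope by name.",
		ReadContext: dataSourceScopeRead,

		Schema: map[string]*schema.Schema{
			IDKey: {
				Description: "The ID of the retrieved scope.",
				Type:        schema.TypeString,
				Computed:    true,
			},
			NameKey: {
				Description: "The name of the scope to retrieve.",
				Type:        schema.TypeString,
				Required:    true,
			},
			DescriptionKey: {
				Description: "The description of the retrieved scope.",
				Type:        schema.TypeString,
				Computed:    true,
			},
			ScopeIdKey: {
				Description: "The parent scope ID that will be queried for the scope.",
				Type:        schema.TypeString,
				Required:    true,
			},
		},
	}
}

// dataSourceScopeRead lists the scopes under the configured parent scope,
// picks the first one whose name equals the requested name, reads it and
// copies the result into d.
//
// Returns an error diagnostic when the name or parent scope ID is missing,
// when the list or read call fails, when no listed scope carries the name,
// or when the read yields no response. A 404 from the read clears the ID and
// returns no diagnostics.
func dataSourceScopeRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
	md := meta.(*metaData)

	var name string
	if v, ok := d.GetOk(NameKey); ok {
		name = v.(string)
	} else {
		return diag.Errorf("no name provided")
	}

	var scopeId string
	if scopeIdVal, ok := d.GetOk(ScopeIdKey); ok {
		scopeId = scopeIdVal.(string)
	} else {
		return diag.Errorf("no parent scope ID provided")
	}

	scp := scopes.NewClient(md.client)

	scpls, err := scp.List(ctx, scopeId)
	if err != nil {
		return diag.Errorf("error calling list scope: %v", err)
	}
	if scpls == nil {
		return diag.Errorf("no scopes found")
	}

	// Selection is by exact name equality on the listed items.
	var scopeIdRead string
	for _, scopeItem := range scpls.GetItems() {
		if scopeItem.Name == name {
			scopeIdRead = scopeItem.Id
			break
		}
	}

	if scopeIdRead == "" {
		// err is nil on this path; the value worth reporting is the name
		// that was searched for.
		return diag.Errorf("scope name %v not found in scope list", name)
	}

	srr, err := scp.Read(ctx, scopeIdRead)
	if err != nil {
		if apiErr := api.AsServerError(err); apiErr != nil && apiErr.Response().StatusCode() == http.StatusNotFound {
			d.SetId("")
			return nil
		}
		return diag.Errorf("error calling read scope: %v", err)
	}
	if srr == nil {
		return diag.Errorf("scope nil after read")
	}
	// The raw response map is dereferenced next, so a missing response is an
	// error rather than a nil dereference.
	resp := srr.GetResponse()
	if resp == nil {
		return diag.Errorf("scope nil after read")
	}

	if err := setFromScopeReadResponseMap(d, resp.Map); err != nil {
		return diag.FromErr(err)
	}

	return nil
}

// setFromScopeReadResponseMap copies "name" and "description" from the raw
// read response into d and sets the resource ID from "id".
//
// Returns the first d.Set failure, or an error when "id" is absent or is not
// a string; raw comes from the controller's response and is not assumed to
// be well-formed.
func setFromScopeReadResponseMap(d *schema.ResourceData, raw map[string]interface{}) error {
	if err := d.Set(NameKey, raw["name"]); err != nil {
		return err
	}
	if err := d.Set(DescriptionKey, raw["description"]); err != nil {
		return err
	}

	id, ok := raw["id"].(string)
	if !ok {
		return fmt.Errorf("scope read response does not contain a string id")
	}
	d.SetId(id)
	return nil
}
-------------------------------------------------------------------------------- /internal/provider/data_source_scope_test.go: -------------------------------------------------------------------------------- 1 | // Copyright (c) HashiCorp, Inc.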
// SPDX-License-Identifier: MPL-2.0

package provider

import (
	"fmt"
	"testing"

	"github.com/hashicorp/boundary/testing/controller"
	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
)

const (
	orgName        = "test org scope"
	projectName    = "test project scope"
	notProjectName = "test project scope with wrong name"
	scopeDesc      = "created to test the scope datasource"
)

// scopeCreateAndRead creates an org and a project scope and reads both back
// through the scope data source.
//
// The org_admin role in this fixture grants every action on every resource
// type and ID ("ids=*;type=*;actions=*") in the org to the u_auth principal.
// That breadth is a convenience for the throwaway test controller and should
// not be copied into real role definitions.
var scopeCreateAndRead = fmt.Sprintf(`
resource "boundary_scope" "global" {
	global_scope = true
	name = "global"
	description = "Global Scope"
	scope_id = "global"
}

resource "boundary_scope" "org" {
	scope_id = boundary_scope.global.id
	name = "%s"
	description = "%s"
}

resource "boundary_scope" "project" {
	depends_on = [boundary_role.org_admin]
	scope_id = boundary_scope.org.id
	name = "%s"
	description = "%s"
}

resource "boundary_role" "org_admin" {
	scope_id = "global"
	grant_scope_ids = [boundary_scope.org.id]
	grant_strings = ["ids=*;type=*;actions=*"]
	principal_ids = ["u_auth"]
}

data "boundary_scope" "org" {
	depends_on = [boundary_scope.org]
	scope_id = "global"
	name = "%s"
}

data "boundary_scope" "project" {
	depends_on = [boundary_scope.project]
	scope_id = data.boundary_scope.org.id
	name = "%s"
}`, orgName, scopeDesc, projectName, scopeDesc, orgName, projectName)

// TestAccScopeRead applies scopeCreateAndRead against a test controller and
// checks the created scopes and both data sources.
func TestAccScopeRead(t *testing.T) {
	ctl := controller.NewTestController(t, tcConfig...)
	defer ctl.Shutdown()
	apiAddr := ctl.ApiAddrs()[0]

	const (
		orgData     = "data.boundary_scope.org"
		projectData = "data.boundary_scope.project"
	)

	var provider *schema.Provider
	// providerFactories receives &provider before the destroy check and the
	// check helpers read provider; keep this order (presumably it is what
	// fills provider in).
	factories := providerFactories(&provider)
	destroyCheck := testAccCheckScopeResourceDestroy(t, provider)
	// create and read
	config := testConfig(apiAddr, scopeCreateAndRead)
	checks := resource.ComposeTestCheckFunc(
		testAccCheckScopeResourceExists(provider, "boundary_scope.org"),
		resource.TestCheckResourceAttr("boundary_scope.org", "description", scopeDesc),
		resource.TestCheckResourceAttr("boundary_scope.org", "name", orgName),
		testAccCheckScopeResourceExists(provider, "boundary_scope.project"),
		resource.TestCheckResourceAttr("boundary_scope.project", "description", scopeDesc),
		resource.TestCheckResourceAttr("boundary_scope.project", "name", projectName),
		// Check attributes on the org datasource
		resource.TestCheckResourceAttrSet(orgData, "scope_id"),
		resource.TestCheckResourceAttrSet(orgData, "id"),
		resource.TestCheckResourceAttr(orgData, "name", orgName),
		resource.TestCheckResourceAttr(orgData, "description", scopeDesc),
		// Check attributes on the project datasource
		resource.TestCheckResourceAttrSet(projectData, "scope_id"),
		resource.TestCheckResourceAttrSet(projectData, "id"),
		resource.TestCheckResourceAttr(projectData, "name", projectName),
		resource.TestCheckResourceAttr(projectData, "description", scopeDesc),
	)

	resource.Test(t, resource.TestCase{
		ProviderFactories: factories,
		CheckDestroy:      destroyCheck,
		Steps: []resource.TestStep{
			{Config: config, Check: checks},
		},
	})
}
-------------------------------------------------------------------------------- /internal/provider/data_source_user_test.go: -------------------------------------------------------------------------------- 1 | // Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package provider

import (
	"fmt"
	"testing"

	"github.com/YakDriver/regexache"
	"github.com/hashicorp/boundary/testing/controller"
	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
)

var (
	// orgUserDataSource creates a user in org1 and reads it back by name.
	orgUserDataSource = fmt.Sprintf(`
resource "boundary_user" "org1" {
	name = "test"
	description = "%s"
	scope_id = boundary_scope.org1.id
	depends_on = [boundary_role.org1_admin]
}
data "boundary_user" "org1" {
	name = "test"
	scope_id = boundary_scope.org1.id
	depends_on = [boundary_user.org1]
}`, fooDescription)

	// globalUserDataSource reads the "admin" user without giving a scope_id.
	globalUserDataSource = `
data "boundary_user" "admin" {
	name = "admin"
	depends_on = [boundary_role.org1_admin]
}`
)

// NOTE: this test also tests out the direct token auth mechanism.

// TestAccUserDataSource_basicOrgUser creates a user in org1 and checks that
// the data source returns its name and description. The provider is
// configured with the test controller's token.
func TestAccUserDataSource_basicOrgUser(t *testing.T) {
	ctl := controller.NewTestController(t, tcConfig...)
	defer ctl.Shutdown()
	apiAddr := ctl.ApiAddrs()[0]
	authToken := ctl.Token().Token

	const (
		resourceName   = "boundary_user.org1"
		dataSourceName = "data.boundary_user.org1"
	)

	var provider *schema.Provider
	// providerFactories receives &provider before the destroy check and the
	// check helpers read provider; keep this order (presumably it is what
	// fills provider in).
	factories := providerFactories(&provider)
	destroyCheck := testAccCheckUserResourceDestroy(t, provider)
	// test create
	config := testConfigWithToken(apiAddr, authToken, fooOrg, orgUserDataSource)
	checks := resource.ComposeTestCheckFunc(
		testAccCheckUserResourceExists(provider, resourceName),
		resource.TestCheckResourceAttr(dataSourceName, DescriptionKey, fooDescription),
		resource.TestCheckResourceAttr(dataSourceName, NameKey, "test"),
	)

	resource.Test(t, resource.TestCase{
		ProviderFactories: factories,
		CheckDestroy:      destroyCheck,
		Steps: []resource.TestStep{
			{Config: config, Check: checks},
		},
	})
}

// TestAccUserDataSource_globalAdminUser reads the "admin" user and checks its
// login name, ID and primary-account ID prefixes, authorized-action count and
// global scope block.
func TestAccUserDataSource_globalAdminUser(t *testing.T) {
	ctl := controller.NewTestController(t, tcConfig...)
	defer ctl.Shutdown()
	apiAddr := ctl.ApiAddrs()[0]
	authToken := ctl.Token().Token

	const dataSourceName = "data.boundary_user.admin"

	var provider *schema.Provider
	factories := providerFactories(&provider)
	config := testConfigWithToken(apiAddr, authToken, fooOrg, globalUserDataSource)
	checks := resource.ComposeTestCheckFunc(
		resource.TestCheckResourceAttr(dataSourceName, NameKey, "admin"),
		resource.TestCheckResourceAttr(dataSourceName, DescriptionKey, "Initial admin user within the \"global\" scope"),
		resource.TestCheckResourceAttr(dataSourceName, LoginNameKey, "testuser"),
		resource.TestMatchResourceAttr(dataSourceName, IDKey, regexache.MustCompile(`^u_.+`)),
		resource.TestMatchResourceAttr(dataSourceName, PrimaryAccountIdKey, regexache.MustCompile(`^acctpw_.+`)),
		resource.TestCheckResourceAttr(dataSourceName, "authorized_actions.#", "8"),
		resource.TestCheckResourceAttr(dataSourceName, "scope.0.name", "global"),
		resource.TestCheckResourceAttr(dataSourceName, "scope.0.id", "global"),
		resource.TestCheckResourceAttr(dataSourceName, "scope.0.type", "global"),
		resource.TestCheckResourceAttr(dataSourceName, "scope.0.description", "Global Scope"),
	)

	resource.Test(t, resource.TestCase{
		ProviderFactories: factories,
		Steps: []resource.TestStep{
			{Config: config, Check: checks},
		},
	})
}
-------------------------------------------------------------------------------- /internal/provider/filter.go: --------------------------------------------------------------------------------
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package provider

import "fmt"

// FilterWithItemNameMatches builds a list-filter expression that applies the
// `matches` operator to "/item/name" with name as the operand.
//
// name is interpolated verbatim: nothing is quoted or escaped. A double quote
// inside name therefore ends the string literal early and changes the shape
// of the expression, and pattern metacharacters keep their meaning.
// NOTE(review): `matches` is presumably the filter language's
// regular-expression operator, which would also make the match unanchored;
// confirm against the Boundary filter documentation.
//
// Callers that must resolve exactly one object should treat the filtered list
// as a pre-selection and compare each returned item's name for equality, and
// should validate name before it reaches this function when it can come from
// a less-trusted configuration source.
func FilterWithItemNameMatches(name string) string {
	const nameMatchExpr = `"/item/name" matches "%s"`
	return fmt.Sprintf(nameMatchExpr, name)
}
-------------------------------------------------------------------------------- /internal/provider/pathorcontents.go: --------------------------------------------------------------------------------
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

// Helpers for dealing with file paths and their contents
//
// Originally from Terraform; see
// https://www.terraform.io/docs/extend/guides/v2-upgrade-guide.html#removal-of-helper-pathorcontents-package
package provider

import (
	"io/ioutil"
	"os"

	"github.com/mitchellh/go-homedir"
)

// If the argument is a path, Read loads it and returns the contents,
// otherwise the argument is assumed to be the desired contents and is simply
// returned.
//
// The boolean second return value can be called `wasPath` - it indicates if a
// path was detected and a file loaded.
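func ReadPathOrContents(poc string) (string, bool, error) {
	// An empty argument is returned unchanged and is never treated as a path.
	if len(poc) == 0 {
		return poc, false, nil
	}

	// A leading "~" is expanded through homedir.Expand; an expansion failure
	// is reported with wasPath set to true.
	path := poc
	if path[0] == '~' {
		var err error
		path, err = homedir.Expand(path)
		if err != nil {
			return path, true, err
		}
	}

	// Whether the argument is "a path" is decided solely by os.Stat
	// succeeding. Any value that happens to name an existing filesystem
	// entry is replaced by that file's contents, so callers passing values
	// from a less-trusted configuration source should expect local files
	// readable by this process to be loaded through this function.
	// A Stat failure of any kind falls through to the "contents" case.
	if _, err := os.Stat(path); err == nil {
		// On a read failure the (possibly partial or empty) contents are
		// returned together with the error and wasPath set to true.
		contents, err := ioutil.ReadFile(path)
		return string(contents), true, err
	}

	return poc, false, nil
}
-------------------------------------------------------------------------------- /internal/provider/resource_account_oidc_test.go: -------------------------------------------------------------------------------- 1 | // Copyright (c) HashiCorp, Inc. 2 | // SPDX-License-Identifier: MPL-2.0 3 | 4 | package provider 5 | 6 | import ( 7 | "fmt" 8 | "strings" 9 | "testing" 10 | 11 | "github.com/hashicorp/boundary/testing/controller" 12 | "github.com/hashicorp/cap/oidc" 13 | "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" 14 | "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" 15 | ) 16 | 17 | const ( 18 | fooAccountOidcDesc = "test account oidc" 19 | fooAccountOidcDescUpdate = "test account oidc update" 20 | ) 21 | 22 | var fooAccountOidc = ` 23 | resource "boundary_auth_method_oidc" "foo" { 24 | name = "test" 25 | description = "test account oidc auth method" 26 | scope_id = boundary_scope.org1.id 27 | depends_on = [boundary_role.org1_admin] 28 | 29 | issuer = "%s" 30 | client_id = "foo_id" 31 | client_secret = "foo_secret" 32 | max_age = 0 33 | api_url_prefix = "http://localhost:9200" 34 | idp_ca_certs = [ 35 | <&2 11 | exit 1 12 | fi 13 | 14 | if [[ -z "${GOARCH:-}" ]]; then 15 | echo "Must provide GOARCH in environment" 1>&2 16 | exit 1 17 | fi 18 | 19 | BINARY_SUFFIX="" 20 | if [ "${GOOS}x" = "windowsx" ]; then 21 | BINARY_SUFFIX=".exe" 22 | fi 23 | 24 | # Get the parent directory of where this script is.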
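SOURCE="${BASH_SOURCE[0]}"
# Follow symlinks so DIR is derived from the script's real location.
while [ -h "$SOURCE" ] ; do SOURCE="$(readlink "$SOURCE")"; done
export DIR="$( cd -P "$( dirname "$SOURCE" )/.." && pwd )"

# Output directory for the compiled plugin binaries of this OS/arch pair.
ASSETS_DIR="$DIR/plugins/kms/assets/${GOOS}/${GOARCH}"

echo "==> Building kms plugins for ${GOOS}-${GOARCH}..."
# Every expansion below is quoted so a checkout path containing spaces or glob
# characters cannot split into extra arguments to rm, cd, go build or gzip.
rm -f "$ASSETS_DIR"/boundary-plugin-kms-*
# Iterate with a glob rather than parsing `ls` output; skip the literal
# pattern when nothing matches.
for PLUGIN_PATH in "$DIR"/plugins/kms/mains/*; do
    [ -e "$PLUGIN_PATH" ] || continue
    CURR_PLUGIN="$(basename "$PLUGIN_PATH")"
    echo "==> Building $CURR_PLUGIN plugin..."
    # Stop if the directory change fails, so the build never runs from an
    # unintended working directory.
    cd "$PLUGIN_PATH" || exit 1
    go build -v -o "$ASSETS_DIR/boundary-plugin-kms-${CURR_PLUGIN}${BINARY_SUFFIX}" .
    cd "$DIR" || exit 1
done
# gzip below acts on relative names, so it must only run inside ASSETS_DIR.
cd "$ASSETS_DIR" || exit 1
for CURR_PLUGIN in boundary-plugin-kms-*; do
    [ -e "$CURR_PLUGIN" ] || continue
    echo "==> gzip $CURR_PLUGIN plugin..."
    gzip -f -9 "$CURR_PLUGIN"
done
cd "$DIR" || exit 1
-------------------------------------------------------------------------------- /templates/data-sources/scope.md.tmpl: -------------------------------------------------------------------------------- 1 | --- 2 | page_title: "boundary_scope Data Source - terraform-provider-boundary" 3 | subcategory: "" 4 | description: |- 5 | {{ .Description | plainmarkdown | trimspace | prefixlines " " }} 6 | --- 7 | 8 | # boundary_scope (Data Source) 9 | 10 | {{ .Description | trimspace }} 11 | Please note that the Global scope will always have an id of "global", and does not need to be discovered with this data source. 12 | 13 | ## Example Usage 14 | 15 | {{tffile "examples/data-sources/boundary_scope/data-source.tf"}} 16 | 17 | {{ .SchemaMarkdown | trimspace }} 18 | -------------------------------------------------------------------------------- /templates/index.md.tmpl: -------------------------------------------------------------------------------- 1 | --- 2 | page_title: "Provider: Boundary" 3 | subcategory: "" 4 | description: |- 5 | Terraform provider for configuring Boundary. 6 | --- 7 | 8 | # Boundary Provider 9 | 10 | Terraform provider for configuring Boundary.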
11 | 12 | ## Example Usage 13 | 14 | Do not keep your authentication password in HCL for production environments; use Terraform environment variables instead. 15 | 16 | {{tffile "examples/provider/provider.tf"}} 17 | 18 | {{ .SchemaMarkdown | trimspace }} -------------------------------------------------------------------------------- /templates/resources/group.md.tmpl: -------------------------------------------------------------------------------- 1 | --- 2 | page_title: "boundary_group Resource - terraform-provider-boundary" 3 | subcategory: "" 4 | description: |- 5 | {{ .Description | plainmarkdown | trimspace | prefixlines " " }} 6 | --- 7 | 8 | # Resource `boundary_group` 9 | 10 | {{ .Description | trimspace }} 11 | 12 | ## Example Usage 13 | 14 | {{tffile "examples/resources/boundary_group/simple/resource.tf"}} 15 | 16 | Usage for a project-specific group: 17 | 18 | {{tffile "examples/resources/boundary_group/project-specific/resource.tf"}} 19 | 20 | {{ .SchemaMarkdown | trimspace }} 21 | 22 | ## Import 23 | 24 | Import is supported using the following syntax: 25 | 26 | {{codefile "shell" "examples/resources/boundary_group/import.sh" }} 27 | -------------------------------------------------------------------------------- /templates/resources/role.md.tmpl: -------------------------------------------------------------------------------- 1 | --- 2 | page_title: "boundary_role Resource - terraform-provider-boundary" 3 | subcategory: "" 4 | description: |- 5 | {{ .Description | plainmarkdown | trimspace | prefixlines " " }} 6 | --- 7 | 8 | # Resource `boundary_role` 9 | 10 | {{ .Description | trimspace }} 11 | 12 | ## Example Usage 13 | 14 | Basic usage: 15 | 16 | {{tffile "examples/resources/boundary_role/simple/resource.tf"}} 17 | 18 | Usage with a user resource: 19 | 20 | {{tffile "examples/resources/boundary_role/user/resource.tf"}} 21 | 22 | Usage with user and grants resource: 23 | 24 | {{tffile "examples/resources/boundary_role/user-grants/resource.tf"}} 25 | 26 |
Usage for a project-specific role: 27 | 28 | {{tffile "examples/resources/boundary_role/project-specific/resource.tf"}} 29 | 30 | {{ .SchemaMarkdown | trimspace }} 31 | 32 | ## Import 33 | 34 | Import is supported using the following syntax: 35 | 36 | {{codefile "shell" "examples/resources/boundary_role/import.sh" }} -------------------------------------------------------------------------------- /templates/resources/scope.md.tmpl: -------------------------------------------------------------------------------- 1 | --- 2 | page_title: "boundary_scope Resource - terraform-provider-boundary" 3 | subcategory: "" 4 | description: |- 5 | {{ .Description | plainmarkdown | trimspace | prefixlines " " }} 6 | --- 7 | 8 | # Resource `boundary_scope` 9 | 10 | {{ .Description | trimspace }} 11 | 12 | ## Example Usage 13 | 14 | Creating the global scope: 15 | 16 | {{tffile "examples/resources/boundary_scope/global.tf"}} 17 | 18 | Creating an organization scope within global: 19 | 20 | {{tffile "examples/resources/boundary_scope/organization.tf"}} 21 | 22 | Creating a project scope within an organization: 23 | 24 | {{tffile "examples/resources/boundary_scope/project.tf"}} 25 | 26 | Creating an organization scope with a managed role for administration (auto create role set false): 27 | 28 | {{tffile "examples/resources/boundary_scope/role.tf"}} 29 | 30 | {{ .SchemaMarkdown | trimspace }} 31 | 32 | ## Import 33 | 34 | Import is supported using the following syntax: 35 | 36 | {{codefile "shell" "examples/resources/boundary_scope/import.sh" }} -------------------------------------------------------------------------------- /templates/resources/worker.md.tmpl: -------------------------------------------------------------------------------- 1 | --- 2 | page_title: "boundary_worker Resource - terraform-provider-boundary" 3 | subcategory: "" 4 | description: |- 5 | {{ .Description | plainmarkdown | trimspace | prefixlines " " }} 6 | --- 7 | 8 | # boundary_worker (Resource) 9 | 10 | {{
.Description | trimspace }} 11 | 12 | ## Example Usage 13 | 14 | ### Controller-led worker 15 | 16 | {{tffile "examples/resources/boundary_worker/controller_led.tf"}} 17 | 18 | ### Worker-led worker 19 | 20 | {{tffile "examples/resources/boundary_worker/worker_led.tf"}} 21 | 22 | {{ .SchemaMarkdown | trimspace }} 23 | 24 | ## Import 25 | 26 | Import is supported using the following syntax: 27 | 28 | {{codefile "shell" "examples/resources/boundary_worker/import.sh" }} 29 | -------------------------------------------------------------------------------- /terraform-registry-manifest.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": 1, 3 | "metadata": { 4 | "protocol_versions": ["5.0"] 5 | } 6 | } -------------------------------------------------------------------------------- /tools/tools.go: -------------------------------------------------------------------------------- 1 | // Copyright (c) HashiCorp, Inc. 2 | // SPDX-License-Identifier: MPL-2.0 3 | 4 | //go:build tools 5 | // +build tools 6 | 7 | package tools 8 | 9 | //go:generate go install github.com/hashicorp/terraform-plugin-docs/cmd/tfplugindocs 10 | //go:generate go install mvdan.cc/gofumpt 11 | 12 | import ( 13 | // docs generator 14 | _ "github.com/hashicorp/terraform-plugin-docs/cmd/tfplugindocs" 15 | _ "mvdan.cc/gofumpt" 16 | ) 17 | --------------------------------------------------------------------------------