updated docs

changelog.md

@@ -1,3 +1,26 @@
+# 0.9.0-beta9
+
+## New Resources
+    ciphertrust_password_policy
+        Updates CipherTrust Manager's global password policy
+    ciphertrust_policies:
+        Creates custom policies that:
+            Allow a non-admin users add an AWS KMS
+            Allow a non-admin users add an Azure vault
+            Allow a non-admin users add a Google Cloud keyring
+            Prevent users from exporting CipherTrust keys 
+     ciphertrust_policy_attachments
+        Used to attach ciphertrust_policies to principles, eg groups.
+
+## New Data Sources
+    ciphertrust-gcp-connection
+        Reads a gcp connection resource
+
+## Breaking changes
+    ciphertrust_gcp_key
+        enable_versions - has changed from a list of version id strings to a list of version numbers
+        disable_versions - has changed from a list of version id strings to a list of version numbers
+
 # 0.9.0-beta8
 
 ## New Resources

docs/data-sources/aws_account_details.md

@@ -23,10 +23,12 @@ resource "ciphertrust_aws_connection" "aws_connection" {
   secret_access_key = "secret-access-key"
 }
 
+# Use the connection ID to retrieve account details
 data "ciphertrust_aws_account_details" "account_details" {
   aws_connection = ciphertrust_aws_connection.aws_connection.id
 }
 
+# Use the account details datasource elements to create a KMS resource
 resource "ciphertrust_aws_kms" "kms" {
   account_id     = data.ciphertrust_aws_account_details.account_details.account_id
   aws_connection = ciphertrust_aws_connection.aws_connection.id

docs/data-sources/azure_connection.md

@@ -14,21 +14,6 @@ This data-source provides vault details associated with a [ciphertrust_azure_con
 ## Example Usage
 
 ```terraform
-# Create an Azure connection
-resource "ciphertrust_azure_connection" "azure_connection" {
-  name          = "connection-name"
-  client_id     = "azure-client-id"
-  client_secret = "azure-client-secret"
-  tenant_id     = "azure-tenant-id"
-}
-
-# Add a vault
-resource "ciphertrust_azure_vault" "azure_vault" {
-  azure_connection = ciphertrust_azure_connection.azure_connection.name
-  subscription_id  = "azure-subscription-id"
-  name             = "azure-vault-name"
-}
-
 # Get the Azure connection details including the vaults
 data "ciphertrust_azure_connection" "connection_details" {
   azure_connection = "connection-name"

docs/data-sources/azure_key.md

@@ -16,14 +16,9 @@ It's possible to identify the key using a range of fields.
 ## Example Usage
 
 ```terraform
-# Retrieve details using the Terraform resource ID
-data "ciphertrust_azure_key" "by_resource_id" {
-  id = ciphertrust_azure_key.azure_key.id
-}
-
 # Retrieve details using the Azure key ID
 data "ciphertrust_azure_key" "by_azure_key_id" {
-  azure_key_id = ciphertrust_azure_key.azure_key.azure_key_id
+  azure_key_id = "kid"
 }
 
 # Retrieve details using the key name and vault
@@ -38,9 +33,8 @@ data "ciphertrust_azure_key" "by_name_and_vault" {
 
 ### Optional
 
-- `azure_key_id` (String) Azure key identifier. Can be used alone to identify the key, all other parameters will be ignored.
-- `id` (String) Azure key identifier. Can be used alone to identify a key.
-- `key_id` (String) CipherTrust Key ID. Can be used alone to identify the key, all other parameters will be ignored.
+- `azure_key_id` (String) Azure key identifier. Can be used alone to identify the key.
+- `key_id` (String) CipherTrust Key ID. Can be used alone to identify the key.
 - `key_vault` (String) Name of the Azure vault containing the key in the format of vault_name::subscription_id.
 - `name` (String) Key name.
 - `version` (String) Key version. Set to -1 to retrieve the latest version
@@ -58,6 +52,7 @@ data "ciphertrust_azure_key" "by_name_and_vault" {
 - `enabled` (Boolean) True if the key is enabled.
 - `expiration_date` (String) Date of key expiry.
 - `exportable` (Boolean) True if the key is exportable.
+- `id` (String) Azure key identifier.
 - `key_material_origin` (String) Key material origin of an uploaded or imported key.
 - `key_ops` (List of String) Allowed key operations for asymmetric keys.
 - `key_size` (Number) Size of asymmetric keys.

docs/data-sources/gcp_connection.md

@@ -0,0 +1,26 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "ciphertrust_gcp_connection Data Source - terraform-provider-ciphertrust"
+subcategory: ""
+description: |-
+  
+---
+
+# ciphertrust_gcp_connection (Data Source)
+
+This data-source retrieves details of a [ciphertrust_gcp_connection](https://registry.terraform.io/providers/ThalesGroup/ciphertrust/latest/docs/resources/gcp_connection) resource.
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `name` (String) Name of the Google cloud connection.
+
+### Read-Only
+
+- `cloud_name` (String) Name of the cloud.
+- `description` (String) Description of the Google Cloud connection.
+- `id` (String) CipherTrust Google Cloud connection ID.
+- `key_rings` (Map of String) A list of keying name:keyring ID pairs managed by the connection.
+- `meta` (Map of String) A list of key:value pairs to store with the connection.

docs/data-sources/gcp_key.md

@@ -16,20 +16,15 @@ It's possible to identify the key using a range of fields.
 ## Example Usage
 
 ```terraform
-# Retrieve details using the terraform ID
-data "ciphertrust_gcp_key" "by_terraform_id" {
-  id = ciphertrust_gcp_key.gcp_key.id
-}
-
 # Retrieve details using the CipherTrust key ID
 data "ciphertrust_gcp_key" "by_ciphertrust_id" {
-  key_id = ciphertrust_gcp_key.gcp_key.key_id
+  key_id = "6f4134bf-0007-42db-bc0b-e11e5bfbe782"
 }
 
-# Retrieve details using the key name and the keyring name
-data "ciphertrust_gcp_key" "by_multiple_values" {
-  name        = ciphertrust_gcp_key.gcp_key.name
-  key_ring    = ciphertrust_gcp_key.gcp_key.key_ring_name
+# Retrieve details using the key name and keyring
+data "ciphertrust_gcp_key" "by_keyname_and_keyring" {
+  name     = "key-name"
+  key_ring = "projects/my-project/locations/my-location/keyRings/my-keyring"
 }
 ```
 
@@ -38,10 +33,9 @@ data "ciphertrust_gcp_key" "by_multiple_values" {
 
 ### Optional
 
-- `id` (String) Terraform resource ID. Can be used alone to identify the key, all other parameters will be ignored.
-- `key_id` (String) CipherTrust key ID. Can be used alone to identify the key, all other parameters will be ignored.
+- `key_id` (String) CipherTrust key ID. Can be used alone to identify the key.
 - `key_ring` (String) Terraform ID of the keyring.
-- `keyring_id` (String) Keyring ID, short keyring name.
+- `keyring_id` (String) Google cloud keyring ID.
 - `location_id` (String) Google Cloud location.
 - `name` (String) Name of the key.
 - `project_id` (String) Google Cloud project ID.
@@ -52,14 +46,16 @@ data "ciphertrust_gcp_key" "by_multiple_values" {
 - `cloud_name` (String) Cloud name.
 - `create_status` (String) Key creation status.
 - `created_at` (String) Date the key was created.
+- `id` (String) Terraform datasource ID
 - `key_labels` (Map of String) A list of key:value pairs to assigned to the key.
-- `key_ring_name` (String) Google cloud keyring.
+- `key_ring_name` (String) Google cloud keyring name.
 - `key_versions` (List of Object) Key version details. (see [below for nested schema](#nestedatt--key_versions))
 - `labels` (Map of String) A list of key:value pairs associated with the key.
 - `next_rotation_time` (String) Time when the key will next be rotated by Google Cloud KMS.
 - `primary` (String) Primary version.
 - `purpose` (String) Purpose of the key.
 - `rotation_period` (String) Frequency at which the Google Cloud key will to be rotated by Google Cloud.
+- `state` (String) State of the key.
 - `updated_at` (String) Date the key was last updated.
 
 <a id="nestedatt--key_versions"></a>
@@ -71,7 +67,7 @@ Read-Only:
 - `is_primary` (Boolean)
 - `local_key_id` (String)
 - `local_key_name` (String)
-- `public_key` (Set of Object) (see [below for nested schema](#nestedobjatt--key_versions--public_key))
+- `public_key` (List of Object) (see [below for nested schema](#nestedobjatt--key_versions--public_key))
 - `version` (Number)
 - `version_id` (String)
 - `version_state` (String)

docs/data-sources/gcp_keyring.md

@@ -15,23 +15,23 @@ It's possible to identify the key using a range of fields.
 <!-- schema generated by tfplugindocs -->
 ## Schema
 
-### Optional
+### Required
 
-- `id` (String) Terraform resource ID. Can be used alone to identify the keyring.
 - `name` (String) Keyring name. Can be used alone to identify the keyring.
 
 ### Read-Only
 
-- `acls` (Set of Object) List of ACLs that have been added to the keyring. (see [below for nested schema](#nestedatt--acls))
+- `acls` (List of Object) List of ACLs that have been added to the keyring. (see [below for nested schema](#nestedatt--acls))
 - `gcp_connection` (String) Name of the Google Cloud connection.
-- `keyring_id` (String) Keyring ID, short keyring name.
+- `id` (String) The ID of this resource.
+- `keyring_id` (String) Google cloud keyring ID.
 - `project_id` (String) Google Cloud project ID.
 
 <a id="nestedatt--acls"></a>
 ### Nested Schema for `acls`
 
 Read-Only:
 
-- `actions` (Set of String)
+- `actions` (List of String)
 - `group` (String)
 - `user_id` (String)

docs/resources/password_policy.md

@@ -0,0 +1,50 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "ciphertrust_password_policy Resource - terraform-provider-ciphertrust"
+subcategory: ""
+description: |-
+
+---
+
+# ciphertrust_password_policy (Resource)
+Change the current password policy for all users. Can only be used to by a member of the admin group. Currently, a single policy named 'global' is applied to all users.
+
+
+## Example Usage
+
+```terraform
+resource "ciphertrust_password_policy" "PasswordPolicy"{
+	inclusive_min_upper_case = 2 
+	inclusive_min_lower_case = 2 
+	inclusive_min_digits = 2 
+	inclusive_min_other = 2 
+	inclusive_min_total_length = 10
+	inclusive_max_total_length = 50 
+	password_history_threshold = 10 
+	failed_logins_lockout_thresholds = [0, 0, 1, 1]
+	password_lifetime = 20
+	password_change_min_days = 100
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Optional
+
+- `failed_logins_lockout_thresholds` (List of Number) List of lockout durations in minutes for failed login attempts. For example, with input of [0, 5, 30], the first failed login attempt with duration of zero will not lockout the user account, the second failed login attempt will lockout the account for 5 minutes, the third and subsequent failed login attempts will lockout for 30 minutes. Set an empty array '[]' to disable the user account lockout.List of lockout durations in minutes for failed login attempts. For example, with input of [0, 5, 30], the first failed login attempt with duration of zero will not lockout the user account, the second failed login attempt will lockout the account for 5 minutes, the third and subsequent failed login attempts will lockout for 30 minutes. Set an empty array '[]' to disable the user account lockout.
+- `inclusive_max_total_length` (Number) The maximum length of the password. Value 0 is ignored.
+- `inclusive_min_digits` (Number) The minimum number of digits.
+- `inclusive_min_lower_case` (Number) The minimum number of lower cases.
+- `inclusive_min_other` (Number) The minimum number of other characters.
+- `inclusive_min_total_length` (Number) The minimum length of the password. Value 0 is ignored.
+- `inclusive_min_upper_case` (Number) The minimum number of upper cases.
+- `password_change_min_days` (Number) The minimum period in days between password changes. Value 0 is ignored.
+- `password_history_threshold` (Number) Determines the number of past passwords a user cannot reuse. Even with value 0, the user will not be able to change their password to the same password.
+- `password_lifetime` (Number) The maximum lifetime of the password in days. Value 0 is ignored.
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+
+

docs/resources/policies.md

@@ -0,0 +1,56 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "ciphertrust_policies Resource - terraform-provider-ciphertrust"
+subcategory: ""
+description: |-
+  
+---
+
+# ciphertrust_policies (Resource)
+
+
+
+## Example Usage
+
+```terraform
+resource "ciphertrust_policies" "policy" {
+    name    =   "policyReadKeyOnly"
+    actions =   ["ReadKey"]
+    allow   =   true
+    effect  =   "allow"
+    conditions {
+        path   = "context.resource.alg"
+        op     = "equals"
+        values = ["aes","rsa"]
+    }
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Optional
+
+- `actions` (List of String) Action attribute of an operation is a string, in the form of VerbResource e.g. CreateKey, or VerbWithResource e.g. EncryptWithKey
+- `allow` (Boolean) Allow is the effect of the policy, either to allow the actions or to deny the actions.
+- `conditions` (Block List) Conditions are rules for matching the other attributes of the operation (see [below for nested schema](#nestedblock--conditions))
+- `effect` (String) Specifies the effect of the policy, either to allow or to deny.
+- `include_descendant_accounts` (Boolean) When false, only the resources in the principal's account can be accessed if the policy allows it.
+- `name` (String) This is the name of the policy.
+- `resources` (List of String) Resources is a list of URI strings, which must be in URI format.
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+
+<a id="nestedblock--conditions"></a>
+### Nested Schema for `conditions`
+
+Optional:
+
+- `negate` (Boolean)
+- `op` (String)
+- `path` (String)
+- `values` (List of String)
+
+

docs/resources/policy_attachments.md

@@ -0,0 +1,31 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "ciphertrust_policy_attachments Resource - terraform-provider-ciphertrust"
+subcategory: ""
+description: |-
+  
+---
+
+# ciphertrust_policy_attachments (Resource)
+
+
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `policy` (String) The ID for the policy to be attached.
+- `principal_selector` (String) Selects which principals to apply the policy to. This can also be done using the conditions set while creating a policy.
+
+### Optional
+
+- `jurisdiction` (String) Jurisdiction to which the policy applies.
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+
+

docs/resources/user.md

@@ -8,7 +8,7 @@ description: |-
 
 # ciphertrust_user (Resource)
 
-Users are unique individuals or systems using the API.
+
 
 ## Example Usage
 
@@ -33,17 +33,17 @@ resource "ciphertrust_user" "user_admin1" {
 
 ### Required
 
-- `password` (String) The user password.
+- `password` (String) (Updateable) The user password.
 - `username` (String) The user name.
 
 ### Optional
 
-- `email` (String) E-mail of the user.
+- `email` (String) (Updateable) E-mail of the user.
 - `is_domain_user` (Boolean) This flag can be used to create the user in a non-root domain where user management is allowed.
-- `name` (String) Full name of the user.
-- `password_change_required` (Boolean) Password change required flag. If set to true, user will be required to change their password on next successful login.
-- `prevent_ui_login` (Boolean) If true, user is not allowed to login from Web UI. Default - false
-- `user_metadata` (Map of String) User meta data
+- `name` (String) (Updateable) Full name of the user.
+- `password_change_required` (Boolean) (Updateable) Password change required flag. If set to true, user will be required to change their password on next successful login.
+- `prevent_ui_login` (Boolean) (Updateable) If true, user is not allowed to login from Web UI. Default - false
+- `user_metadata` (Map of String) (Updateable) User meta data
 
 ### Read-Only