Initial framework scaffolding, and implement encryption_key_manager and resource_server using the framework

Author: acwest

docs/data-sources/clients.md

@@ -38,7 +38,7 @@ data "auth0_clients" "first_party_apps" {
 
 ### Read-Only
 
-- `clients` (List of Object) List of clients matching the filter criteria. (see [below for nested schema](#nestedatt--clients))
+- `clients` (Set of Object) List of clients matching the filter criteria. (see [below for nested schema](#nestedatt--clients))
 - `id` (String) The ID of this resource.
 
 <a id="nestedatt--clients"></a>

docs/data-sources/provider.md

@@ -0,0 +1,20 @@
+---
+page_title: "Data Source: auth0_provider"
+description: |-
+  A data source for retrieving basic information about the provider.
+---
+
+# Data Source: auth0_provider
+
+A data source for retrieving basic information about the provider.
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Read-Only
+
+- `provider_version` (String) The version of the provider.
+
+

docs/data-sources/resource_server.md

@@ -1,12 +1,12 @@
 ---
 page_title: "Data Source: auth0_resource_server"
 description: |-
-  Data source to retrieve a specific Auth0 resource server by resource_server_id or identifier.
+  With this datasource, you can set up APIs that can be consumed from your authorized applications.
 ---
 
 # Data Source: auth0_resource_server
 
-Data source to retrieve a specific Auth0 resource server by `resource_server_id` or `identifier`.
+With this datasource, you can set up APIs that can be consumed from your authorized applications.
 
 ## Example Usage
 
@@ -29,71 +29,68 @@ data "auth0_resource_server" "some-resource-server-by-id" {
 
 - `identifier` (String) Unique identifier for the resource server. Used as the audience parameter for authorization calls. If not provided, `resource_server_id` must be set.
 - `resource_server_id` (String) The ID of the resource server. If not provided, `identifier` must be set.
+- `token_encryption` (Attributes) Configuration for JSON Web Encryption(JWE) of tokens for this resource server. (see [below for nested schema](#nestedatt--token_encryption))
 
 ### Read-Only
 
 - `allow_offline_access` (Boolean) Indicates whether refresh tokens can be issued for this resource server.
-- `authorization_details` (List of Object) Authorization details for this resource server. (see [below for nested schema](#nestedatt--authorization_details))
+- `authorization_details` (Attributes List) Authorization details for this resource server. (see [below for nested schema](#nestedatt--authorization_details))
 - `consent_policy` (String) Consent policy for this resource server. Options include `transactional-authorization-with-mfa`, or `null` to disable.
 - `enforce_policies` (Boolean) If this setting is enabled, RBAC authorization policies will be enforced for this API. Role and permission assignments will be evaluated during the login transaction.
-- `id` (String) The ID of this resource.
-- `name` (String) Friendly name for the resource server. Cannot include `<` or `>` characters.
-- `proof_of_possession` (List of Object) Configuration settings for proof-of-possession for this resource server. (see [below for nested schema](#nestedatt--proof_of_possession))
-- `scopes` (Set of Object) List of permissions (scopes) used by this resource server. (see [below for nested schema](#nestedatt--scopes))
+- `name` (String) Friendly name for the resource server.
+- `proof_of_possession` (Attributes) Configuration settings for proof-of-possession for this resource server. (see [below for nested schema](#nestedatt--proof_of_possession))
+- `scopes` (Attributes Set) List of permissions (scopes) used by this resource server. (see [below for nested schema](#nestedatt--scopes))
 - `signing_alg` (String) Algorithm used to sign JWTs. Options include `HS256`, `RS256`, and `PS256`.
 - `signing_secret` (String) Secret used to sign tokens when using symmetric algorithms (HS256).
 - `skip_consent_for_verifiable_first_party_clients` (Boolean) Indicates whether to skip user consent for applications flagged as first party.
 - `token_dialect` (String) Dialect of access tokens that should be issued for this resource server. Options include `access_token`, `rfc9068_profile`, `access_token_authz`, and `rfc9068_profile_authz`. `access_token` is a JWT containing standard Auth0 claims. `rfc9068_profile` is a JWT conforming to the IETF JWT Access Token Profile. `access_token_authz` is a JWT containing standard Auth0 claims, including RBAC permissions claims. `rfc9068_profile_authz` is a JWT conforming to the IETF JWT Access Token Profile, including RBAC permissions claims. RBAC permissions claims are available if RBAC (`enforce_policies`) is enabled for this API. For more details, refer to [Access Token Profiles](https://auth0.com/docs/secure/tokens/access-tokens/access-token-profiles).
-- `token_encryption` (List of Object) Configuration for JSON Web Encryption(JWE) of tokens for this resource server. (see [below for nested schema](#nestedatt--token_encryption))
 - `token_lifetime` (Number) Number of seconds during which access tokens issued for this resource server from the token endpoint remain valid.
 - `token_lifetime_for_web` (Number) Number of seconds during which access tokens issued for this resource server via implicit or hybrid flows remain valid. Cannot be greater than the `token_lifetime` value.
 - `verification_location` (String) URL from which to retrieve JWKs for this resource server. Used for verifying the JWT sent to Auth0 for token introspection.
 
-<a id="nestedatt--authorization_details"></a>
-### Nested Schema for `authorization_details`
+<a id="nestedatt--token_encryption"></a>
+### Nested Schema for `token_encryption`
 
 Read-Only:
 
-- `disable` (Boolean)
-- `type` (String)
-
+- `encryption_key` (Attributes) Authorization details for this resource server. (see [below for nested schema](#nestedatt--token_encryption--encryption_key))
+- `format` (String) Format of the token encryption. Only `compact-nested-jwe` is supported.
 
-<a id="nestedatt--proof_of_possession"></a>
-### Nested Schema for `proof_of_possession`
+<a id="nestedatt--token_encryption--encryption_key"></a>
+### Nested Schema for `token_encryption.encryption_key`
 
 Read-Only:
 
-- `disable` (Boolean)
-- `mechanism` (String)
-- `required` (Boolean)
+- `algorithm` (String) Algorithm used to encrypt the token.
+- `kid` (String) Key ID.
+- `name` (String) Name of the encryption key.
+- `pem` (String) PEM-formatted public key. Must be JSON escaped.
 
 
-<a id="nestedatt--scopes"></a>
-### Nested Schema for `scopes`
+
+<a id="nestedatt--authorization_details"></a>
+### Nested Schema for `authorization_details`
 
 Read-Only:
 
-- `description` (String)
-- `name` (String)
+- `type` (String) Type of authorization details.
 
 
-<a id="nestedatt--token_encryption"></a>
-### Nested Schema for `token_encryption`
+<a id="nestedatt--proof_of_possession"></a>
+### Nested Schema for `proof_of_possession`
 
 Read-Only:
 
-- `disable` (Boolean)
-- `encryption_key` (List of Object) (see [below for nested schema](#nestedobjatt--token_encryption--encryption_key))
-- `format` (String)
+- `mechanism` (String) Mechanism used for proof-of-possession. Only `mtls` is supported.
+- `required` (Boolean) Indicates whether proof-of-possession is required with this resource server.
 
-<a id="nestedobjatt--token_encryption--encryption_key"></a>
-### Nested Schema for `token_encryption.encryption_key`
+
+<a id="nestedatt--scopes"></a>
+### Nested Schema for `scopes`
 
 Read-Only:
 
-- `algorithm` (String)
-- `kid` (String)
-- `name` (String)
-- `pem` (String)
+- `description` (String) Description of the permission (scope).
+- `name` (String) Name of the permission (scope). Examples include `read:appointments` or `delete:appointments`.
 
 

docs/resources/encryption_key_manager.md

@@ -1,12 +1,12 @@
 ---
 page_title: "Resource: auth0_encryption_key_manager"
 description: |-
-  Resource to allow the rekeying of your tenant master key.
+  A resource for managing the tenant root key.
 ---
 
 # Resource: auth0_encryption_key_manager
 
-Resource to allow the rekeying of your tenant master key.
+A resource for managing the tenant root key.
 
 ## Example Usage
 
@@ -50,13 +50,12 @@ resource "auth0_encryption_key_manager" "my_key_manager" {
 
 ### Optional
 
-- `customer_provided_root_key` (Block List, Max: 1) This attribute is used for provisioning the customer provided root key. To initiate the provisioning process, create a new empty `customer_provided_root_key` block. After applying this, the `public_wrapping_key` can be retreived from the resource, and the new root key should be generated by the customer and wrapped with the wrapping key, then base64-encoded and added as the `wrapped_key` attribute. (see [below for nested schema](#nestedblock--customer_provided_root_key))
+- `customer_provided_root_key` (Block, Optional) This attribute is used for provisioning the customer provided root key. To initiate the provisioning process, create a new empty `customer_provided_root_key` block. After applying this, the `public_wrapping_key` can be retreived from the resource, and the new root key should be generated by the customer and wrapped with the wrapping key, then base64-encoded and added as the `wrapped_key` attribute. (see [below for nested schema](#nestedblock--customer_provided_root_key))
 - `key_rotation_id` (String) If this value is changed, the encryption keys will be rotated. A UUID is recommended for the `key_rotation_id`.
 
 ### Read-Only
 
-- `encryption_keys` (List of Object) All encryption keys. (see [below for nested schema](#nestedatt--encryption_keys))
-- `id` (String) The ID of this resource.
+- `encryption_keys` (Attributes List) All encryption keys. (see [below for nested schema](#nestedatt--encryption_keys))
 
 <a id="nestedblock--customer_provided_root_key"></a>
 ### Nested Schema for `customer_provided_root_key`
@@ -82,11 +81,11 @@ Read-Only:
 
 Read-Only:
 
-- `created_at` (String)
-- `key_id` (String)
-- `parent_key_id` (String)
-- `state` (String)
-- `type` (String)
-- `updated_at` (String)
+- `created_at` (String) The ISO 8601 formatted date the customer provided root key was created.
+- `key_id` (String) The key ID of the customer provided root key.
+- `parent_key_id` (String) The key ID of the parent wrapping key.
+- `state` (String) The state of the encryption key. One of `pre-activation`, `active`, `deactivated`, or `destroyed`.
+- `type` (String) The type of the encryption key. One of `customer-provided-root-key`, `environment-root-key`, or `tenant-master-key`.
+- `updated_at` (String) The ISO 8601 formatted date the customer provided root key was updated.
 
 

docs/resources/resource_server.md

@@ -55,64 +55,58 @@ EOF
 ### Optional
 
 - `allow_offline_access` (Boolean) Indicates whether refresh tokens can be issued for this resource server.
-- `authorization_details` (Block List) Authorization details for this resource server. (see [below for nested schema](#nestedblock--authorization_details))
+- `authorization_details` (Attributes List) Authorization details for this resource server. (see [below for nested schema](#nestedatt--authorization_details))
 - `consent_policy` (String) Consent policy for this resource server. Options include `transactional-authorization-with-mfa`, or `null` to disable.
 - `enforce_policies` (Boolean) If this setting is enabled, RBAC authorization policies will be enforced for this API. Role and permission assignments will be evaluated during the login transaction.
 - `name` (String) Friendly name for the resource server. Cannot include `<` or `>` characters.
-- `proof_of_possession` (Block List, Max: 1) Configuration settings for proof-of-possession for this resource server. (see [below for nested schema](#nestedblock--proof_of_possession))
+- `proof_of_possession` (Attributes) Configuration settings for proof-of-possession for this resource server. (see [below for nested schema](#nestedatt--proof_of_possession))
 - `signing_alg` (String) Algorithm used to sign JWTs. Options include `HS256`, `RS256`, and `PS256`.
 - `signing_secret` (String) Secret used to sign tokens when using symmetric algorithms (HS256).
 - `skip_consent_for_verifiable_first_party_clients` (Boolean) Indicates whether to skip user consent for applications flagged as first party.
 - `token_dialect` (String) Dialect of access tokens that should be issued for this resource server. Options include `access_token`, `rfc9068_profile`, `access_token_authz`, and `rfc9068_profile_authz`. `access_token` is a JWT containing standard Auth0 claims. `rfc9068_profile` is a JWT conforming to the IETF JWT Access Token Profile. `access_token_authz` is a JWT containing standard Auth0 claims, including RBAC permissions claims. `rfc9068_profile_authz` is a JWT conforming to the IETF JWT Access Token Profile, including RBAC permissions claims. RBAC permissions claims are available if RBAC (`enforce_policies`) is enabled for this API. For more details, refer to [Access Token Profiles](https://auth0.com/docs/secure/tokens/access-tokens/access-token-profiles).
-- `token_encryption` (Block List, Max: 1) Configuration for JSON Web Encryption(JWE) of tokens for this resource server. (see [below for nested schema](#nestedblock--token_encryption))
+- `token_encryption` (Attributes) Configuration for JSON Web Encryption(JWE) of tokens for this resource server. (see [below for nested schema](#nestedatt--token_encryption))
 - `token_lifetime` (Number) Number of seconds during which access tokens issued for this resource server from the token endpoint remain valid.
 - `token_lifetime_for_web` (Number) Number of seconds during which access tokens issued for this resource server via implicit or hybrid flows remain valid. Cannot be greater than the `token_lifetime` value.
 - `verification_location` (String) URL from which to retrieve JWKs for this resource server. Used for verifying the JWT sent to Auth0 for token introspection.
 
 ### Read-Only
 
-- `id` (String) The ID of this resource.
+- `resource_server_id` (String) A generated string identifying the resource server.
 
-<a id="nestedblock--authorization_details"></a>
+<a id="nestedatt--authorization_details"></a>
 ### Nested Schema for `authorization_details`
 
-Optional:
+Required:
 
-- `disable` (Boolean) Disable authorization details.
 - `type` (String) Type of authorization details.
 
 
-<a id="nestedblock--proof_of_possession"></a>
+<a id="nestedatt--proof_of_possession"></a>
 ### Nested Schema for `proof_of_possession`
 
 Optional:
 
-- `disable` (Boolean) Disable proof-of-possession.
 - `mechanism` (String) Mechanism used for proof-of-possession. Only `mtls` is supported.
 - `required` (Boolean) Indicates whether proof-of-possession is required with this resource server.
 
 
-<a id="nestedblock--token_encryption"></a>
+<a id="nestedatt--token_encryption"></a>
 ### Nested Schema for `token_encryption`
 
 Optional:
 
-- `disable` (Boolean) Disable token encryption.
-- `encryption_key` (Block List, Max: 1) Authorization details for this resource server. (see [below for nested schema](#nestedblock--token_encryption--encryption_key))
+- `encryption_key` (Attributes) Authorization details for this resource server. (see [below for nested schema](#nestedatt--token_encryption--encryption_key))
 - `format` (String) Format of the token encryption. Only `compact-nested-jwe` is supported.
 
-<a id="nestedblock--token_encryption--encryption_key"></a>
+<a id="nestedatt--token_encryption--encryption_key"></a>
 ### Nested Schema for `token_encryption.encryption_key`
 
-Required:
-
-- `algorithm` (String) Algorithm used to encrypt the token.
-- `pem` (String) PEM-formatted public key. Must be JSON escaped.
-
 Optional:
 
+- `algorithm` (String) Algorithm used to encrypt the token.
 - `kid` (String) Key ID.
 - `name` (String) Name of the encryption key.
+- `pem` (String) PEM-formatted public key. Must be JSON escaped.
 
 ## Import
 

docs/resources/resource_server_scope.md

@@ -50,10 +50,6 @@ resource "auth0_resource_server_scope" "write_posts" {
 
 - `description` (String) Description of the scope (permission).
 
-### Read-Only
-
-- `id` (String) The ID of this resource.
-
 ## Import
 
 Import is supported using the following syntax:

docs/resources/resource_server_scopes.md

@@ -49,11 +49,10 @@ resource "auth0_resource_server_scopes" "my_api_scopes" {
 ### Required
 
 - `resource_server_identifier` (String) Identifier of the resource server that the scopes (permission) are associated with.
-- `scopes` (Block Set, Min: 1) (see [below for nested schema](#nestedblock--scopes))
 
-### Read-Only
+### Optional
 
-- `id` (String) The ID of this resource.
+- `scopes` (Block Set) List of the scopes associated with a resource server. (see [below for nested schema](#nestedblock--scopes))
 
 <a id="nestedblock--scopes"></a>
 ### Nested Schema for `scopes`

go.mod

@@ -11,6 +11,11 @@ require (
 	github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/terraform-plugin-docs v0.19.4
+	github.com/hashicorp/terraform-plugin-framework v1.13.0
+	github.com/hashicorp/terraform-plugin-framework-timetypes v0.5.0
+	github.com/hashicorp/terraform-plugin-framework-validators v0.15.0
+	github.com/hashicorp/terraform-plugin-go v0.25.0
+	github.com/hashicorp/terraform-plugin-mux v0.16.0
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.35.0
 	github.com/hashicorp/terraform-plugin-testing v1.11.0
 	github.com/stretchr/testify v1.10.0
@@ -48,7 +53,6 @@ require (
 	github.com/hashicorp/logutils v1.0.0 // indirect
 	github.com/hashicorp/terraform-exec v0.21.0 // indirect
 	github.com/hashicorp/terraform-json v0.23.0 // indirect
-	github.com/hashicorp/terraform-plugin-go v0.25.0 // indirect
 	github.com/hashicorp/terraform-plugin-log v0.9.0 // indirect
 	github.com/hashicorp/terraform-registry-address v0.2.3 // indirect
 	github.com/hashicorp/terraform-svchost v0.1.1 // indirect

go.sum

@@ -111,10 +111,18 @@ github.com/hashicorp/terraform-json v0.23.0 h1:sniCkExU4iKtTADReHzACkk8fnpQXrdD2
 github.com/hashicorp/terraform-json v0.23.0/go.mod h1:MHdXbBAbSg0GvzuWazEGKAn/cyNfIB7mN6y7KJN6y2c=
 github.com/hashicorp/terraform-plugin-docs v0.19.4 h1:G3Bgo7J22OMtegIgn8Cd/CaSeyEljqjH3G39w28JK4c=
 github.com/hashicorp/terraform-plugin-docs v0.19.4/go.mod h1:4pLASsatTmRynVzsjEhbXZ6s7xBlUw/2Kt0zfrq8HxA=
+github.com/hashicorp/terraform-plugin-framework v1.13.0 h1:8OTG4+oZUfKgnfTdPTJwZ532Bh2BobF4H+yBiYJ/scw=
+github.com/hashicorp/terraform-plugin-framework v1.13.0/go.mod h1:j64rwMGpgM3NYXTKuxrCnyubQb/4VKldEKlcG8cvmjU=
+github.com/hashicorp/terraform-plugin-framework-timetypes v0.5.0 h1:v3DapR8gsp3EM8fKMh6up9cJUFQ2iRaFsYLP8UJnCco=
+github.com/hashicorp/terraform-plugin-framework-timetypes v0.5.0/go.mod h1:c3PnGE9pHBDfdEVG9t1S1C9ia5LW+gkFR0CygXlM8ak=
+github.com/hashicorp/terraform-plugin-framework-validators v0.15.0 h1:RXMmu7JgpFjnI1a5QjMCBb11usrW2OtAG+iOTIj5c9Y=
+github.com/hashicorp/terraform-plugin-framework-validators v0.15.0/go.mod h1:Bh89/hNmqsEWug4/XWKYBwtnw3tbz5BAy1L1OgvbIaY=
 github.com/hashicorp/terraform-plugin-go v0.25.0 h1:oi13cx7xXA6QciMcpcFi/rwA974rdTxjqEhXJjbAyks=
 github.com/hashicorp/terraform-plugin-go v0.25.0/go.mod h1:+SYagMYadJP86Kvn+TGeV+ofr/R3g4/If0O5sO96MVw=
 github.com/hashicorp/terraform-plugin-log v0.9.0 h1:i7hOA+vdAItN1/7UrfBqBwvYPQ9TFvymaRGZED3FCV0=
 github.com/hashicorp/terraform-plugin-log v0.9.0/go.mod h1:rKL8egZQ/eXSyDqzLUuwUYLVdlYeamldAHSxjUFADow=
+github.com/hashicorp/terraform-plugin-mux v0.16.0 h1:RCzXHGDYwUwwqfYYWJKBFaS3fQsWn/ZECEiW7p2023I=
+github.com/hashicorp/terraform-plugin-mux v0.16.0/go.mod h1:PF79mAsPc8CpusXPfEVa4X8PtkB+ngWoiUClMrNZlYo=
 github.com/hashicorp/terraform-plugin-sdk/v2 v2.35.0 h1:wyKCCtn6pBBL46c1uIIBNUOWlNfYXfXpVo16iDyLp8Y=
 github.com/hashicorp/terraform-plugin-sdk/v2 v2.35.0/go.mod h1:B0Al8NyYVr8Mp/KLwssKXG1RqnTk7FySqSn4fRuLNgw=
 github.com/hashicorp/terraform-plugin-testing v1.11.0 h1:MeDT5W3YHbONJt2aPQyaBsgQeAIckwPX41EUHXEn29A=