smallstep
diff --git a/‎docs/data-sources/credential.md‎
Lines changed: 176 additions & 0 deletions b/‎docs/data-sources/credential.md‎
Lines changed: 176 additions & 0 deletions
diff --git a/‎docs/resources/credential.md‎
Lines changed: 222 additions & 0 deletions b/‎docs/resources/credential.md‎
Lines changed: 222 additions & 0 deletions
@@ -0,0 +1,176 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "smallstep_credential Data Source - terraform-provider-smallstep"
+subcategory: ""
+description: |-
+  A certificate key pair.
+---
+
+# smallstep_credential (Data Source)
+
+A certificate key pair.
+
+## Example Usage
+
+```terraform
+data "smallstep_credential" "device_cred" {
+  id = "b63cd688-c803-4e32-babe-e5940b4bd832"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `id` (String) A UUID identifying this credential. Read only.
+
+### Read-Only
+
+- `certificate` (Attributes) Configuration for the certificate of a managed credential. (see [below for nested schema](#nestedatt--certificate))
+- `files` (Attributes) Configuration for files that will be written when a managed credential is issued. (see [below for nested schema](#nestedatt--files))
+- `key` (Attributes) The attributes of the cryptographic key. Key `type` and `protection` are required unless the `pubFile` is set. (see [below for nested schema](#nestedatt--key))
+- `policy` (Attributes) Policy to select the devices an account is assigned to. An empty policy indicates an account will be provisioned for all devices. (see [below for nested schema](#nestedatt--policy))
+- `slug` (String)
+
+<a id="nestedatt--certificate"></a>
+### Nested Schema for `certificate`
+
+Read-Only:
+
+- `authority_id` (String) A UUID identifying the authority that issues certificates for the credential.
+- `duration` (String) The certificate lifetime. Parsed as a [Golang duration](https://pkg.go.dev/time#ParseDuration).
+- `x509` (Attributes) Populate certificate fields using using static names or device metadata. (see [below for nested schema](#nestedatt--certificate--x509))
+
+<a id="nestedatt--certificate--x509"></a>
+### Nested Schema for `certificate.x509`
+
+Read-Only:
+
+- `common_name` (Attributes) (see [below for nested schema](#nestedatt--certificate--x509--common_name))
+- `country` (Attributes) (see [below for nested schema](#nestedatt--certificate--x509--country))
+- `locality` (Attributes) (see [below for nested schema](#nestedatt--certificate--x509--locality))
+- `organization` (Attributes) (see [below for nested schema](#nestedatt--certificate--x509--organization))
+- `organizational_unit` (Attributes) (see [below for nested schema](#nestedatt--certificate--x509--organizational_unit))
+- `postal_code` (Attributes) (see [below for nested schema](#nestedatt--certificate--x509--postal_code))
+- `province` (Attributes) (see [below for nested schema](#nestedatt--certificate--x509--province))
+- `sans` (Attributes) (see [below for nested schema](#nestedatt--certificate--x509--sans))
+- `street_address` (Attributes) (see [below for nested schema](#nestedatt--certificate--x509--street_address))
+
+<a id="nestedatt--certificate--x509--common_name"></a>
+### Nested Schema for `certificate.x509.common_name`
+
+Read-Only:
+
+- `device_metadata` (String) A value populated from a key in the device's metadata. The special value `smallstep:identity` refers to the device's assigned user. If no value is found in the device's metadata at the specified key then the static value will be used.
+- `static` (String) A literal value.
+
+
+<a id="nestedatt--certificate--x509--country"></a>
+### Nested Schema for `certificate.x509.country`
+
+Read-Only:
+
+- `device_metadata` (List of String) Values populated from keys in the device's metadata. The special value `smallstep:identity` refers to the device's assigned user.
+- `static` (List of String) Literal values.
+
+
+<a id="nestedatt--certificate--x509--locality"></a>
+### Nested Schema for `certificate.x509.locality`
+
+Read-Only:
+
+- `device_metadata` (List of String) Values populated from keys in the device's metadata. The special value `smallstep:identity` refers to the device's assigned user.
+- `static` (List of String) Literal values.
+
+
+<a id="nestedatt--certificate--x509--organization"></a>
+### Nested Schema for `certificate.x509.organization`
+
+Read-Only:
+
+- `device_metadata` (List of String) Values populated from keys in the device's metadata. The special value `smallstep:identity` refers to the device's assigned user.
+- `static` (List of String) Literal values.
+
+
+<a id="nestedatt--certificate--x509--organizational_unit"></a>
+### Nested Schema for `certificate.x509.organizational_unit`
+
+Read-Only:
+
+- `device_metadata` (List of String) Values populated from keys in the device's metadata. The special value `smallstep:identity` refers to the device's assigned user.
+- `static` (List of String) Literal values.
+
+
+<a id="nestedatt--certificate--x509--postal_code"></a>
+### Nested Schema for `certificate.x509.postal_code`
+
+Read-Only:
+
+- `device_metadata` (List of String) Values populated from keys in the device's metadata. The special value `smallstep:identity` refers to the device's assigned user.
+- `static` (List of String) Literal values.
+
+
+<a id="nestedatt--certificate--x509--province"></a>
+### Nested Schema for `certificate.x509.province`
+
+Read-Only:
+
+- `device_metadata` (List of String) Values populated from keys in the device's metadata. The special value `smallstep:identity` refers to the device's assigned user.
+- `static` (List of String) Literal values.
+
+
+<a id="nestedatt--certificate--x509--sans"></a>
+### Nested Schema for `certificate.x509.sans`
+
+Read-Only:
+
+- `device_metadata` (List of String) Values populated from keys in the device's metadata. The special value `smallstep:identity` refers to the device's assigned user.
+- `static` (List of String) Literal values.
+
+
+<a id="nestedatt--certificate--x509--street_address"></a>
+### Nested Schema for `certificate.x509.street_address`
+
+Read-Only:
+
+- `device_metadata` (List of String) Values populated from keys in the device's metadata. The special value `smallstep:identity` refers to the device's assigned user.
+- `static` (List of String) Literal values.
+
+
+
+
+<a id="nestedatt--files"></a>
+### Nested Schema for `files`
+
+Read-Only:
+
+- `crt_file` (String) The filepath where the certificate is to be stored.
+- `gid` (Number) GID of the files where the credential is stored.
+- `key_file` (String) The filepath where the key is to be stored.
+- `key_format` (String) The format used to encode the private key. For X509 keys the default format is PKCS#8. The classic format is PKCS#1 for RSA keys, SEC 1 for ECDSA keys, and PKCS#8 for ED25519 keys. For SSH keys the default format is always the OPENSSH format. When a hardware module is used to store the keys the default will be a JSON representation of the key, except on Linux tss2 will be used. Allowed values: `DEFAULT` `PKCS8` `OPENSSH` `TSS2` `CLASSIC`
+- `mode` (Number) Permission bits of the files where the credential is stored.
+- `root_file` (String) The filepath where the root certificate is to be stored.
+- `uid` (Number) UID of the files where the credential is stored.
+
+
+<a id="nestedatt--key"></a>
+### Nested Schema for `key`
+
+Read-Only:
+
+- `protection` (String) Whether to use a hardware module to store the private key. If set to `NONE` no hardware module will be used. `HARDWARE_WITH_FALLBACK` can only be used with the key file format `DEFAULT`. Allowed values: `NONE` `HARDWARE` `HARDWARE_WITH_FALLBACK` `HARDWARE_ATTESTED`
+- `pub_file` (String) A CSR or SSH public key to use instead of generating one. Cannot be used in conjunction with key type, key protection, key file or key file format.
+- `type` (String) The key type used. The current default type is `ECDSA_P256` but is not fixed at the time the credential resource is created - new keys generated for this credential in the future may have a different type. Allowed values: `DEFAULT` `ECDSA_P256` `ECDSA_P384` `ECDSA_P521` `RSA_2048` `RSA_3072` `RSA_4096` `ED25519`
+
+
+<a id="nestedatt--policy"></a>
+### Nested Schema for `policy`
+
+Read-Only:
+
+- `assurance` (List of String) Assurance levels that devices must match. Allowed values: `normal` `high`
+- `os` (List of String) Operating systems that devices must match. Allowed values: `Linux` `Windows` `macOS` `iOS` `tvOS` `watchOS` `visionOS`
+- `ownership` (List of String) Ownership values that devices must match. Allowed values: `company` `user`
+- `source` (List of String) Registration sources that devices must match. Allowed values: `End-User` `Smallstep API` `Smallstep Agent` `Jamf` `Intune`
+- `tags` (List of String) Tags that devices must match.
@@ -0,0 +1,222 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "smallstep_credential Resource - terraform-provider-smallstep"
+subcategory: ""
+description: |-
+  A certificate key pair.
+---
+
+# smallstep_credential (Resource)
+
+A certificate key pair.
+
+## Example Usage
+
+```terraform
+resource "smallstep_credential" "test" {
+  slug = "slug"
+
+  certificate = {
+    authority_id = smallstep_authory.staging.id
+    duration     = "168h"
+    x509 = {
+      common_name = {
+        device_metadata = "smallstep:identity"
+      }
+      sans = {
+        device_metadata = ["smallstep:identity"]
+      }
+    }
+  }
+
+  key = {
+    type       = "ECDSA_P384"
+    protection = "HARDWARE_ATTESTED"
+  }
+
+  policy = {
+    os        = ["Linux"]
+    ownership = ["company"]
+  }
+
+  files = {
+    root_file = "/var/ssl/ca.pem"
+  }
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `certificate` (Attributes) Configuration for the certificate of a managed credential. (see [below for nested schema](#nestedatt--certificate))
+- `key` (Attributes) The attributes of the cryptographic key. Key `type` and `protection` are required unless the `pubFile` is set. (see [below for nested schema](#nestedatt--key))
+- `slug` (String)
+
+### Optional
+
+- `files` (Attributes) Configuration for files that will be written when a managed credential is issued. (see [below for nested schema](#nestedatt--files))
+- `policy` (Attributes) Policy to select the devices an account is assigned to. An empty policy indicates an account will be provisioned for all devices. (see [below for nested schema](#nestedatt--policy))
+
+### Read-Only
+
+- `id` (String) A UUID identifying this credential. Read only.
+
+<a id="nestedatt--certificate"></a>
+### Nested Schema for `certificate`
+
+Required:
+
+- `x509` (Attributes) Populate certificate fields using using static names or device metadata. (see [below for nested schema](#nestedatt--certificate--x509))
+
+Optional:
+
+- `authority_id` (String) A UUID identifying the authority that issues certificates for the credential.
+- `duration` (String) The certificate lifetime. Parsed as a [Golang duration](https://pkg.go.dev/time#ParseDuration).
+
+<a id="nestedatt--certificate--x509"></a>
+### Nested Schema for `certificate.x509`
+
+Required:
+
+- `common_name` (Attributes) (see [below for nested schema](#nestedatt--certificate--x509--common_name))
+
+Optional:
+
+- `country` (Attributes) (see [below for nested schema](#nestedatt--certificate--x509--country))
+- `locality` (Attributes) (see [below for nested schema](#nestedatt--certificate--x509--locality))
+- `organization` (Attributes) (see [below for nested schema](#nestedatt--certificate--x509--organization))
+- `organizational_unit` (Attributes) (see [below for nested schema](#nestedatt--certificate--x509--organizational_unit))
+- `postal_code` (Attributes) (see [below for nested schema](#nestedatt--certificate--x509--postal_code))
+- `province` (Attributes) (see [below for nested schema](#nestedatt--certificate--x509--province))
+- `sans` (Attributes) (see [below for nested schema](#nestedatt--certificate--x509--sans))
+- `street_address` (Attributes) (see [below for nested schema](#nestedatt--certificate--x509--street_address))
+
+<a id="nestedatt--certificate--x509--common_name"></a>
+### Nested Schema for `certificate.x509.common_name`
+
+Optional:
+
+- `device_metadata` (String) A value populated from a key in the device's metadata. The special value `smallstep:identity` refers to the device's assigned user. If no value is found in the device's metadata at the specified key then the static value will be used.
+- `static` (String) A literal value.
+
+
+<a id="nestedatt--certificate--x509--country"></a>
+### Nested Schema for `certificate.x509.country`
+
+Optional:
+
+- `device_metadata` (List of String) Values populated from keys in the device's metadata. The special value `smallstep:identity` refers to the device's assigned user.
+- `static` (List of String) Literal values.
+
+
+<a id="nestedatt--certificate--x509--locality"></a>
+### Nested Schema for `certificate.x509.locality`
+
+Optional:
+
+- `device_metadata` (List of String) Values populated from keys in the device's metadata. The special value `smallstep:identity` refers to the device's assigned user.
+- `static` (List of String) Literal values.
+
+
+<a id="nestedatt--certificate--x509--organization"></a>
+### Nested Schema for `certificate.x509.organization`
+
+Optional:
+
+- `device_metadata` (List of String) Values populated from keys in the device's metadata. The special value `smallstep:identity` refers to the device's assigned user.
+- `static` (List of String) Literal values.
+
+
+<a id="nestedatt--certificate--x509--organizational_unit"></a>
+### Nested Schema for `certificate.x509.organizational_unit`
+
+Optional:
+
+- `device_metadata` (List of String) Values populated from keys in the device's metadata. The special value `smallstep:identity` refers to the device's assigned user.
+- `static` (List of String) Literal values.
+
+
+<a id="nestedatt--certificate--x509--postal_code"></a>
+### Nested Schema for `certificate.x509.postal_code`
+
+Optional:
+
+- `device_metadata` (List of String) Values populated from keys in the device's metadata. The special value `smallstep:identity` refers to the device's assigned user.
+- `static` (List of String) Literal values.
+
+
+<a id="nestedatt--certificate--x509--province"></a>
+### Nested Schema for `certificate.x509.province`
+
+Optional:
+
+- `device_metadata` (List of String) Values populated from keys in the device's metadata. The special value `smallstep:identity` refers to the device's assigned user.
+- `static` (List of String) Literal values.
+
+
+<a id="nestedatt--certificate--x509--sans"></a>
+### Nested Schema for `certificate.x509.sans`
+
+Optional:
+
+- `device_metadata` (List of String) Values populated from keys in the device's metadata. The special value `smallstep:identity` refers to the device's assigned user.
+- `static` (List of String) Literal values.
+
+
+<a id="nestedatt--certificate--x509--street_address"></a>
+### Nested Schema for `certificate.x509.street_address`
+
+Optional:
+
+- `device_metadata` (List of String) Values populated from keys in the device's metadata. The special value `smallstep:identity` refers to the device's assigned user.
+- `static` (List of String) Literal values.
+
+
+
+
+<a id="nestedatt--key"></a>
+### Nested Schema for `key`
+
+Optional:
+
+- `protection` (String) Whether to use a hardware module to store the private key. If set to `NONE` no hardware module will be used. `HARDWARE_WITH_FALLBACK` can only be used with the key file format `DEFAULT`. Allowed values: `NONE` `HARDWARE` `HARDWARE_WITH_FALLBACK` `HARDWARE_ATTESTED`
+- `pub_file` (String) A CSR or SSH public key to use instead of generating one. Cannot be used in conjunction with key type, key protection, key file or key file format.
+- `type` (String) The key type used. The current default type is `ECDSA_P256` but is not fixed at the time the credential resource is created - new keys generated for this credential in the future may have a different type. Allowed values: `DEFAULT` `ECDSA_P256` `ECDSA_P384` `ECDSA_P521` `RSA_2048` `RSA_3072` `RSA_4096` `ED25519`
+
+
+<a id="nestedatt--files"></a>
+### Nested Schema for `files`
+
+Optional:
+
+- `crt_file` (String) The filepath where the certificate is to be stored.
+- `gid` (Number) GID of the files where the credential is stored.
+- `key_file` (String) The filepath where the key is to be stored.
+- `key_format` (String) The format used to encode the private key. For X509 keys the default format is PKCS#8. The classic format is PKCS#1 for RSA keys, SEC 1 for ECDSA keys, and PKCS#8 for ED25519 keys. For SSH keys the default format is always the OPENSSH format. When a hardware module is used to store the keys the default will be a JSON representation of the key, except on Linux tss2 will be used. Allowed values: `DEFAULT` `PKCS8` `OPENSSH` `TSS2` `CLASSIC`
+- `mode` (Number) Permission bits of the files where the credential is stored.
+- `root_file` (String) The filepath where the root certificate is to be stored.
+- `uid` (Number) UID of the files where the credential is stored.
+
+
+<a id="nestedatt--policy"></a>
+### Nested Schema for `policy`
+
+Optional:
+
+- `assurance` (List of String) Assurance levels that devices must match. Allowed values: `normal` `high`
+- `os` (List of String) Operating systems that devices must match. Allowed values: `Linux` `Windows` `macOS` `iOS` `tvOS` `watchOS` `visionOS`
+- `ownership` (List of String) Ownership values that devices must match. Allowed values: `company` `user`
+- `source` (List of String) Registration sources that devices must match. Allowed values: `End-User` `Smallstep API` `Smallstep Agent` `Jamf` `Intune`
+- `tags` (List of String) Tags that devices must match.
+
+## Import
+
+Import is supported using the following syntax:
+
+The [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import) can be used, for example:
+
+```shell
+terraform import smallstep_credential.device_cred c1161f78-d251-401e-b17c-fe38fc26ae7b
+```