Add more examples (#16)

Use custom docs templates to support multiple examples.

Author: areed

CHANGELOG.md

@@ -1,3 +1,8 @@
+## 0.4.2
+
+CHANGES:
+* Add more examples to smallstep_device_collection and smallstep_workload docs.
+
 ## 0.4.1
 
 BUG FIXES:

docs/resources/device_collection.md

@@ -12,6 +12,52 @@ Configuration to create a new device collection.
 
 ## Example Usage
 
+### GCP VM Device Collection with GCE Instance
+
+```terraform
+resource "smallstep_device_collection" "gcp" {
+  slug         = "gce"
+  display_name = "GCE"
+  device_type  = "gcp-vm"
+  gcp_vm = {
+    service_accounts = ["[email protected]"]
+  }
+  admin_emails = ["[email protected]"]
+}
+
+data "google_compute_instance" "dbserver" {
+  name = "dbserver"
+  zone = "us-central1-b"
+}
+
+resource "smallstep_collection_instance" "dbserver" {
+  depends_on      = [smallstep_device_collection.gcp]
+  collection_slug = smallstep_device_collection.gcp.slug
+  id              = data.google_compute_instance.dbserver.instance_id
+  data = jsonencode({
+    "hostname"   = data.google_compute_instance.dbserver.name
+    "private_ip" = data.google_compute_instance.dbserver.network_interface.0.network_ip
+    "public_ip"  = data.google_compute_instance.dbserver.network_interface.0.access_config[0].nat_ip
+  })
+}
+```
+
+### TPM Device Collection
+
+```terraform
+resource "smallstep_device_collection" "tpm" {
+  slug         = "tmpservers"
+  display_name = "TPM Servers"
+  admin_emails = ["[email protected]"]
+  device_type  = "tpm"
+  tpm = {
+    attestor_roots = file("${path.module}/root.crt")
+  }
+}
+```
+
+### EC2 Device Collection
+
 ```terraform
 resource "smallstep_device_collection" "aws" {
   slug         = "ec2west"
@@ -23,19 +69,11 @@ resource "smallstep_device_collection" "aws" {
     disable_custom_sans = false
   }
 }
+```
 
-resource "smallstep_device_collection" "gcp" {
-  slug         = "gce"
-  display_name = "GCE"
-  admin_emails = ["[email protected]"]
-  device_type  = "gcp-vm"
-  gcp_vm = {
-    service_accounts    = ["[email protected]"]
-    project_ids         = ["prod-1234"]
-    disable_custom_sans = false
-  }
-}
+### Azure VM Device Collection
 
+```terraform
 resource "smallstep_device_collection" "azure" {
   slug         = "azure"
   display_name = "Azure VMs"
@@ -48,19 +86,6 @@ resource "smallstep_device_collection" "azure" {
     audience            = ""
   }
 }
-
-resource "smallstep_device_collection" "tpm" {
-  slug         = "tmpservers"
-  display_name = "TPM Servers"
-  admin_emails = ["[email protected]"]
-  device_type  = "tpm"
-  tpm = {
-    attestor_roots         = "-----BEGIN..."
-    attestor_intermediates = "-----BEGIN..."
-    force_cn               = false
-    require_eab            = false
-  }
-}
 ```
 
 <!-- schema generated by tfplugindocs -->
@@ -129,5 +154,3 @@ Optional:
 - `attestor_roots` (String) The pem-encoded list of certificates used to verify the attestation certificates submitted by agents. Ignored if the team already has an attestation authority. Required if the team does not already have an attestation authority.
 - `force_cn` (Boolean) Force one of the SANs to become the Common Name, if a Common Name is not provided.
 - `require_eab` (Boolean) Only ACME clients that have been preconfigured with valid EAB credentials will be able to create an account with this provisioner.
-
-

docs/resources/workload.md

@@ -12,14 +12,48 @@ A workload represents anything that uses a certificate.
 
 ## Example Usage
 
+### Generic Workload on EC2
+
+```terraform
+resource "smallstep_device_collection" "ec2_west" {
+  slug         = "ec2west"
+  display_name = "EC2 West"
+  device_type  = "aws-vm"
+  aws_vm = {
+    accounts = ["0123456789"]
+  }
+  admin_emails = ["[email protected]"]
+}
+
+resource "smallstep_workload" "generic" {
+  depends_on             = [smallstep_device_collection.ec2_west]
+  workload_type          = "generic"
+  device_collection_slug = resource.smallstep_device_collection.ec2_west.slug
+  slug                   = "ec2generic"
+  display_name           = "Generic Workload"
+  admin_emails           = ["[email protected]"]
+
+  certificate_info = {
+    type = "X509"
+  }
+
+  key_info = {
+    format = "DEFAULT"
+    type   = "ECDSA_P256"
+  }
+}
+```
+
+### Redis Workload with All Optionas
+
 ```terraform
 resource "smallstep_workload" "redis" {
-  depends_on             = [smallstep_device_collection.ec2_east]
-  device_collection_slug = resource.smallstep_device_collection.ec2_east.slug
+  depends_on             = [smallstep_device_collection.ec2_west]
+  device_collection_slug = resource.smallstep_device_collection.ec2_west.slug
   workload_type          = "redis"
-  slug                   = "redisec2east"
-  display_name           = "Redis EC2 East"
-  admin_emails           = ["andrew@smallstep.com"]
+  slug                   = "redisec2west"
+  display_name           = "Redis EC2 West"
+  admin_emails           = ["admin@example.com"]
 
   certificate_info = {
     type      = "X509"
@@ -171,5 +205,3 @@ Optional:
 - `pid_file` (String) File that holds the pid of the process to signal. Required when method is SIGNAL.
 - `signal` (Number) The signal to send to a process when a certificate should be reloaded. Required when method is SIGNAL.
 - `unit_name` (String) The systemd unit name to reload when a certificate should be reloaded. Required when method is DBUS.
-
-

examples/resources/smallstep_device_collection/aws.tf

@@ -0,0 +1,11 @@
+
+resource "smallstep_device_collection" "aws" {
+  slug         = "ec2west"
+  display_name = "EC2 West"
+  admin_emails = ["[email protected]"]
+  device_type  = "aws-vm"
+  aws_vm = {
+    accounts            = ["0123456789"]
+    disable_custom_sans = false
+  }
+}

examples/resources/smallstep_device_collection/azure.tf

@@ -0,0 +1,13 @@
+
+resource "smallstep_device_collection" "azure" {
+  slug         = "azure"
+  display_name = "Azure VMs"
+  admin_emails = ["[email protected]"]
+  device_type  = "azure-vm"
+  azure_vm = {
+    tenant_id           = "76543210"
+    resource_groups     = ["0123456789"]
+    disable_custom_sans = false
+    audience            = ""
+  }
+}

examples/resources/smallstep_device_collection/provider.tf

@@ -0,0 +1,19 @@
+# This file is not shown in example docs but is used for testing
+terraform {
+  required_providers {
+    smallstep = {
+      source = "smallstep/smallstep"
+    }
+    google = {
+      source  = "hashicorp/google"
+      version = "5.2.0"
+    }
+  }
+}
+
+provider "smallstep" {}
+
+provider "google" {
+  project = "prod-1234"
+  region  = "us-central1"
+}

examples/resources/smallstep_device_collection/resource.tf

@@ -1,49 +1,26 @@
 
-resource "smallstep_device_collection" "aws" {
-  slug         = "ec2west"
-  display_name = "EC2 West"
-  admin_emails = ["[email protected]"]
-  device_type  = "aws-vm"
-  aws_vm = {
-    accounts            = ["0123456789"]
-    disable_custom_sans = false
-  }
-}
-
 resource "smallstep_device_collection" "gcp" {
   slug         = "gce"
   display_name = "GCE"
-  admin_emails = ["[email protected]"]
   device_type  = "gcp-vm"
   gcp_vm = {
-    service_accounts    = ["[email protected]"]
-    project_ids         = ["prod-1234"]
-    disable_custom_sans = false
+    service_accounts = ["[email protected]"]
   }
+  admin_emails = ["[email protected]"]
 }
 
-resource "smallstep_device_collection" "azure" {
-  slug         = "azure"
-  display_name = "Azure VMs"
-  admin_emails = ["[email protected]"]
-  device_type  = "azure-vm"
-  azure_vm = {
-    tenant_id           = "76543210"
-    resource_groups     = ["0123456789"]
-    disable_custom_sans = false
-    audience            = ""
-  }
+data "google_compute_instance" "dbserver" {
+  name = "dbserver"
+  zone = "us-central1-b"
 }
 
-resource "smallstep_device_collection" "tpm" {
-  slug         = "tmpservers"
-  display_name = "TPM Servers"
-  admin_emails = ["[email protected]"]
-  device_type  = "tpm"
-  tpm = {
-    attestor_roots         = "-----BEGIN..."
-    attestor_intermediates = "-----BEGIN..."
-    force_cn               = false
-    require_eab            = false
-  }
+resource "smallstep_collection_instance" "dbserver" {
+  depends_on      = [smallstep_device_collection.gcp]
+  collection_slug = smallstep_device_collection.gcp.slug
+  id              = data.google_compute_instance.dbserver.instance_id
+  data = jsonencode({
+    "hostname"   = data.google_compute_instance.dbserver.name
+    "private_ip" = data.google_compute_instance.dbserver.network_interface.0.network_ip
+    "public_ip"  = data.google_compute_instance.dbserver.network_interface.0.access_config[0].nat_ip
+  })
 }

examples/resources/smallstep_device_collection/tpm.tf

@@ -0,0 +1,10 @@
+
+resource "smallstep_device_collection" "tpm" {
+  slug         = "tmpservers"
+  display_name = "TPM Servers"
+  admin_emails = ["[email protected]"]
+  device_type  = "tpm"
+  tpm = {
+    attestor_roots = file("${path.module}/root.crt")
+  }
+}

examples/resources/smallstep_workload/redis.tf

@@ -0,0 +1,58 @@
+
+resource "smallstep_workload" "redis" {
+  depends_on             = [smallstep_device_collection.ec2_west]
+  device_collection_slug = resource.smallstep_device_collection.ec2_west.slug
+  workload_type          = "redis"
+  slug                   = "redisec2west"
+  display_name           = "Redis EC2 West"
+  admin_emails           = ["[email protected]"]
+
+  certificate_info = {
+    type      = "X509"
+    duration  = "168h"
+    crt_file  = "db.crt"
+    key_file  = "db.key"
+    root_file = "ca.crt"
+    uid       = 1001
+    gid       = 999
+    mode      = 256
+  }
+
+  hooks = {
+    renew = {
+      shell = "/bin/sh"
+      before = [
+        "echo renewing",
+      ]
+      after = [
+        "echo renewed",
+      ]
+      on_error = [
+        "echo failed renew",
+      ]
+    }
+    sign = {
+      shell = "/bin/bash"
+      before = [
+        "echo signing",
+      ]
+      after = [
+        "echo signed",
+      ]
+      on_error = [
+        "echo failed sign",
+      ]
+    }
+  }
+
+  key_info = {
+    format = "DEFAULT"
+    type   = "ECDSA_P256"
+  }
+
+  reload_info = {
+    method   = "SIGNAL"
+    pid_file = "db.pid"
+    signal   = 1
+  }
+}