
Commit 4f9e7cb

Merge pull request #70 from fortanix/EXTREQ-1013
On branch EXTREQ-1013
2 parents 8ebedb8 + ab5d1af commit 4f9e7cb


3 files changed

+612
-0
lines changed

Lines changed: 314 additions & 0 deletions
@@ -0,0 +1,314 @@
1+
# dsm\_app_non_api_key
2+
3+
## dsm\_app_non_api_key
4+
5+
Returns the Fortanix DSM App from the cluster as a resource
6+
7+
## Usage Reference
8+
9+
10+
11+
```
12+
13+
locals {
14+
app_other_group_permissions = zipmap(
15+
[
16+
dsm_group.group1.group_id,
17+
"<group_id>"
18+
],
19+
[
20+
"SIGN,VERIFY,ENCRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT,TRANSFORM",
21+
"SIGN,VERIFY,DECRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT,TRANSFORM"
22+
]
23+
)
24+
}
25+
```
26+
How to create an AWS XKS app?
27+
```
28+
resource "dsm_app_non_api_key" "app" {
29+
name = <app_name>
30+
default_group = <group_id>
31+
other_group = [<group_id>,<group_id>]
32+
description = <app_description>
33+
other_group_permissions = local.app_other_group_permissions
34+
authentication_method = {
35+
type = "awsxks"
36+
}
37+
}
38+
```
39+
How to create an AWS IAM app?
40+
```
41+
resource "dsm_app_non_api_key" "app" {
42+
name = <app_name>
43+
default_group = <group_id>
44+
other_group = [<group_id>,<group_id>]
45+
description = <app_description>
46+
other_group_permissions = local.app_other_group_permissions
47+
authentication_method = {
48+
type = "awsiam"
49+
}
50+
}
51+
```
52+
How to create a Certificate app?
53+
```
54+
resource "dsm_app_non_api_key" "app" {
55+
name = <app_name>
56+
default_group = <group_id>
57+
other_group = [<group_id>,<group_id>]
58+
description = <app_description>
59+
other_group_permissions = local.app_other_group_permissions
60+
authentication_method = {
61+
type = "certificate"
62+
certificate = "<certificate_value>"
63+
}
64+
}
65+
```
66+
How to create a Trusted CA app?
67+
```
68+
Example of IP address
69+
70+
resource "dsm_app_non_api_key" "app" {
71+
name = <app_name>
72+
default_group = <group_id>
73+
other_group = [<group_id>,<group_id>]
74+
description = <app_description>
75+
other_group_permissions = local.app_other_group_permissions
76+
authentication_method = {
77+
type = "trustedca"
78+
ca_certificate = "<certificate_value>"
79+
ip_address = "<ip_address>"
80+
}
81+
}
82+
83+
Example of DNS name
84+
85+
resource "dsm_app_non_api_key" "app" {
86+
name = <app_name>
87+
default_group = <group_id>
88+
other_group = [<group_id>,<group_id>]
89+
description = <app_description>
90+
other_group_permissions = local.app_other_group_permissions
91+
authentication_method = {
92+
type = "trustedca"
93+
ca_certificate = "<certificate_value>"
94+
dns_name = "<dns_name>"
95+
}
96+
}
97+
```
98+
99+
100+
## Update the App
101+
102+
```
103+
104+
locals {
105+
app_mod_group_permissions = zipmap(
106+
[
107+
dsm_group.group1.group_id,
108+
"<group_id>"
109+
],
110+
[
111+
"SIGN,VERIFY,ENCRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT,TRANSFORM",
112+
"SIGN,VERIFY,DECRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT,TRANSFORM"
113+
]
114+
)
115+
}
116+
117+
118+
resource "dsm_app_non_api_key" "app" {
119+
name = <app_name>
120+
default_group = <group_id>
121+
description = <app_description>
122+
other_group = [<group_id>,<group_id>]
123+
/* add the new groups: just add the new group_ids in this array.
124+
* delete the existing groups: just remove group_id from this array.
125+
*/
126+
other_group_permissions = local.app_other_group_permissions
127+
mod_group_permissions = local.app_mod_group_permissions
128+
}
129+
130+
```
131+
132+
How to create an AWS XKS app?
133+
```
134+
resource "dsm_app_non_api_key" "app" {
135+
name = <app_name>
136+
default_group = <group_id>
137+
other_group = [<group_id>,<group_id>]
138+
description = <app_description>
139+
authentication_method = {
140+
type = "awsxks"
141+
}
142+
/* add the new groups: just add the new group_ids in this array.
143+
* delete the existing groups: just remove group_id from this array.
144+
*/
145+
other_group_permissions = local.app_other_group_permissions
146+
mod_group_permissions = local.app_mod_group_permissions
147+
}
148+
```
149+
How to create an AWS IAM app?
150+
```
151+
resource "dsm_app_non_api_key" "app" {
152+
name = <app_name>
153+
default_group = <group_id>
154+
other_group = [<group_id>,<group_id>]
155+
description = <app_description>
156+
other_group_permissions = local.app_other_group_permissions
157+
authentication_method = {
158+
type = "awsiam"
159+
}
160+
/* add the new groups: just add the new group_ids in this array.
161+
* delete the existing groups: just remove group_id from this array.
162+
*/
163+
other_group_permissions = local.app_other_group_permissions
164+
mod_group_permissions = local.app_mod_group_permissions
165+
}
166+
```
167+
How to create a Certificate app?
168+
```
169+
resource "dsm_app_non_api_key" "app" {
170+
name = <app_name>
171+
default_group = <group_id>
172+
other_group = [<group_id>,<group_id>]
173+
description = <app_description>
174+
other_group_permissions = local.app_other_group_permissions
175+
authentication_method = {
176+
type = "certificate"
177+
certificate = "<certificate_value>"
178+
}
179+
/* add the new groups: just add the new group_ids in this array.
180+
* delete the existing groups: just remove group_id from this array.
181+
*/
182+
other_group_permissions = local.app_other_group_permissions
183+
mod_group_permissions = local.app_mod_group_permissions
184+
}
185+
```
186+
How to create a Trusted CA app?
187+
```
188+
Example of IP address
189+
190+
resource "dsm_app_non_api_key" "app" {
191+
name = <app_name>
192+
default_group = <group_id>
193+
other_group = [<group_id>,<group_id>]
194+
description = <app_description>
195+
other_group_permissions = local.app_other_group_permissions
196+
authentication_method = {
197+
type = "trustedca"
198+
ca_certificate = "<certificate_value>"
199+
ip_address = "<ip_address>"
200+
}
201+
/* add the new groups: just add the new group_ids in this array.
202+
* delete the existing groups: just remove group_id from this array.
203+
*/
204+
other_group_permissions = local.app_other_group_permissions
205+
mod_group_permissions = local.app_mod_group_permissions
206+
}
207+
208+
Example of DNS name
209+
210+
resource "dsm_app_non_api_key" "app" {
211+
name = <app_name>
212+
default_group = <group_id>
213+
other_group = [<group_id>,<group_id>]
214+
description = <app_description>
215+
other_group_permissions = local.app_other_group_permissions
216+
authentication_method = {
217+
type = "trustedca"
218+
ca_certificate = "<certificate_value>"
219+
dns_name = "<dns_name>"
220+
}
221+
/* add the new groups: just add the new group_ids in this array.
222+
* delete the existing groups: just remove group_id from this array.
223+
*/
224+
other_group_permissions = local.app_other_group_permissions
225+
mod_group_permissions = local.app_mod_group_permissions
226+
}
227+
```
228+
229+
230+
## Argument Reference
231+
232+
The following arguments are supported in the `dsm_app_non_api_key` resource block:
233+
234+
* **name**: The Fortanix DSM App name
235+
* **default_group**: The Fortanix DSM group object id to be mapped to the app by default
236+
* _**other_group (optional)**_: The Fortanix DSM group object id the app needs to be assigned to. If you want to
237+
delete the existing groups from an app, remove the ids during update.
238+
* _**description (optional)**_: The description of the app
239+
* _**other_group_permissions(optional)**_: Incase if you want to change the default permissions of a new group.
240+
* _**mod_group_permissions (optional)**_: To modify the permissions of any existing group
241+
* * _**authentication_method**_: To modify the permissions of any existing group
242+
* _**type**_: Following authentication types are supported.
243+
* awsxks
244+
* awsiam
245+
* certificate
246+
* trustedca
247+
* _**certificate**_: Certificate value, this should be configured when the type is certificate
248+
* _**ca_certificate**_: CA certificate value, this should be configure when the type is trustedca
249+
* One of the following values should be configured when the type is trustedca
250+
* _**ip_address**_: IP address value for trusted ca
251+
* _**dns_name**_: DNS name for trusted ca
252+
253+
```
254+
other_group_permissions example:
255+
256+
A variable should be declared as locals. Here it is named as app_other_group_permissions. Please follow the below
257+
varaible reference to provide the permissions. For each group_id permissions should be given in a string format. Permissions
258+
are separated by comma(","). Count of group_ids and permission strings should be same.
259+
First group_id in the first array will match to first string in the second array and so on.
260+
261+
other_group_permissions = local.app_other_group_permissions
262+
263+
locals {
264+
app_other_group_permissions = zipmap(
265+
[
266+
dsm_group.group1.group_id,
267+
"<group_id>"
268+
],
269+
[
270+
"SIGN,VERIFY,ENCRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT,TRANSFORM",
271+
"SIGN,VERIFY,DECRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT,TRANSFORM"
272+
]
273+
)
274+
}
275+
276+
mod_group_permissions example:
277+
278+
A variable should be declared as locals. Here it is named as app_other_group_permissions. Please follow the below
279+
varaible reference to provide the permissions. For each group_id permissions should be given in a string format.
280+
Permissions are separated by comma(","). Count of group_ids and permission strings should be same.
281+
First group_id in the first array will match to first string in the second array and so on.
282+
283+
locals {
284+
app_mod_group_permissions = zipmap(
285+
[
286+
dsm_group.group1.group_id,
287+
"<group_id>"
288+
],
289+
[
290+
"SIGN,VERIFY,ENCRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT,TRANSFORM",
291+
"SIGN,VERIFY,DECRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT,TRANSFORM"
292+
]
293+
)
294+
}
295+
296+
mod_group_permissions = local.app_mod_group_permissions
297+
```
298+
299+
300+
## Attribute Reference
301+
302+
The following attributes are stored in the `dsm_app_non_api_key` resource block:
303+
304+
* **id**: The unique ID of object from Terraform (matches the `app_id` from resource block)
305+
* **name**: The App name from Fortanix DSM (matches the name provided during creation)
306+
* **app\_id**: The unique ID of the app from Terraform
307+
* **default\_group**: The default group name mapped to the Fortanix DSM app
308+
* **acct\_id**: The account ID from Fortanix DSM
309+
* **creator**: The creator of the group object from Fortanix DSM
310+
* **user**: If the group was created by a user, the computed value will be the matching user id
311+
* **app**: If the group was created by a app, the computed value will be the matching app id
312+
* **description**: The Fortanix DSM App description
313+
* **credential**: The Fortanix DSM App credential, AWS xks access and secret key will be stored
314+
* **authentication_method**_: The Authentication method details

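--- a/dsm/provider.go
+++ b/dsm/provider.go
@@ -101,6 +101,7 @@ func Provider() *schema.Provider {
 "dsm_acc_quorum_policy": resourceAccountQuorumPolicy(),
 "dsm_acc_crypto_policy": resourceAccountCryptoPolicy(),
 "dsm_plugin": resourcePlugin(),
+"dsm_app_non_api_key": resourceAppNonAPIKey(),
 },
 DataSourcesMap: map[string]*schema.Resource{
 "dsm_aws_group": dataSourceAWSGroup(),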
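Review bot: The `"dsm_app_non_api_key": resourceAppNonAPIKey()` registration pulls in a resource whose implementation is the third changed file and is not visible on this page, so the schema behind it cannot be checked here; the new documentation in the same commit states that the computed `credential` attribute holds the AWS XKS access and secret key. If that attribute is not declared with `Sensitive: true` in the resource schema, the secret is printed in plain text in `terraform plan`/`apply` output and logs in addition to being persisted in state, so the schema should mark it sensitive and the docs should say that the state file itself must be protected. It would also be worth confirming that `resourceAppNonAPIKey` registers a `Read` that re-fetches the credential rather than regenerating it, since a regenerating read would rotate the key on every refresh. The enclosing `Provider()` function starts before and ends after this hunk.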
