Hold Your Own Key (HYOK) API Documentation #588
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…g onto api endpoints next
…ed to clean this up and add descriptions for the request bodies and such
|
|
Vercel Previews Deployed
|
Broken Link CheckerSummary
Errors per inputErrors in content/terraform-docs-common/docs/cloud-docs/api-docs/organizations.mdx |
dominic-retli-hashi
changed the title
| @@ -431,7 +431,8 @@ Properties without a default value are required. | |||
| | `data.attributes.assessments-enforced` | boolean | (false) | Whether or not to compel health assessments for all eligible workspaces. When true, health assessments occur on all compatible workspaces, regardless of the value of the workspace setting `assessments-enabled`. When false, health assessments only occur for workspaces that opt in by setting `assessments-enabled: true`. | | |||
| | `data.attributes.allow-force-delete-workspaces` | boolean | (false) | Whether workspace administrators can [delete workspaces with resources under management](/terraform/enterprise/users-teams-organizations/organizations#general). If false, only organization owners may delete these workspaces. | | |||
| | `data.attributes.default-execution-mode` | string | `remote` | Which [execution mode](/terraform/enterprise/workspaces/settings#execution-mode) to use by default. Valid values are `remote`, `local`, and `agent`. | | |||
| | `data.attributes.default-agent-pool-id` | string | (previous value) | Required when `default-execution-mode` is set to `agent`. The ID of the agent pool belonging to the organization. Do _not_ specify this value if you set `execution-mode` to `remote` or `local`. | | |||
There was a problem hiding this comment.
I believe that these changes to existing files (organizations, plans, state versions, and workspaces) should all be in this directory https://github.com/hashicorp/web-unified-docs/tree/main/content/terraform-docs-common/docs/cloud-docs/api-docs
My understanding is that we only modify the terraform-enterprise directory when we need to change a specific TFE version's docs. Otherwise it gets automatically populated as part of the TFE release
...terraform-docs-common/docs/cloud-docs/api-docs/hold-your-own-key/aws-oidc-configurations.mdx
Outdated
Show resolved
Hide resolved
...terraform-docs-common/docs/cloud-docs/api-docs/hold-your-own-key/aws-oidc-configurations.mdx
Outdated
Show resolved
Hide resolved
...terraform-docs-common/docs/cloud-docs/api-docs/hold-your-own-key/aws-oidc-configurations.mdx
Show resolved
Hide resolved
...terraform-docs-common/docs/cloud-docs/api-docs/hold-your-own-key/aws-oidc-configurations.mdx
Outdated
Show resolved
Hide resolved
...rraform-docs-common/docs/cloud-docs/api-docs/hold-your-own-key/azure-oidc-configurations.mdx
Outdated
Show resolved
Hide resolved
content/terraform-enterprise/v202507-1/docs/enterprise/api-docs/organizations.mdx
Outdated
Show resolved
Hide resolved
content/terraform-enterprise/v202507-1/docs/enterprise/api-docs/plans.mdx
Outdated
Show resolved
Hide resolved
| @@ -65,6 +66,7 @@ Some of the information returned in a state version API object might be **popula | |||
| | `terraform-version` | The Terraform version that created this state. Populated asynchronously. | | |||
| | `vcs-commit-sha` | The SHA of the configuration commit used in the Terraform run that produced this state. Only present if the workspace is connected to a VCS repository. | | |||
| | `vcs-commit-url` | A link to the configuration commit used in the Terraform run that produced this state. Only present if the workspace is connected to a VCS repository. | | |||
| | `hyok-encrypted-data-key` | A reference | | |||
There was a problem hiding this comment.
Is this missing some information here? 🤔
content/terraform-enterprise/v202507-1/docs/enterprise/api-docs/state-versions.mdx
Outdated
Show resolved
Hide resolved
content/terraform-enterprise/v202507-1/docs/enterprise/api-docs/workspaces.mdx
Outdated
Show resolved
Hide resolved
Co-authored-by: Julianna <[email protected]>
…larity Co-authored-by: Julianna <[email protected]>
Co-authored-by: Julianna <[email protected]>
Co-authored-by: Julianna <[email protected]>
Co-authored-by: Julianna <[email protected]>
….com:hashicorp/web-unified-docs into dominicretli/TF-26977/hyok-api-documentation
Comment on lines
+104
to
+116
| { | ||
| "title": "Hold Your Own Key", | ||
| "routes": [ | ||
| { "title": "Hold Your Own Key", "path": "api-docs/hold-your-own-key/hold-your-own-key" }, | ||
| { "title": "Configurations", "path": "api-docs/hold-your-own-key/hyok-configurations" }, | ||
| { "title": "Customer Key Versions", "path": "api-docs/hold-your-own-key/hyok-customer-key-versions" }, | ||
| { "title": "Encrypted Data Keys", "path": "api-docs/hold-your-own-key/hyok-encrypted-data-keys" }, | ||
| { "title": "Vault OIDC Configurations", "path": "api-docs/hold-your-own-key/vault-oidc-configurations" }, | ||
| { "title": "AWS OIDC Configurations", "path": "api-docs/hold-your-own-key/aws-oidc-configurations" }, | ||
| { "title": "Azure OIDC Configurations", "path": "api-docs/hold-your-own-key/azure-oidc-configurations" }, | ||
| { "title": "GCP OIDC Configurations", "path": "api-docs/hold-your-own-key/gcp-oidc-configurations" } | ||
| ] | ||
| }, |
There was a problem hiding this comment.
@rkoron007 or @robin-norwood do you know if it's possible to have these pages only appear for the HCP Terraform docs, but not for TFE? I see how to do individual sections of a page (with the <!-- BEGIN: TFC:only name:whatever-->) but Im not sure if we can exclude entire pages?
| [JSON API error object]: https://jsonapi.org/format/#error-objects | ||
|
|
||
| # AWS OIDC Configuration API reference | ||
|
|
There was a problem hiding this comment.
It could be worth calling out that these configurations are only available on HCP Terraform (not TFE), and that they require Premium Tier
Suggested change
| Hold Your Own Key (HYOK) is only available on the [HCP Terraform Premium plan](https://www.hashicorp.com/en/pricing?tab=terraform. This includes the management of OIDC configurations. | |
| [JSON API error object]: https://jsonapi.org/format/#error-objects | ||
|
|
||
| # Azure OIDC Configuration API reference | ||
|
|
There was a problem hiding this comment.
Suggested change
| Hold Your Own Key (HYOK) is only available on the [HCP Terraform Premium plan](https://www.hashicorp.com/en/pricing?tab=terraform. This includes the management of OIDC configurations. | |
| [JSON API error object]: https://jsonapi.org/format/#error-objects | ||
|
|
||
| # GCP OIDC Configuration API reference | ||
|
|
There was a problem hiding this comment.
Suggested change
| Hold Your Own Key (HYOK) is only available on the [HCP Terraform Premium plan](https://www.hashicorp.com/en/pricing?tab=terraform. This includes the management of OIDC configurations. | |
| --- | ||
|
|
||
| # Hold Your Own Key (HYOK) API Reference | ||
| Hold Your Own Key, or HYOK, lets you authenticate your own Key Management System (KMS) to encrypt HCP Terraform state and plan data. HCP Terraform agents do the actual work of securing and encrypting artifacts, so neither your key (from your KMS), nor unencrypted secrets need to be uploaded to HCP Terraform, and no out-of-network traffic needs to hit your KMS. |
There was a problem hiding this comment.
Suggested change
| Hold Your Own Key, or HYOK, lets you authenticate your own Key Management System (KMS) to encrypt HCP Terraform state and plan data. HCP Terraform agents do the actual work of securing and encrypting artifacts, so neither your key (from your KMS), nor unencrypted secrets need to be uploaded to HCP Terraform, and no out-of-network traffic needs to hit your KMS. | |
| Hold Your Own Key, or HYOK, lets you authenticate your own Key Management System (KMS) to encrypt HCP Terraform state and plan data. HCP Terraform agents do the actual work of securing and encrypting artifacts, so neither your key (from your KMS), nor unencrypted secrets need to be uploaded to HCP Terraform, and no out-of-network traffic needs to hit your KMS. | |
| HYOK is only available on the [HCP Terraform Premium plan](https://www.hashicorp.com/en/pricing?tab=terraform.) | |
| | `hosted-json-state-upload-url` | A URL to which you can upload state data in a [stable format](/terraform/internals/json-format) appropriate for external integrations to consume. You can upload JSON state content once per state version. | | ||
| | `hosted-state-upload-url` | A URL to which you can upload state data in the format used Terraform uses internally. You can upload state data once per state version. | | ||
| | `hyok-encrypted-data-key` | A reference to the HYOK encrypted data key used to secure this state version. | |
There was a problem hiding this comment.
Suggested change
| | `hyok-encrypted-data-key` | A reference to the HYOK encrypted data key used to secure this state version. | | |
| | `hyok-encrypted-data-key` | A reference to the HYOK encrypted data key used to secure this state version. HCP Terraform only, requires the [HCP Terraform Premium plan](https://www.hashicorp.com/en/pricing?tab=terraform.) | |
| @@ -141,6 +141,7 @@ By supplying the necessary attributes under a `vcs-repository` object, you can c | |||
| | `data.attributes.vcs-repo` | object | none | Settings for the workspace's VCS repository. If omitted, the workspace is created without a VCS repo. If included, you must specify at least the `oauth-token-id` and `identifier` keys. | | |||
| | `data.attributes.working-directory` | string | (nothing) | A relative path that Terraform will execute within. This defaults to the root of your repository and is typically set to a subdirectory matching the environment when multiple environments exist within the same repository. | | |||
| | `data.attributes.setting-overwrites` | object | none | The keys in this object are attributes that have project-level defaults. Each attribute key stores a boolean value which is `false` by default. To overwrite the default inherited value, set an attribute's value to `true`. For example, to set `execution-mode` as the project default, set `setting-overwrites.execution-mode` to `true`. | | |||
| | `data.attributes.hyok-enabled` | boolean | `false` | Whether this workspace will secure HCP Terraform artifacts using Hold Your Own Key (HYOK) encryption. Once enabled, this can not be disabled. | | |||
There was a problem hiding this comment.
Suggested change
| | `data.attributes.hyok-enabled` | boolean | `false` | Whether this workspace will secure HCP Terraform artifacts using Hold Your Own Key (HYOK) encryption. Once enabled, this can not be disabled. | | |
| | `data.attributes.hyok-enabled` | boolean | `false` | Whether this workspace will secure HCP Terraform artifacts using Hold Your Own Key (HYOK) encryption. Once enabled, this can not be disabled. HCP Terraform only, requires the [HCP Terraform Premium plan](https://www.hashicorp.com/en/pricing?tab=terraform.) | |
|
|
||
| | Key path | Type | Default | Description | | ||
| | -------------------------------- | ------- | --------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | ||
| | `data.type` | string | | Must be `"azure-oidc-configurations"`. | |
There was a problem hiding this comment.
I think it would be worth including the required attributes here.
Suggested change
| | `data.type` | string | | Must be `"azure-oidc-configurations"`. | | |
| | `data.type` | string | | Must be `"azure-oidc-configurations"`. | | |
| | `data.attributes.client-id` | string | | The Client (or Application) ID of your Entra ID application. | | |
| | `data.attributes.subscription-id` | string | | The ID of your Azure subscription. | | |
| | `data.attributes.client-id` | string | | The Tenant (or Directory) ID of your Entra ID application. | |
|
|
||
| | Key path | Type | Default | Description | | ||
| | -------------------------------- | ------- | --------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | ||
| | `data.type` | string | | Must be `"gcp-oidc-configurations"`. | |
There was a problem hiding this comment.
Suggested change
| | `data.type` | string | | Must be `"gcp-oidc-configurations"`. | | |
| | `data.type` | string | | Must be `"gcp-oidc-configurations"`. | | |
| | `data.attributes.service-account-email` | string | | The email of your GCP service account, with permissions to encrypt and decrypt using a Cloud KMS key. | | |
| | `data.attributes.workload-provider-name` | string | | The fully qualifies workload provider path. This should be in the format `projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}`| | |
| | `data.attributes.project-number` | string | | The GCP Project containing the workload provider and service account. | | |
|
|
||
| | Key path | Type | Default | Description | | ||
| | -------------------------------- | ------- | --------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | ||
| | `data.type` | string | | Must be `"vault-oidc-configurations"`. | |
There was a problem hiding this comment.
Suggested change
| | `data.type` | string | | Must be `"vault-oidc-configurations"`. | | |
| | `data.type` | string | | Must be `"vault-oidc-configurations"`. | | |
| | `data.attributes.address` | string | | The full address of your Vault instance. | | |
| | `data.attributes.role ` | string | | The name of a role in your Vault JWT auth path, with permission to encrypt and decrypt with a Transit secrets engine key | | |
| | `data.attributes.namespace ` | string | | The namespace your JWT auth path is mounted in. | | |
| | `data.attributes.auth-path ` | string | | The mounting path of JWT auth path of JWT auth. Defaults to `"jwt"` | | |
| | `data.attributes.encoded-cacert ` | string | | (Optional) A base64 encoded certificate which can be used to authenticate your Vault certificate. Only needed for self-hosted Vault Enterprise instances with a self-signed certificate. | | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
https://hashicorp.atlassian.net/jira/software/c/projects/TF/boards/438?selectedIssue=TF-26977