Identity and Identity auth resource

docs/resources/identity.md

@@ -0,0 +1,122 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "infisical_identity Resource - terraform-provider-infisical"
+subcategory: ""
+description: |-
+  Create and manage identity in Infisical.
+---
+
+# infisical_identity (Resource)
+
+Create and manage identity in Infisical.
+
+## Example Usage
+
+```terraform
+terraform {
+  required_providers {
+    infisical = {
+      # version = <latest version>
+      source = "infisical/infisical"
+    }
+  }
+}
+
+provider "infisical" {
+  host          = "https://app.infisical.com" # Only required if using self hosted instance of Infisical, default is https://app.infisical.com
+  client_id     = "<machine-identity-client-id>"
+  client_secret = "<machine-identity-client-secret>"
+}
+
+# universal authentication identity
+resource "infisical_identity" "universal-auth" {
+  name   = "universal-auth"
+  role   = "member"
+  org_id = "<org_id>"
+}
+
+resource "infisical_identity_universal_auth" "ua-auth" {
+  identity_id                 = infisical_identity.universal-auth.id
+  access_token_ttl            = 2592000
+  access_token_max_ttl        = 2592000 * 2
+  access_token_num_uses_limit = 3
+}
+
+resource "infisical_identity_universal_auth_client_secret" "client-secret" {
+  identity_id = infisical_identity.universal-auth.id
+
+  depends_on = [infisical_identity_universal_auth.ua-auth]
+}
+
+output "client_secret" {
+  sensitive = true
+  value     = infisical_identity_universal_auth_client_secret.client-secret.client_secret
+}
+
+resource "infisical_identity" "aws-auth" {
+  name   = "aws-auth"
+  role   = "member"
+  org_id = "<org_id>"
+}
+
+resource "infisical_identity_aws_auth" "aws-auth" {
+  identity_id                 = infisical_identity.aws-auth.id
+  access_token_ttl            = 2592000
+  access_token_max_ttl        = 2592000 * 2
+  access_token_num_uses_limit = 3
+  allowed_principal_arns      = ["arn:aws:iam::123456789012:user/MyUserName"]
+  allowed_account_ids         = ["123456789012", "123456789013"]
+}
+
+resource "infisical_identity" "azure-auth" {
+  name   = "azure-auth"
+  role   = "member"
+  org_id = "<org_id>"
+}
+
+resource "infisical_identity_azure_auth" "azure-auth" {
+  identity_id = infisical_identity.azure-auth.id
+  tenant_id   = "TENANT_ID"
+}
+
+resource "infisical_identity" "gcp-auth" {
+  name   = "gcp-auth"
+  role   = "member"
+  org_id = "<org_id>"
+}
+
+resource "infisical_identity_gcp_auth" "gcp-auth" {
+  identity_id = infisical_identity.gcp-auth.id
+  type        = "gce"
+}
+
+resource "infisical_identity" "k8-auth" {
+  name   = "k8-auth"
+  role   = "member"
+  org_id = "<org_id>"
+}
+
+resource "infisical_identity_kubernetes_auth" "k8-auth" {
+  identity_id        = infisical_identity.k8-auth.id
+  kubernetes_host    = "http://example.com"
+  token_reviewer_jwt = "ey<example>"
+  allowed_namespaces = ["namespace-a", "namespace-b"]
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `name` (String) The name for the identity
+- `org_id` (String) The ID of the organization for the identity
+- `role` (String) The role for the identity. Available default role options are 'admin', 'member', and 'no-access'. If you've created custom roles, you can use their slugs as well.
+
+### Optional
+
+- `auth_mode` (String) The authentication type of the identity
+
+### Read-Only
+
+- `id` (String) The ID of the identity

docs/resources/identity_aws_auth.md

@@ -0,0 +1,41 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "infisical_identity_aws_auth Resource - terraform-provider-infisical"
+subcategory: ""
+description: |-
+  Create and manage identity aws auth in Infisical.
+---
+
+# infisical_identity_aws_auth (Resource)
+
+Create and manage identity aws auth in Infisical.
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `identity_id` (String) The ID of the identity to attach the configuration onto.
+
+### Optional
+
+- `access_token_max_ttl` (Number) The maximum lifetime for an access token in seconds. This value will be referenced at renewal time. Default: 2592000
+- `access_token_num_uses_limit` (Number) The maximum number of times that an access token can be used; a value of 0 implies infinite number of uses. Default:0
+- `access_token_trusted_ips` (Attributes List) A list of IPs or CIDR ranges that access tokens can be used from. You can use 0.0.0.0/0, to allow usage from any network address.. (see [below for nested schema](#nestedatt--access_token_trusted_ips))
+- `access_token_ttl` (Number) The lifetime for an access token in seconds. This value will be referenced at renewal time. Default: 2592000
+- `allowed_account_ids` (List of String) List of trusted AWS account IDs that are allowed to authenticate with Infisical.
+- `allowed_principal_arns` (List of String) List of trusted IAM principal ARNs that are allowed to authenticate with Infisical. The values should take one of three forms: `arn:aws:iam::123456789012:user/MyUserName`, `arn:aws:iam::123456789012:role/MyRoleName`, or `arn:aws:iam::123456789012:*`. Using a wildcard in this case allows any IAM principal in the account `123456789012` to authenticate with Infisical under the identity
+- `sts_endpoint` (String) The endpoint URL for the AWS STS API. This value should be adjusted based on the AWS region you are operating in (e.g. `https://sts.us-east-1.amazonaws.com/`); refer to the list of regional STS endpoints [here](https://docs.aws.amazon.com/general/latest/gr/sts.html).
+
+### Read-Only
+
+- `id` (String) The ID of the aws auth
+
+<a id="nestedatt--access_token_trusted_ips"></a>
+### Nested Schema for `access_token_trusted_ips`
+
+Optional:
+
+- `ip_address` (String)

docs/resources/identity_azure_auth.md

@@ -0,0 +1,41 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "infisical_identity_azure_auth Resource - terraform-provider-infisical"
+subcategory: ""
+description: |-
+  Create and manage identity azure auth in Infisical.
+---
+
+# infisical_identity_azure_auth (Resource)
+
+Create and manage identity azure auth in Infisical.
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `identity_id` (String) The ID of the identity to attach the configuration onto.
+- `tenant_id` (String) The [tenant ID](https://learn.microsoft.com/en-us/entra/fundamentals/how-to-find-tenant) for the Azure AD organization.
+
+### Optional
+
+- `access_token_max_ttl` (Number) The maximum lifetime for an access token in seconds. This value will be referenced at renewal time. Default: 2592000
+- `access_token_num_uses_limit` (Number) The maximum number of times that an access token can be used; a value of 0 implies infinite number of uses. Default:0
+- `access_token_trusted_ips` (Attributes List) A list of IPs or CIDR ranges that access tokens can be used from. You can use 0.0.0.0/0, to allow usage from any network address.. (see [below for nested schema](#nestedatt--access_token_trusted_ips))
+- `access_token_ttl` (Number) The lifetime for an access token in seconds. This value will be referenced at renewal time. Default: 2592000
+- `allowed_service_principal_ids` (List of String) List of Azure AD service principal IDs that are allowed to authenticate with Infisical
+- `resource_url` (String) The resource URL for the application registered in Azure AD. The value is expected to match the `aud` claim of the access token JWT later used in the login operation against Infisical. See the [resource](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http) parameter for how the audience is set when requesting a JWT access token from the Azure Instance Metadata Service (IMDS) endpoint. In most cases, this value should be `https://management.azure.com/` which is the default
+
+### Read-Only
+
+- `id` (String) The ID of the azure auth
+
+<a id="nestedatt--access_token_trusted_ips"></a>
+### Nested Schema for `access_token_trusted_ips`
+
+Optional:
+
+- `ip_address` (String)

docs/resources/identity_gcp_auth.md

@@ -0,0 +1,42 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "infisical_identity_gcp_auth Resource - terraform-provider-infisical"
+subcategory: ""
+description: |-
+  Create and manage identity gcp auth in Infisical.
+---
+
+# infisical_identity_gcp_auth (Resource)
+
+Create and manage identity gcp auth in Infisical.
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `identity_id` (String) The ID of the identity to attach the configuration onto.
+
+### Optional
+
+- `access_token_max_ttl` (Number) The maximum lifetime for an access token in seconds. This value will be referenced at renewal time. Default: 2592000
+- `access_token_num_uses_limit` (Number) The maximum number of times that an access token can be used; a value of 0 implies infinite number of uses. Default:0
+- `access_token_trusted_ips` (Attributes List) A list of IPs or CIDR ranges that access tokens can be used from. You can use 0.0.0.0/0, to allow usage from any network address.. (see [below for nested schema](#nestedatt--access_token_trusted_ips))
+- `access_token_ttl` (Number) The lifetime for an access token in seconds. This value will be referenced at renewal time. Default: 2592000
+- `allowed_projects` (List of String) List of trusted GCP projects that the GCE instance must belong to authenticate with Infisical. Note that this validation property will only work for GCE instances
+- `allowed_service_account_emails` (List of String) List of trusted service account emails corresponding to the GCE resource(s) allowed to authenticate with Infisical; this could be something like `[email protected]`, `[email protected]`, etc.
+- `allowed_zones` (List of String) List of trusted zones that the GCE instances must belong to authenticate with Infisical; this should be the fully-qualified zone name in the format `<region>-<zone>`like `us-central1-a`, `us-west1-b`, etc. Note that this validation property will only work for GCE instances.
+- `type` (String) The Type of GCP Auth Method to use: Options are gce, iam. Default:gce
+
+### Read-Only
+
+- `id` (String) The ID of the gcp auth
+
+<a id="nestedatt--access_token_trusted_ips"></a>
+### Nested Schema for `access_token_trusted_ips`
+
+Optional:
+
+- `ip_address` (String)

docs/resources/identity_kubernetes_auth.md

@@ -0,0 +1,44 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "infisical_identity_kubernetes_auth Resource - terraform-provider-infisical"
+subcategory: ""
+description: |-
+  Create and manage identity kubernetes auth in Infisical.
+---
+
+# infisical_identity_kubernetes_auth (Resource)
+
+Create and manage identity kubernetes auth in Infisical.
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `identity_id` (String) The ID of the identity to attach the configuration onto.
+- `kubernetes_host` (String) The host string, host:port pair, or URL to the base of the Kubernetes API server. This can usually be obtained by running `kubectl cluster-info`.
+- `token_reviewer_jwt` (String) A long-lived service account JWT token for Infisical to access the [TokenReview API](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-review-v1/) to validate other service account JWT tokens submitted by applications/pods. This is the JWT token obtained from step 1.5.
+
+### Optional
+
+- `access_token_max_ttl` (Number) The maximum lifetime for an access token in seconds. This value will be referenced at renewal time. Default: 2592000
+- `access_token_num_uses_limit` (Number) The maximum number of times that an access token can be used; a value of 0 implies infinite number of uses. Default:0
+- `access_token_trusted_ips` (Attributes List) A list of IPs or CIDR ranges that access tokens can be used from. You can use 0.0.0.0/0, to allow usage from any network address.. (see [below for nested schema](#nestedatt--access_token_trusted_ips))
+- `access_token_ttl` (Number) The lifetime for an access token in seconds. This value will be referenced at renewal time. Default: 2592000
+- `allowed_audience` (String) An optional audience claim that the service account JWT token must have to authenticate with Infisical.
+- `allowed_namespaces` (List of String) List of trusted namespaces that service accounts must belong to authenticate with Infisical.
+- `allowed_service_account_names` (List of String) List of trusted service account names that are allowed to authenticate with Infisical.
+- `kubernetes_ca_certificate` (String) The PEM-encoded CA cert for the Kubernetes API server. This is used by the TLS client for secure communication with the Kubernetes API server.
+
+### Read-Only
+
+- `id` (String) The ID of the kubernetes auth
+
+<a id="nestedatt--access_token_trusted_ips"></a>
+### Nested Schema for `access_token_trusted_ips`
+
+Optional:
+
+- `ip_address` (String)

docs/resources/identity_universal_auth.md

@@ -0,0 +1,47 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "infisical_identity_universal_auth Resource - terraform-provider-infisical"
+subcategory: ""
+description: |-
+  Create and manage identity universal auth in Infisical.
+---
+
+# infisical_identity_universal_auth (Resource)
+
+Create and manage identity universal auth in Infisical.
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `identity_id` (String) The ID of the identity to attach the configuration onto.
+
+### Optional
+
+- `access_token_max_ttl` (Number) The maximum lifetime for an access token in seconds. This value will be referenced at renewal time. Default: 2592000
+- `access_token_num_uses_limit` (Number) The maximum number of times that an access token can be used; a value of 0 implies infinite number of uses. Default:0
+- `access_token_trusted_ips` (Attributes List) A list of IPs or CIDR ranges that access tokens can be used from. You can use 0.0.0.0/0, to allow usage from any network address.. (see [below for nested schema](#nestedatt--access_token_trusted_ips))
+- `access_token_ttl` (Number) The lifetime for an access token in seconds. This value will be referenced at renewal time. Default: 2592000
+- `client_secret_trusted_ips` (Attributes List) A list of IPs or CIDR ranges that the Client Secret can be used from together with the Client ID to get back an access token. You can use 0.0.0.0/0, to allow usage from any network address. (see [below for nested schema](#nestedatt--client_secret_trusted_ips))
+
+### Read-Only
+
+- `id` (String) The ID of the universal auth
+
+<a id="nestedatt--access_token_trusted_ips"></a>
+### Nested Schema for `access_token_trusted_ips`
+
+Optional:
+
+- `ip_address` (String)
+
+
+<a id="nestedatt--client_secret_trusted_ips"></a>
+### Nested Schema for `client_secret_trusted_ips`
+
+Optional:
+
+- `ip_address` (String)

docs/resources/identity_universal_auth_client_secret.md

@@ -0,0 +1,35 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "infisical_identity_universal_auth_client_secret Resource - terraform-provider-infisical"
+subcategory: ""
+description: |-
+  Create and manage identity universal auth client secret in Infisical.
+---
+
+# infisical_identity_universal_auth_client_secret (Resource)
+
+Create and manage identity universal auth client secret in Infisical.
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `identity_id` (String) The ID of the identity to create a client secret for
+
+### Optional
+
+- `description` (String) The description of the client secret.
+- `number_of_uses_limit` (Number) The maximum number of times that the client secret can be used; a value of 0 implies infinite number of uses. Default: 0
+- `ttl` (Number) The lifetime for the client secret in seconds. Default: 0 - not expiring
+
+### Read-Only
+
+- `client_id` (String) The client ID of the secret.
+- `client_secret` (String, Sensitive) The client secret.
+- `created_at` (String) The UTC timestamp of the created at.
+- `id` (String) The ID of the universal auth client secret
+- `is_revoked` (Boolean) A flag indicating token has been revoked
+- `number_of_uses` (Number) The number of times that the client secret is used