Merge pull request #47 from jetstack/service_account_wif_example

Add docs for service account resources

Author: aidy

docs/resources/service_account.md

@@ -18,34 +18,58 @@ resource "tls_private_key" "rsa-key" {
   rsa_bits  = 4096
 }
 
-resource "tlspc_service_account" "sa" {
+resource "tlspc_service_account" "agent-credentials" {
   name                = "k8s-cluster"
   owner               = resource.tlspc_team.team.id
   scopes              = ["kubernetes-discovery"]
   credential_lifetime = 365
   public_key          = trimspace(resource.tls_private_key.rsa-key.public_key_pem)
 }
+
+resource "kubernetes_secret" "credentials" {
+  metadata {
+    name      = "agent-credentials"
+    namespace = "venafi"
+  }
+  data = {
+    "privatekey.pem" = tls_private_key.rsa-key.private_key_pem
+  }
+  type = "kubernetes.io/opaque"
+}
+
+resource "tlspc_service_account" "wif-issuer" {
+  name         = "test-issuer1"
+  owner        = resource.tlspc_team.team.id
+  scopes       = ["certificate-issuance"]
+  applications = [resource.tlspc_application.app.id]
+  jwks_uri     = "https://kubernetes/.well-known/jwks.json"
+  issuer_url   = "https://kubernetes.default.svc.cluster.local"
+  subject      = "system:serviceaccount:venafi:application-team-1"
+  audience     = "api.venafi.eu"
+}
 ```
 
 <!-- schema generated by tfplugindocs -->
 ## Schema
 
 ### Required
 
-- `name` (String)
-- `owner` (String)
-- `scopes` (Set of String)
+- `name` (String) The name of the service account
+- `owner` (String) ID of the team that owns this service account
+- `scopes` (Set of String) A list of scopes that this service account is authorised for. Available options include:
+    * certificate-issuance
+    * kubernetes-discovery
 
 ### Optional
 
-- `applications` (Set of String)
-- `audience` (String)
-- `credential_lifetime` (Number)
-- `issuer_url` (String)
-- `jwks_uri` (String)
-- `public_key` (String)
-- `subject` (String)
+- `applications` (Set of String) List of Applications which this service account is authorised for
+- `audience` (String) Audience for a WIF type service account
+- `credential_lifetime` (Number) Credential Lifetime in days (required for public_key type service accounts)
+- `issuer_url` (String) Issuer URL for a WIF type service account
+- `jwks_uri` (String) The JWKS URI for a Workload Identity Federation (WIF) type service account
+- `public_key` (String) Public Key
+- `subject` (String) Subject for a WIF type service account
 
 ### Read-Only
 
-- `id` (String) The ID of this resource.
+- `id` (String) The ID of this resource

examples/resources/tlspc_service_account/resource.tf

@@ -3,10 +3,32 @@ resource "tls_private_key" "rsa-key" {
   rsa_bits  = 4096
 }
 
-resource "tlspc_service_account" "sa" {
+resource "tlspc_service_account" "agent-credentials" {
   name                = "k8s-cluster"
   owner               = resource.tlspc_team.team.id
   scopes              = ["kubernetes-discovery"]
   credential_lifetime = 365
   public_key          = trimspace(resource.tls_private_key.rsa-key.public_key_pem)
 }
+
+resource "kubernetes_secret" "credentials" {
+  metadata {
+    name      = "agent-credentials"
+    namespace = "venafi"
+  }
+  data = {
+    "privatekey.pem" = tls_private_key.rsa-key.private_key_pem
+  }
+  type = "kubernetes.io/opaque"
+}
+
+resource "tlspc_service_account" "wif-issuer" {
+  name         = "test-issuer1"
+  owner        = resource.tlspc_team.team.id
+  scopes       = ["certificate-issuance"]
+  applications = [resource.tlspc_application.app.id]
+  jwks_uri     = "https://kubernetes/.well-known/jwks.json"
+  issuer_url   = "https://kubernetes.default.svc.cluster.local"
+  subject      = "system:serviceaccount:venafi:application-team-1"
+  audience     = "api.venafi.eu"
+}

internal/provider/service_account_resource.go

@@ -43,40 +43,55 @@ func (r *serviceAccountResource) Schema(_ context.Context, _ resource.SchemaRequ
 				PlanModifiers: []planmodifier.String{
 					stringplanmodifier.UseStateForUnknown(),
 				},
+				MarkdownDescription: "The ID of this resource",
 			},
 			"name": schema.StringAttribute{
-				Required: true,
+				Required:            true,
+				MarkdownDescription: "The name of the service account",
 			},
 			"owner": schema.StringAttribute{
-				Required: true,
+				Required:            true,
+				MarkdownDescription: "ID of the team that owns this service account",
 			},
 			"scopes": schema.SetAttribute{
 				Required:    true,
 				ElementType: types.StringType,
+				MarkdownDescription: `
+A list of scopes that this service account is authorised for. Available options include:
+    * certificate-issuance
+    * kubernetes-discovery
+`,
 			},
 			// Agent service account
 			"public_key": schema.StringAttribute{
-				Optional: true,
+				Optional:            true,
+				MarkdownDescription: "Public Key",
 			},
 			"credential_lifetime": schema.Int32Attribute{
-				Optional: true,
+				Optional:            true,
+				MarkdownDescription: "Credential Lifetime in days (required for public_key type service accounts)",
 			},
 			// Issuer service account (jwks)
 			"jwks_uri": schema.StringAttribute{
-				Optional: true,
+				Optional:            true,
+				MarkdownDescription: "The JWKS URI for a Workload Identity Federation (WIF) type service account",
 			},
 			"issuer_url": schema.StringAttribute{
-				Optional: true,
+				Optional:            true,
+				MarkdownDescription: "Issuer URL for a WIF type service account",
 			},
 			"audience": schema.StringAttribute{
-				Optional: true,
+				Optional:            true,
+				MarkdownDescription: "Audience for a WIF type service account",
 			},
 			"subject": schema.StringAttribute{
-				Optional: true,
+				Optional:            true,
+				MarkdownDescription: "Subject for a WIF type service account",
 			},
 			"applications": schema.SetAttribute{
-				Optional:    true,
-				ElementType: types.StringType,
+				Optional:            true,
+				ElementType:         types.StringType,
+				MarkdownDescription: "List of Applications which this service account is authorised for",
 			},
 		},
 	}