ENG-13675: update documentation for identity_provider field

cyral/internal/repository/confauth/resource_cyral_repository_conf_auth.go

@@ -215,9 +215,16 @@ func repositoryConfAuthResourceSchemaV0() *schema.Resource {
 				Default:     DefaultClientTLS,
 			},
 			"identity_provider": {
-				Description: "The ID (Alias) of the identity provider integration.",
-				Type:        schema.TypeString,
-				Optional:    true,
+				Description: fmt.Sprintf(
+					"The semantics of this field are as follows:\nIf not supplied, then end-user "+
+						"authentication is disabled.\nIf end-user authentication with Cyral "+
+						"Access Token is desired, then this must be any non-empty string (the exact value is "+
+						"irrelevant).\nIf end-user authentication with AWS IAM is desired, then this must "+
+						"be the ID of an AWS IAM integration, and the <auth_type> must be set to %s.",
+					AwsIAMAuthType,
+				),
+				Type:     schema.TypeString,
+				Optional: true,
 			},
 			"repo_tls": {
 				Description: fmt.Sprintf("Is TLS enabled for the repository? Default is %q.", DefaultRepoTLS),

docs/resources/repository_conf_auth.md

@@ -37,7 +37,10 @@ resource "cyral_repository_conf_auth" "some_resource_name" {
   - `ACCESS_TOKEN`
   - `AWS_IAM`
 - `client_tls` (String) Is the repo Client using TLS? Default is "disable".
-- `identity_provider` (String) The ID (Alias) of the identity provider integration.
+- `identity_provider` (String) The semantics of this field are as follows:
+  If not supplied, then end-user authentication is disabled.
+  If end-user authentication with Cyral Access Token is desired, then this must be any non-empty string (the exact value is irrelevant).
+  If end-user authentication with AWS IAM is desired, then this must be the ID of an AWS IAM integration, and the <auth_type> must be set to AWS_IAM.
 - `repo_tls` (String) Is TLS enabled for the repository? Default is "disable".
 
 ### Read-Only