From 751264e41a5695c44b502ba833d5bbbc5e05875d Mon Sep 17 00:00:00 2001 
From: Victor Moraes Date: Thu, 21 Mar 2024 18:40:23 -0300 Subject: [PATCH] Format docs --- docs/data-sources/access_token_settings.md | 12 +- docs/data-sources/datalabel.md | 34 +-- docs/data-sources/integration_idp.md | 18 +- docs/data-sources/integration_idp_saml.md | 54 ++--- docs/data-sources/integration_logging.md | 58 +++--- docs/data-sources/permission.md | 12 +- docs/data-sources/repository.md | 70 +++---- docs/data-sources/role.md | 28 +-- docs/data-sources/saml_certificate.md | 8 +- docs/data-sources/saml_configuration.md | 56 ++--- docs/data-sources/sidecar_bound_ports.md | 6 +- docs/data-sources/sidecar_cft_template.md | 16 +- docs/data-sources/sidecar_health.md | 8 +- docs/data-sources/sidecar_id.md | 6 +- docs/data-sources/sidecar_instance.md | 44 ++-- docs/data-sources/sidecar_instance_ids.md | 8 +- docs/data-sources/sidecar_instance_stats.md | 12 +- docs/data-sources/sidecar_listener.md | 70 +++---- docs/data-sources/system_info.md | 8 +- docs/guides/4.0-migration-guide.md | 34 +-- docs/guides/repo_level_policy.md | 10 +- docs/index.md | 12 +- docs/resources/access_token_settings.md | 12 +- docs/resources/datalabel.md | 26 +-- docs/resources/integration_aws_iam.md | 10 +- docs/resources/integration_datadog.md | 8 +- docs/resources/integration_elk.md | 10 +- docs/resources/integration_hc_vault.md | 12 +- docs/resources/integration_idp_aad.md | 72 +++---- docs/resources/integration_idp_adfs.md | 72 +++---- docs/resources/integration_idp_forgerock.md | 72 +++---- docs/resources/integration_idp_gsuite.md | 72 +++---- docs/resources/integration_idp_okta.md | 72 +++---- docs/resources/integration_idp_ping_one.md | 72 +++---- docs/resources/integration_idp_saml.md | 10 +- docs/resources/integration_idp_saml_draft.md | 36 ++-- docs/resources/integration_logging.md | 52 ++--- docs/resources/integration_logstash.md | 14 +- docs/resources/integration_looker.md | 10 +- docs/resources/integration_mfa_duo.md | 12 +- docs/resources/integration_microsoft_teams.md | 
8 +- docs/resources/integration_pager_duty.md | 8 +- docs/resources/integration_slack_alerts.md | 8 +- docs/resources/integration_splunk.md | 16 +- docs/resources/integration_sumo_logic.md | 8 +- docs/resources/policy.md | 26 +-- docs/resources/policy_rule.md | 84 ++++---- docs/resources/rego_policy_instance.md | 194 +++++++++--------- docs/resources/repository.md | 102 ++++----- docs/resources/repository_access_gateway.md | 8 +- docs/resources/repository_access_rules.md | 28 +-- docs/resources/repository_binding.md | 16 +- docs/resources/repository_conf_analysis.md | 62 +++--- docs/resources/repository_conf_auth.md | 18 +- docs/resources/repository_datamap.md | 12 +- .../repository_network_access_policy.md | 30 +-- docs/resources/repository_user_account.md | 64 +++--- docs/resources/role.md | 34 +-- docs/resources/role_sso_groups.md | 16 +- docs/resources/service_account.md | 10 +- docs/resources/sidecar.md | 30 +-- docs/resources/sidecar_credentials.md | 14 +- docs/resources/sidecar_listener.md | 60 +++--- 63 files changed, 1042 insertions(+), 1042 deletions(-) diff --git a/docs/data-sources/access_token_settings.md b/docs/data-sources/access_token_settings.md index 92580939..bb13d16c 100644 --- a/docs/data-sources/access_token_settings.md +++ b/docs/data-sources/access_token_settings.md 
@@ -34,9 +34,9 @@ output "token_length" { ### Read-Only -- `default_validity` (String) The default duration used for access token validity. Defaults to `36000s`. Should follow the protobuf duration string format, which corresponds to a sequence of decimal numbers suffixed by a 's' at the end, representing the duration in seconds. For example: `300s`, `60s`, `10.50s`, etc. -- `id` (String) The data source identifier. It's set as `settings/access_token`. -- `max_number_of_tokens_per_user` (Number) The maximum number of access tokens that a user can have at the same time. Must be between `1` and `5` (inclusive). Defaults to `3`. -- `max_validity` (String) The maximum duration that a user can request for access token validity. Defaults to `36000s`. Should follow the protobuf duration string format, which corresponds to a sequence of decimal numbers suffixed by a 's' at the end, representing the duration in seconds. For example: `300s`, `60s`, `10.50s`, etc. -- `offline_token_validation` (Boolean) The configuration that determines if the sidecar should perform access token validation independently using cached token values. If this is `true`, the sidecar will be able to validate and authenticate database access even when it cannot reach the Control Plane. Defaults to `true`. -- `token_length` (Number) The number of characters of the access token plaintext value. Valid values are `8`, `12` and `16`. Defaults to `16`. +- `default_validity` (String) The default duration used for access token validity. Defaults to `36000s`. Should follow the protobuf duration string format, which corresponds to a sequence of decimal numbers suffixed by a 's' at the end, representing the duration in seconds. For example: `300s`, `60s`, `10.50s`, etc. +- `id` (String) The data source identifier. It's set as `settings/access_token`. +- `max_number_of_tokens_per_user` (Number) The maximum number of access tokens that a user can have at the same time. Must be between `1` and `5` (inclusive). 
Defaults to `3`. +- `max_validity` (String) The maximum duration that a user can request for access token validity. Defaults to `36000s`. Should follow the protobuf duration string format, which corresponds to a sequence of decimal numbers suffixed by a 's' at the end, representing the duration in seconds. For example: `300s`, `60s`, `10.50s`, etc. +- `offline_token_validation` (Boolean) The configuration that determines if the sidecar should perform access token validation independently using cached token values. If this is `true`, the sidecar will be able to validate and authenticate database access even when it cannot reach the Control Plane. Defaults to `true`. +- `token_length` (Number) The number of characters of the access token plaintext value. Valid values are `8`, `12` and `16`. Defaults to `16`. diff --git a/docs/data-sources/datalabel.md b/docs/data-sources/datalabel.md index 6845b607..392ac9ed 100644 --- a/docs/data-sources/datalabel.md +++ b/docs/data-sources/datalabel.md @@ -3,7 +3,7 @@ page_title: "cyral_datalabel Data Source - terraform-provider-cyral" subcategory: "" description: |- - Retrieve and filter data labels. See also resource cyral_datalabel ../resources/datalabel.md. + Retrieve and filter data labels. See also resource cyral_datalabel ../resources/datalabel.md. --- # cyral_datalabel (Data Source) 
@@ -27,16 +27,16 @@ data "cyral_datalabel" "some_data_source_name" { ### Optional -- `name` (String) Retrieve the unique label with this name, if it exists. -- `type` (String) Filter the results by type of data label. Defaults to `UNKNOWN`, which will return all label types. The labels you create will always have type `CUSTOM`. Labels that come pre-configured in the control plane have type `PREDEFINED`. List of supported types: - - `UNKNOWN` - - `PREDEFINED` - - `CUSTOM` +- `name` (String) Retrieve the unique label with this name, if it exists. +- `type` (String) Filter the results by type of data label. Defaults to `UNKNOWN`, which will return all label types. The labels you create will always have type `CUSTOM`. Labels that come pre-configured in the control plane have type `PREDEFINED`. List of supported types: + - `UNKNOWN` + - `PREDEFINED` + - `CUSTOM` ### Read-Only -- `datalabel_list` (List of Object) List of existing data labels satisfying the filter criteria. (see [below for nested schema](#nestedatt--datalabel_list)) -- `id` (String) The ID of this resource. +- `datalabel_list` (List of Object) List of existing data labels satisfying the filter criteria. (see [below for nested schema](#nestedatt--datalabel_list)) +- `id` (String) The ID of this resource. @@ -44,12 +44,12 @@ data "cyral_datalabel" "some_data_source_name" { Read-Only: -- `classification_rule` (Set of Object) (see [below for nested schema](#nestedobjatt--datalabel_list--classification_rule)) -- `description` (String) -- `implicit` (Boolean) -- `name` (String) -- `tags` (List of String) -- `type` (String) +- `classification_rule` (Set of Object) (see [below for nested schema](#nestedobjatt--datalabel_list--classification_rule)) +- `description` (String) +- `implicit` (Boolean) +- `name` (String) +- `tags` (List of String) +- `type` (String) 
@@ -57,6 +57,6 @@ Read-Only: Read-Only: -- `rule_code` (String) -- `rule_status` (String) -- `rule_type` (String) +- `rule_code` (String) +- `rule_status` (String) +- `rule_type` (String) diff --git a/docs/data-sources/integration_idp.md b/docs/data-sources/integration_idp.md index 9d17b845..dd530304 100644 --- a/docs/data-sources/integration_idp.md +++ b/docs/data-sources/integration_idp.md @@ -3,7 +3,7 @@ page_title: "cyral_integration_idp Data Source - terraform-provider-cyral" subcategory: "" description: |- - ~> DEPRECATED Use resource and data source cyral_integration_idp_saml instead. + ~> DEPRECATED Use resource and data source cyral_integration_idp_saml instead. --- # cyral_integration_idp (Data Source) @@ -16,13 +16,13 @@ description: |- ### Optional -- `display_name` (String) Filter results by the name of an existing IdP integration. -- `type` (String) Filter results by the IdP integration type. +- `display_name` (String) Filter results by the name of an existing IdP integration. +- `type` (String) Filter results by the IdP integration type. ### Read-Only -- `id` (String) The ID of this resource. -- `idp_list` (List of Object) List of existing IdP integrations for the given filter criteria. (see [below for nested schema](#nestedatt--idp_list)) +- `id` (String) The ID of this resource. +- `idp_list` (List of Object) List of existing IdP integrations for the given filter criteria. (see [below for nested schema](#nestedatt--idp_list)) @@ -30,7 +30,7 @@ description: |- Read-Only: -- `alias` (String) -- `display_name` (String) -- `enabled` (Boolean) -- `single_sign_on_service_url` (String) +- `alias` (String) +- `display_name` (String) +- `enabled` (Boolean) +- `single_sign_on_service_url` (String) diff --git a/docs/data-sources/integration_idp_saml.md b/docs/data-sources/integration_idp_saml.md index 9e0e8736..e4faac04 100644 --- a/docs/data-sources/integration_idp_saml.md +++ b/docs/data-sources/integration_idp_saml.md 
@@ -3,7 +3,7 @@ page_title: "cyral_integration_idp_saml Data Source - terraform-provider-cyral" subcategory: "" description: |- - Retrieve and filter SAML IdP integrations. + Retrieve and filter SAML IdP integrations. --- # cyral_integration_idp_saml (Data Source) @@ -26,13 +26,13 @@ data "cyral_integration_idp_saml" "some_data_source_name" { ### Optional -- `display_name` (String) Filter results by the display name (as seen in the control plane UI) of existing SAML IdP integrations. -- `idp_type` (String) Filter results by the SAML IdP integration type. +- `display_name` (String) Filter results by the display name (as seen in the control plane UI) of existing SAML IdP integrations. +- `idp_type` (String) Filter results by the SAML IdP integration type. ### Read-Only -- `id` (String) The ID of this resource. -- `idp_list` (List of Object) List of existing SAML IdP integrations that match the given filter criteria. (see [below for nested schema](#nestedatt--idp_list)) +- `id` (String) The ID of this resource. +- `idp_list` (List of Object) List of existing SAML IdP integrations that match the given filter criteria. (see [below for nested schema](#nestedatt--idp_list)) 
@@ -40,13 +40,13 @@ data "cyral_integration_idp_saml" "some_data_source_name" { Read-Only: -- `attributes` (Set of Object) (see [below for nested schema](#nestedobjatt--idp_list--attributes)) -- `disabled` (Boolean) -- `display_name` (String) -- `id` (String) -- `idp_descriptor` (Set of Object) (see [below for nested schema](#nestedobjatt--idp_list--idp_descriptor)) -- `idp_type` (String) -- `sp_metadata` (Set of Object) (see [below for nested schema](#nestedobjatt--idp_list--sp_metadata)) +- `attributes` (Set of Object) (see [below for nested schema](#nestedobjatt--idp_list--attributes)) +- `disabled` (Boolean) +- `display_name` (String) +- `id` (String) +- `idp_descriptor` (Set of Object) (see [below for nested schema](#nestedobjatt--idp_list--idp_descriptor)) +- `idp_type` (String) +- `sp_metadata` (Set of Object) (see [below for nested schema](#nestedobjatt--idp_list--sp_metadata)) @@ -54,10 +54,10 @@ Read-Only: Read-Only: -- `email` (String) -- `first_name` (String) -- `groups` (String) -- `last_name` (String) +- `email` (String) +- `first_name` (String) +- `groups` (String) +- `last_name` (String) @@ -65,10 +65,10 @@ Read-Only: Read-Only: -- `disable_force_authentication` (Boolean) -- `signing_certificate` (String) -- `single_logout_service_url` (String) -- `single_sign_on_service_url` (String) +- `disable_force_authentication` (Boolean) +- `signing_certificate` (String) +- `single_logout_service_url` (String) +- `single_sign_on_service_url` (String) 
@@ -76,11 +76,11 @@ Read-Only: Read-Only: -- `assertion_consumer_services` (List of Object) (see [below for nested schema](#nestedobjatt--idp_list--sp_metadata--assertion_consumer_services)) -- `entity_id` (String) -- `single_logout_url` (String) -- `url` (String) -- `xml_document` (String) +- `assertion_consumer_services` (List of Object) (see [below for nested schema](#nestedobjatt--idp_list--sp_metadata--assertion_consumer_services)) +- `entity_id` (String) +- `single_logout_url` (String) +- `url` (String) +- `xml_document` (String) @@ -88,5 +88,5 @@ Read-Only: Read-Only: -- `index` (Number) -- `url` (String) +- `index` (Number) +- `url` (String) diff --git a/docs/data-sources/integration_logging.md b/docs/data-sources/integration_logging.md index 19913ca7..12514e71 100644 --- a/docs/data-sources/integration_logging.md +++ b/docs/data-sources/integration_logging.md @@ -22,12 +22,12 @@ data "cyral_integration_logging" "another_data_source_name" { ### Optional -- `type` (String) The type of logging integration config to filter by. +- `type` (String) The type of logging integration config to filter by. ### Read-Only -- `id` (String) The ID of this resource. -- `integrations` (List of Object) List of existing integration configs for the given filter criteria. (see [below for nested schema](#nestedatt--integrations)) +- `id` (String) The ID of this resource. +- `integrations` (List of Object) List of existing integration configs for the given filter criteria. (see [below for nested schema](#nestedatt--integrations)) 
@@ -35,15 +35,15 @@ data "cyral_integration_logging" "another_data_source_name" { Read-Only: -- `cloudwatch` (Set of Object) (see [below for nested schema](#nestedobjatt--integrations--cloudwatch)) -- `datadog` (Set of Object) (see [below for nested schema](#nestedobjatt--integrations--datadog)) -- `elk` (Set of Object) (see [below for nested schema](#nestedobjatt--integrations--elk)) -- `fluent_bit` (Set of Object) (see [below for nested schema](#nestedobjatt--integrations--fluent_bit)) -- `id` (String) -- `name` (String) -- `receive_audit_logs` (Boolean) -- `splunk` (Set of Object) (see [below for nested schema](#nestedobjatt--integrations--splunk)) -- `sumo_logic` (Set of Object) (see [below for nested schema](#nestedobjatt--integrations--sumo_logic)) +- `cloudwatch` (Set of Object) (see [below for nested schema](#nestedobjatt--integrations--cloudwatch)) +- `datadog` (Set of Object) (see [below for nested schema](#nestedobjatt--integrations--datadog)) +- `elk` (Set of Object) (see [below for nested schema](#nestedobjatt--integrations--elk)) +- `fluent_bit` (Set of Object) (see [below for nested schema](#nestedobjatt--integrations--fluent_bit)) +- `id` (String) +- `name` (String) +- `receive_audit_logs` (Boolean) +- `splunk` (Set of Object) (see [below for nested schema](#nestedobjatt--integrations--splunk)) +- `sumo_logic` (Set of Object) (see [below for nested schema](#nestedobjatt--integrations--sumo_logic)) @@ -51,9 +51,9 @@ Read-Only: Read-Only: -- `group` (String) -- `region` (String) -- `stream` (String) +- `group` (String) +- `region` (String) +- `stream` (String) @@ -61,7 +61,7 @@ Read-Only: Read-Only: -- `api_key` (String) +- `api_key` (String) 
@@ -69,9 +69,9 @@ Read-Only: Read-Only: -- `es_credentials` (Set of Object) (see [below for nested schema](#nestedobjatt--integrations--elk--es_credentials)) -- `es_url` (String) -- `kibana_url` (String) +- `es_credentials` (Set of Object) (see [below for nested schema](#nestedobjatt--integrations--elk--es_credentials)) +- `es_url` (String) +- `kibana_url` (String) @@ -79,8 +79,8 @@ Read-Only: Read-Only: -- `password` (String) -- `username` (String) +- `password` (String) +- `username` (String) @@ -88,8 +88,8 @@ Read-Only: Read-Only: -- `config` (String) -- `skip_validate` (Boolean) +- `config` (String) +- `skip_validate` (Boolean) @@ -97,11 +97,11 @@ Read-Only: Read-Only: -- `access_token` (String) -- `hec_port` (String) -- `hostname` (String) -- `index` (String) -- `use_tls` (Boolean) +- `access_token` (String) +- `hec_port` (String) +- `hostname` (String) +- `index` (String) +- `use_tls` (Boolean) @@ -109,4 +109,4 @@ Read-Only: Read-Only: -- `address` (String) +- `address` (String) diff --git a/docs/data-sources/permission.md b/docs/data-sources/permission.md index df1b7b3e..1740b439 100644 --- a/docs/data-sources/permission.md +++ b/docs/data-sources/permission.md @@ -3,7 +3,7 @@ page_title: "cyral_permission Data Source - terraform-provider-cyral" subcategory: "" description: |- - Retrieve all Cyral permissions. See also resource cyral_service_account ../resources/service_account.md. + Retrieve all Cyral permissions. See also resource cyral_service_account ../resources/service_account.md. --- # cyral_permission (Data Source) 
@@ -16,8 +16,8 @@ Retrieve all Cyral permissions. See also resource [`cyral_service_account`](../r ### Read-Only -- `id` (String) The data source identifier. -- `permission_list` (List of Object) List of all existing Cyral permissions. (see [below for nested schema](#nestedatt--permission_list)) +- `id` (String) The data source identifier. +- `permission_list` (List of Object) List of all existing Cyral permissions. (see [below for nested schema](#nestedatt--permission_list)) @@ -25,6 +25,6 @@ Retrieve all Cyral permissions. See also resource [`cyral_service_account`](../r Read-Only: -- `description` (String) -- `id` (String) -- `name` (String) +- `description` (String) +- `id` (String) +- `name` (String) diff --git a/docs/data-sources/repository.md b/docs/data-sources/repository.md index 7ceaf46e..c0900848 100644 --- a/docs/data-sources/repository.md +++ b/docs/data-sources/repository.md 
@@ -76,27 +76,27 @@ output "all_mysql_repo_ids" { ### Optional -- `name` (String) Filter the results by a regular expression (regex) that matches names of existing repositories. -- `type` (String) Filter the results by type of repository. List of supported types: - - `denodo` - - `dremio` - - `dynamodb` - - `dynamodbstreams` - - `galera` - - `mariadb` - - `mongodb` - - `mysql` - - `oracle` - - `postgresql` - - `redshift` - - `s3` - - `snowflake` - - `sqlserver` +- `name` (String) Filter the results by a regular expression (regex) that matches names of existing repositories. +- `type` (String) Filter the results by type of repository. List of supported types: + - `denodo` + - `dremio` + - `dynamodb` + - `dynamodbstreams` + - `galera` + - `mariadb` + - `mongodb` + - `mysql` + - `oracle` + - `postgresql` + - `redshift` + - `s3` + - `snowflake` + - `sqlserver` ### Read-Only -- `id` (String) The ID of this resource. -- `repository_list` (List of Object) List of existing repositories satisfying the filter criteria. (see [below for nested schema](#nestedatt--repository_list)) +- `id` (String) The ID of this resource. +- `repository_list` (List of Object) List of existing repositories satisfying the filter criteria. (see [below for nested schema](#nestedatt--repository_list)) 
@@ -104,13 +104,13 @@ output "all_mysql_repo_ids" { Read-Only: -- `connection_draining` (Set of Object) (see [below for nested schema](#nestedobjatt--repository_list--connection_draining)) -- `id` (String) -- `labels` (List of String) -- `mongodb_settings` (Set of Object) (see [below for nested schema](#nestedobjatt--repository_list--mongodb_settings)) -- `name` (String) -- `repo_node` (List of Object) (see [below for nested schema](#nestedobjatt--repository_list--repo_node)) -- `type` (String) +- `connection_draining` (Set of Object) (see [below for nested schema](#nestedobjatt--repository_list--connection_draining)) +- `id` (String) +- `labels` (List of String) +- `mongodb_settings` (Set of Object) (see [below for nested schema](#nestedobjatt--repository_list--mongodb_settings)) +- `name` (String) +- `repo_node` (List of Object) (see [below for nested schema](#nestedobjatt--repository_list--repo_node)) +- `type` (String) @@ -118,8 +118,8 @@ Read-Only: Read-Only: -- `auto` (Boolean) -- `wait_time` (Number) +- `auto` (Boolean) +- `wait_time` (Number) @@ -127,10 +127,10 @@ Read-Only: Read-Only: -- `flavor` (String) -- `replica_set_name` (String) -- `server_type` (String) -- `srv_record_name` (String) +- `flavor` (String) +- `replica_set_name` (String) +- `server_type` (String) +- `srv_record_name` (String) @@ -138,7 +138,7 @@ Read-Only: Read-Only: -- `dynamic` (Boolean) -- `host` (String) -- `name` (String) -- `port` (Number) +- `dynamic` (Boolean) +- `host` (String) +- `name` (String) +- `port` (Number) diff --git a/docs/data-sources/role.md b/docs/data-sources/role.md index fe3b5a41..d8278171 100644 --- a/docs/data-sources/role.md +++ b/docs/data-sources/role.md 
@@ -3,7 +3,7 @@ page_title: "cyral_role Data Source - terraform-provider-cyral" subcategory: "" description: |- - Retrieve and filter roles https://cyral.com/docs/account-administration/acct-manage-cyral-roles/ that exist in the Cyral Control Plane. + Retrieve and filter roles https://cyral.com/docs/account-administration/acct-manage-cyral-roles/ that exist in the Cyral Control Plane. --- # cyral_role (Data Source) @@ -25,12 +25,12 @@ data "cyral_role" "admin_roles" { ### Optional -- `name` (String) Filter the results by a regular expression (regex) that matches names of existing roles. +- `name` (String) Filter the results by a regular expression (regex) that matches names of existing roles. ### Read-Only -- `id` (String) The ID of this resource. -- `role_list` (List of Object) List of existing roles satisfying the filter criteria. (see [below for nested schema](#nestedatt--role_list)) +- `id` (String) The ID of this resource. +- `role_list` (List of Object) List of existing roles satisfying the filter criteria. (see [below for nested schema](#nestedatt--role_list)) @@ -38,12 +38,12 @@ data "cyral_role" "admin_roles" { Read-Only: -- `description` (String) -- `id` (String) -- `members` (List of String) -- `name` (String) -- `roles` (List of String) -- `sso_groups` (List of Object) (see [below for nested schema](#nestedobjatt--role_list--sso_groups)) +- `description` (String) +- `id` (String) +- `members` (List of String) +- `name` (String) +- `roles` (List of String) +- `sso_groups` (List of Object) (see [below for nested schema](#nestedobjatt--role_list--sso_groups)) @@ -51,7 +51,7 @@ Read-Only: Read-Only: -- `group_name` (String) -- `id` (String) -- `idp_id` (String) -- `idp_name` (String) +- `group_name` (String) +- `id` (String) +- `idp_id` (String) +- `idp_name` (String) diff --git a/docs/data-sources/saml_certificate.md b/docs/data-sources/saml_certificate.md index 85c2998b..c011ef7b 100644 --- a/docs/data-sources/saml_certificate.md 
+++ b/docs/data-sources/saml_certificate.md @@ -3,8 +3,8 @@ page_title: "cyral_saml_certificate Data Source - terraform-provider-cyral" subcategory: "" description: |- - Retrieves a X.509 certificate used for signing SAML requests. - See also the remaining SAML-related resources and data sources. + Retrieves a X.509 certificate used for signing SAML requests. + See also the remaining SAML-related resources and data sources. --- # cyral_saml_certificate (Data Source) @@ -26,5 +26,5 @@ data "cyral_saml_certificate" "some_data_source_name" { ### Read-Only -- `certificate` (String) The X.509 certificate used for signing SAML requests. -- `id` (String) Computed ID for this data source (locally computed to be used in Terraform state). +- `certificate` (String) The X.509 certificate used for signing SAML requests. +- `id` (String) Computed ID for this data source (locally computed to be used in Terraform state). diff --git a/docs/data-sources/saml_configuration.md b/docs/data-sources/saml_configuration.md index 43ad7949..0c390a82 100644 --- a/docs/data-sources/saml_configuration.md +++ b/docs/data-sources/saml_configuration.md @@ -3,8 +3,8 @@ page_title: "cyral_saml_configuration Data Source - terraform-provider-cyral" subcategory: "" description: |- - Parses a SAML metadata URL or a Base64 document into a SAML configuration. - See also the remaining SAML-related resources and data sources. + Parses a SAML metadata URL or a Base64 document into a SAML configuration. + See also the remaining SAML-related resources and data sources. --- # cyral_saml_configuration (Data Source) 
@@ -33,32 +33,32 @@ data "cyral_saml_configuration" "some_data_source_name" { ### Optional -- `base_64_saml_metadata_document` (String) (Required unless using `saml_metadata_url`) This is the full SAML metadata document that should be used to parse a SAML configuration, Base64 encoded. -- `saml_metadata_url` (String) (Required unless using `base_64_saml_metadata_document`) This is the full SAML metadata URL we should use to parse to a SAML configuration. +- `base_64_saml_metadata_document` (String) (Required unless using `saml_metadata_url`) This is the full SAML metadata document that should be used to parse a SAML configuration, Base64 encoded. +- `saml_metadata_url` (String) (Required unless using `base_64_saml_metadata_document`) This is the full SAML metadata URL we should use to parse to a SAML configuration. ### Read-Only -- `allowed_clock_skew` (Number) Clock skew in seconds that is tolerated when validating identity provider tokens. Default value is `0`. -- `back_channel_supported` (Boolean) Defaults to `false` if unset. -- `disable_force_authentication` (Boolean) Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. -- `disable_post_binding_authn_request` (Boolean) Indicates whether the AuthnRequest must be sent using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. -- `disable_post_binding_logout` (Boolean) Indicates whether to respond to requests using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. -- `disable_post_binding_response` (Boolean) Indicates whether to respond to requests using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. -- `disable_using_jwks_url` (Boolean) By default, the jwks URL is used for all SAML connections. -- `disable_validate_signature` (Boolean) Enable/Disable signature validation of SAML responses. Highly recommended for minimum security. 
-- `disable_want_assertions_signed` (Boolean) Indicates whether the service provider expects a signed Assertion. -- `disable_want_authn_requests_signed` (Boolean) Indicates whether the identity provider expects a signed AuthnRequest. -- `gui_order` (String) GUI order. -- `hide_on_login_page` (Boolean) Defaults to `false` if unset. -- `id` (String) Computed ID for this data source (locally computed to be used in Terraform state). -- `ldap_group_attribute` (String) Type of `LDAP Group RDN` that identifies the name of a group within a DN. For example, if an LDAP DN sent in a SAML assertion is `cn=Everyone`, `ou=groups`, `dc=openam`, `dc=forgerock`, `dc=org` and the `LDAP Group RDN` Type is `cn` Cyral will interpret `Everyone` as the group name. -- `name_id_policy_format` (String) Defaults to `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified` if unset. -- `principal_type` (String) Defaults to `SUBJECT` if unset. -- `saml_xml_key_name_tranformer` (String) Defaults to `KEY_ID` if unset. -- `signature_type` (String) Defaults to `RSA_SHA256` if unset. -- `signing_certificate` (String) Signing certificate used to validate signatures. Required if signature validation is enabled. -- `single_logout_service_url` (String) URL that must be used to send logout requests. -- `single_sign_on_service_url` (String) URL that must be used to send authentication requests (SAML AuthnRequest). -- `sync_mode` (String) Defaults to `FORCE` if unset. -- `want_assertions_encrypted` (Boolean) Indicates whether the service provider expects an encrypted Assertion. -- `xml_sig_key_info_key_name_transformer` (String) Defaults to `KEY_ID` if unset. +- `allowed_clock_skew` (Number) Clock skew in seconds that is tolerated when validating identity provider tokens. Default value is `0`. +- `back_channel_supported` (Boolean) Defaults to `false` if unset. 
+- `disable_force_authentication` (Boolean) Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. +- `disable_post_binding_authn_request` (Boolean) Indicates whether the AuthnRequest must be sent using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. +- `disable_post_binding_logout` (Boolean) Indicates whether to respond to requests using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. +- `disable_post_binding_response` (Boolean) Indicates whether to respond to requests using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. +- `disable_using_jwks_url` (Boolean) By default, the jwks URL is used for all SAML connections. +- `disable_validate_signature` (Boolean) Enable/Disable signature validation of SAML responses. Highly recommended for minimum security. +- `disable_want_assertions_signed` (Boolean) Indicates whether the service provider expects a signed Assertion. +- `disable_want_authn_requests_signed` (Boolean) Indicates whether the identity provider expects a signed AuthnRequest. +- `gui_order` (String) GUI order. +- `hide_on_login_page` (Boolean) Defaults to `false` if unset. +- `id` (String) Computed ID for this data source (locally computed to be used in Terraform state). +- `ldap_group_attribute` (String) Type of `LDAP Group RDN` that identifies the name of a group within a DN. For example, if an LDAP DN sent in a SAML assertion is `cn=Everyone`, `ou=groups`, `dc=openam`, `dc=forgerock`, `dc=org` and the `LDAP Group RDN` Type is `cn` Cyral will interpret `Everyone` as the group name. +- `name_id_policy_format` (String) Defaults to `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified` if unset. +- `principal_type` (String) Defaults to `SUBJECT` if unset. +- `saml_xml_key_name_tranformer` (String) Defaults to `KEY_ID` if unset. +- `signature_type` (String) Defaults to `RSA_SHA256` if unset. 
+- `signing_certificate` (String) Signing certificate used to validate signatures. Required if signature validation is enabled. +- `single_logout_service_url` (String) URL that must be used to send logout requests. +- `single_sign_on_service_url` (String) URL that must be used to send authentication requests (SAML AuthnRequest). +- `sync_mode` (String) Defaults to `FORCE` if unset. +- `want_assertions_encrypted` (Boolean) Indicates whether the service provider expects an encrypted Assertion. +- `xml_sig_key_info_key_name_transformer` (String) Defaults to `KEY_ID` if unset. diff --git a/docs/data-sources/sidecar_bound_ports.md b/docs/data-sources/sidecar_bound_ports.md index 31e91629..0cc56c57 100644 --- a/docs/data-sources/sidecar_bound_ports.md +++ b/docs/data-sources/sidecar_bound_ports.md @@ -91,9 +91,9 @@ output "sidecar_bound_ports" { ### Required -- `sidecar_id` (String) The ID of the sidecar. +- `sidecar_id` (String) The ID of the sidecar. ### Read-Only -- `bound_ports` (List of Number) All the sidecar ports that are currently bound to repositories. -- `id` (String) Computed ID for this data source (locally computed to be used in Terraform state). +- `bound_ports` (List of Number) All the sidecar ports that are currently bound to repositories. +- `id` (String) Computed ID for this data source (locally computed to be used in Terraform state). diff --git a/docs/data-sources/sidecar_cft_template.md b/docs/data-sources/sidecar_cft_template.md index 03169d95..a75424be 100644 --- a/docs/data-sources/sidecar_cft_template.md +++ b/docs/data-sources/sidecar_cft_template.md 
@@ -24,18 +24,18 @@ data "cyral_sidecar_cft_template" "some_data_source_name" { ### Required -- `aws_configuration` (Block Set, Min: 1) AWS parameters for `cft-ec2` deployment method. (see [below for nested schema](#nestedblock--aws_configuration)) -- `sidecar_id` (String) ID of the sidecar which the template will be generated. +- `aws_configuration` (Block Set, Min: 1) AWS parameters for `cft-ec2` deployment method. (see [below for nested schema](#nestedblock--aws_configuration)) +- `sidecar_id` (String) ID of the sidecar which the template will be generated. ### Optional -- `log_integration_id` (String) ID of the log integration that will be used by this template. -- `metrics_integration_id` (String) ID of the metrics integration that will be used by this template. -- `template` (String) Output variable with the template. +- `log_integration_id` (String) ID of the log integration that will be used by this template. +- `metrics_integration_id` (String) ID of the metrics integration that will be used by this template. +- `template` (String) Output variable with the template. ### Read-Only -- `id` (String) Same as `sidecar_id`. +- `id` (String) Same as `sidecar_id`. @@ -43,8 +43,8 @@ data "cyral_sidecar_cft_template" "some_data_source_name" { Required: -- `publicly_accessible` (Boolean) Defines a public IP and an internet-facing LB if set to `true`. +- `publicly_accessible` (Boolean) Defines a public IP and an internet-facing LB if set to `true`. Optional: -- `key_name` (String) Key-pair name that will be associated to the sidecar EC2 instances. +- `key_name` (String) Key-pair name that will be associated to the sidecar EC2 instances. diff --git a/docs/data-sources/sidecar_health.md b/docs/data-sources/sidecar_health.md index 05aa05dd..4534d76f 100644 --- a/docs/data-sources/sidecar_health.md +++ b/docs/data-sources/sidecar_health.md 
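Review bot: In the `sidecar_cft_template.md` hunk, `template` is listed under `### Optional` although its description is "Output variable with the template", i.e. a value the provider computes and the user never sets; it belongs under `### Read-Only` next to `id`, which means marking it `Computed` (not `Optional`) in the schema and regenerating. In the same hunk, "ID of the sidecar which the template will be generated" is missing a preposition ("for which the template will be generated").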
@@ -3,7 +3,7 @@ page_title: "cyral_sidecar_health Data Source - terraform-provider-cyral" subcategory: "" description: |- - Retrieve aggregated information about the sidecar's health https://cyral.com/docs/sidecars/sidecar-manage/#check-sidecar-cluster-status, considering all instances of the sidecar. + Retrieve aggregated information about the sidecar's health https://cyral.com/docs/sidecars/sidecar-manage/#check-sidecar-cluster-status, considering all instances of the sidecar. --- # cyral_sidecar_health (Data Source) @@ -16,9 +16,9 @@ Retrieve aggregated information about the [sidecar's health](https://cyral.com/d ### Required -- `sidecar_id` (String) ID of the Sidecar that will be used to retrieve health information. +- `sidecar_id` (String) ID of the Sidecar that will be used to retrieve health information. ### Read-Only -- `id` (String) Data source identifier. -- `status` (String) Sidecar health status. Possible values are: `HEALTHY`, `DEGRADED`, `UNHEALTHY` and `UNKNOWN`. For more information, see [Sidecar Status](https://cyral.com/docs/sidecars/sidecar-manage/#check-sidecar-cluster-status). +- `id` (String) Data source identifier. +- `status` (String) Sidecar health status. Possible values are: `HEALTHY`, `DEGRADED`, `UNHEALTHY` and `UNKNOWN`. For more information, see [Sidecar Status](https://cyral.com/docs/sidecars/sidecar-manage/#check-sidecar-cluster-status). diff --git a/docs/data-sources/sidecar_id.md b/docs/data-sources/sidecar_id.md index f015eb6d..f8af8e13 100644 --- a/docs/data-sources/sidecar_id.md +++ b/docs/data-sources/sidecar_id.md @@ -3,7 +3,7 @@ page_title: "cyral_sidecar_id Data Source - terraform-provider-cyral" subcategory: "" description: |- - Given a sidecar name, retrieves the respective sidecar ID. + Given a sidecar name, retrieves the respective sidecar ID. --- # cyral_sidecar_id (Data Source) 
@@ -33,8 +33,8 @@ output "sidecar_id" { ### Required -- `sidecar_name` (String) The name of the sidecar. +- `sidecar_name` (String) The name of the sidecar. ### Read-Only -- `id` (String) The ID of the sidecar. +- `id` (String) The ID of the sidecar. diff --git a/docs/data-sources/sidecar_instance.md b/docs/data-sources/sidecar_instance.md index b803d877..bae25bdf 100644 --- a/docs/data-sources/sidecar_instance.md +++ b/docs/data-sources/sidecar_instance.md @@ -6,12 +6,12 @@ Retrieve sidecar instances. ### Required -- `sidecar_id` (String) Sidecar identifier. +- `sidecar_id` (String) Sidecar identifier. ### Read-Only -- `id` (String) Data source identifier. -- `instance_list` (List of Object) List of existing sidecar instances. (see [below for nested schema](#nestedatt--instance_list)) +- `id` (String) Data source identifier. +- `instance_list` (List of Object) List of existing sidecar instances. (see [below for nested schema](#nestedatt--instance_list)) @@ -19,9 +19,9 @@ Retrieve sidecar instances. Read-Only: -- `id` (String) Instance identifier. Varies according to the computing platform that the sidecar is deployed to. -- `metadata` (Set of Object) Instance metadata. (see [below for nested schema](#nestedatt--instance_list--metadata)) -- `monitoring` (Set of Object) Instance monitoring information, such as its overall health. (see [below for nested schema](#nestedatt--instance_list--monitoring)) +- `id` (String) Instance identifier. Varies according to the computing platform that the sidecar is deployed to. +- `metadata` (Set of Object) Instance metadata. (see [below for nested schema](#nestedatt--instance_list--metadata)) +- `monitoring` (Set of Object) Instance monitoring information, such as its overall health. (see [below for nested schema](#nestedatt--instance_list--monitoring)) 
@@ -29,12 +29,12 @@ Read-Only: Read-Only: -- `capabilities` (Set of Object) Set of capabilities that can be enabled or disabled. **Note**: This field is per-instance, not per-sidecar, because not all sidecar instances might be in sync at some point in time. (see [below for nested schema](#nestedatt--instance_list--metadata--capabilities)) -- `dynamic_version` (Boolean) If true, indicates that the instance has dynamic versioning, that means that the version is not fixed at template level and it can be automatically upgraded. -- `last_registration` (String) The last time the instance reported to the Control Plane. -- `recycling` (Boolean) Indicates whether the Control Plane has asked the instance to mark itself unhealthy so that it is recycled by the infrastructure. -- `start_timestamp` (String) The time when the instance started. -- `version` (String) Sidecar version that the instance is using. +- `capabilities` (Set of Object) Set of capabilities that can be enabled or disabled. **Note**: This field is per-instance, not per-sidecar, because not all sidecar instances might be in sync at some point in time. (see [below for nested schema](#nestedatt--instance_list--metadata--capabilities)) +- `dynamic_version` (Boolean) If true, indicates that the instance has dynamic versioning, that means that the version is not fixed at template level and it can be automatically upgraded. +- `last_registration` (String) The last time the instance reported to the Control Plane. +- `recycling` (Boolean) Indicates whether the Control Plane has asked the instance to mark itself unhealthy so that it is recycled by the infrastructure. +- `start_timestamp` (String) The time when the instance started. +- `version` (String) Sidecar version that the instance is using. 
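Review bot: In the `sidecar_instance.md` metadata hunk, the `dynamic_version` description "that means that the version is not fixed at template level and it can be automatically upgraded" should read "meaning the version is not fixed at the template level and can be upgraded automatically". `last_registration` and `start_timestamp` are typed `String` but do not say what timestamp format is returned; state it, since users will compare these values in Terraform expressions.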
@@ -42,7 +42,7 @@ Read-Only: Read-Only: -- `recyclable` (Boolean) Indicates if sidecar instance will be recycled (e.g., by an ASG) if it reports itself as unhealthy. +- `recyclable` (Boolean) Indicates if sidecar instance will be recycled (e.g., by an ASG) if it reports itself as unhealthy. @@ -50,8 +50,8 @@ Read-Only: Read-Only: -- `services` (Map of Set of Object) Sidecar instance services monitoring information. (see [below for nested schema](#nestedatt--instance_list--monitoring--services)) -- `status` (String) Aggregated status of all the sidecar services. +- `services` (Map of Set of Object) Sidecar instance services monitoring information. (see [below for nested schema](#nestedatt--instance_list--monitoring--services)) +- `status` (String) Aggregated status of all the sidecar services. @@ -59,10 +59,10 @@ Read-Only: Read-Only: -- `status` (String) Aggregated status of sidecar service. -- `metrics_port` (Number) Metrics port for service monitoring. -- `components` (Map of Set of Object) Map of name to monitoring component. A component is a monitored check on the service that has its own status. (see [below for nested schema](#nestedatt--instance_list--monitoring--services--components)) -- `host` (String) Service host on the deployment. +- `status` (String) Aggregated status of sidecar service. +- `metrics_port` (Number) Metrics port for service monitoring. +- `components` (Map of Set of Object) Map of name to monitoring component. A component is a monitored check on the service that has its own status. (see [below for nested schema](#nestedatt--instance_list--monitoring--services--components)) +- `host` (String) Service host on the deployment. 
@@ -70,6 +70,6 @@ Read-Only: Read-Only: -- `status` (String) Component status. -- `description` (String) Describes what the type of check the component represents. -- `error` (String) Error that describes what caused the current status. +- `status` (String) Component status. +- `description` (String) Describes what the type of check the component represents. +- `error` (String) Error that describes what caused the current status. diff --git a/docs/data-sources/sidecar_instance_ids.md b/docs/data-sources/sidecar_instance_ids.md index 4e831322..78ff0e59 100644 --- a/docs/data-sources/sidecar_instance_ids.md +++ b/docs/data-sources/sidecar_instance_ids.md @@ -3,7 +3,7 @@ page_title: "cyral_sidecar_instance_ids Data Source - terraform-provider-cyral" subcategory: "" description: |- - ~> DEPRECATED This data source was deprecated. It will be removed in the next major version of the provider. Use the data source cyral_sidecar_instance instead + ~> DEPRECATED This data source was deprecated. It will be removed in the next major version of the provider. Use the data source cyral_sidecar_instance instead --- # cyral_sidecar_instance_ids (Data Source) @@ -28,9 +28,9 @@ output "sidecar_instance_ids" { ### Required -- `sidecar_id` (String) The ID of the sidecar. +- `sidecar_id` (String) The ID of the sidecar. ### Read-Only -- `id` (String) Computed ID for this data source (locally computed to be used in Terraform state). -- `instance_ids` (List of String) All the current instance IDs of the sidecar. +- `id` (String) Computed ID for this data source (locally computed to be used in Terraform state). +- `instance_ids` (List of String) All the current instance IDs of the sidecar. diff --git a/docs/data-sources/sidecar_instance_stats.md b/docs/data-sources/sidecar_instance_stats.md index 43f46e63..7466dd8b 100644 --- a/docs/data-sources/sidecar_instance_stats.md +++ b/docs/data-sources/sidecar_instance_stats.md 
@@ -3,7 +3,7 @@ page_title: "cyral_sidecar_instance_stats Data Source - terraform-provider-cyral" subcategory: "" description: |- - Retrieve sidecar instance statistics. See also data source cyral_sidecar_instance ../data-sources/sidecar_instance.md. + Retrieve sidecar instance statistics. See also data source cyral_sidecar_instance ../data-sources/sidecar_instance.md. --- # cyral_sidecar_instance_stats (Data Source) @@ -16,11 +16,11 @@ Retrieve sidecar instance statistics. See also data source [`cyral_sidecar_insta ### Required -- `instance_id` (String) Sidecar instance identifier. See also data source [`cyral_sidecar_instance`](../data-sources/sidecar_instance.md). -- `sidecar_id` (String) Sidecar identifier. +- `instance_id` (String) Sidecar instance identifier. See also data source [`cyral_sidecar_instance`](../data-sources/sidecar_instance.md). +- `sidecar_id` (String) Sidecar identifier. ### Read-Only -- `active_connections` (Number) Number of active connections. -- `id` (String) Data source identifier. It's equal to `instance_id`. -- `queries_per_second` (Number) Amount of queries that the sidecar instance receives per second. +- `active_connections` (Number) Number of active connections. +- `id` (String) Data source identifier. It's equal to `instance_id`. +- `queries_per_second` (Number) Amount of queries that the sidecar instance receives per second. diff --git a/docs/data-sources/sidecar_listener.md b/docs/data-sources/sidecar_listener.md index 28436a6d..da01b016 100644 --- a/docs/data-sources/sidecar_listener.md +++ b/docs/data-sources/sidecar_listener.md @@ -3,7 +3,7 @@ page_title: "cyral_sidecar_listener Data Source - terraform-provider-cyral" subcategory: "" description: |- - Retrieve and filter sidecar listeners. + Retrieve and filter sidecar listeners. --- # cyral_sidecar_listener (Data Source) 
@@ -16,31 +16,31 @@ Retrieve and filter sidecar listeners. ### Required -- `sidecar_id` (String) Filter the results by sidecar ID. +- `sidecar_id` (String) Filter the results by sidecar ID. ### Optional -- `port` (Number) Filter the results per port. -- `repo_type` (String) Filter the results per repository type. Supported repo types: - - `denodo` - - `dremio` - - `dynamodb` - - `dynamodbstreams` - - `galera` - - `mariadb` - - `mongodb` - - `mysql` - - `oracle` - - `postgresql` - - `redshift` - - `s3` - - `snowflake` - - `sqlserver` +- `port` (Number) Filter the results per port. +- `repo_type` (String) Filter the results per repository type. Supported repo types: + - `denodo` + - `dremio` + - `dynamodb` + - `dynamodbstreams` + - `galera` + - `mariadb` + - `mongodb` + - `mysql` + - `oracle` + - `postgresql` + - `redshift` + - `s3` + - `snowflake` + - `sqlserver` ### Read-Only -- `id` (String) The ID of this resource. -- `listener_list` (List of Object) List of existing listeners satisfying the filter criteria. (see [below for nested schema](#nestedatt--listener_list)) +- `id` (String) The ID of this resource. +- `listener_list` (List of Object) List of existing listeners satisfying the filter criteria. (see [below for nested schema](#nestedatt--listener_list)) 
@@ -48,14 +48,14 @@ Retrieve and filter sidecar listeners. Read-Only: -- `dynamodb_settings` (Set of Object) (see [below for nested schema](#nestedobjatt--listener_list--dynamodb_settings)) -- `listener_id` (String) -- `mysql_settings` (Set of Object) (see [below for nested schema](#nestedobjatt--listener_list--mysql_settings)) -- `network_address` (Set of Object) (see [below for nested schema](#nestedobjatt--listener_list--network_address)) -- `repo_types` (List of String) -- `s3_settings` (Set of Object) (see [below for nested schema](#nestedobjatt--listener_list--s3_settings)) -- `sidecar_id` (String) -- `sqlserver_settings` (Set of Object) (see [below for nested schema](#nestedobjatt--listener_list--sqlserver_settings)) +- `dynamodb_settings` (Set of Object) (see [below for nested schema](#nestedobjatt--listener_list--dynamodb_settings)) +- `listener_id` (String) +- `mysql_settings` (Set of Object) (see [below for nested schema](#nestedobjatt--listener_list--mysql_settings)) +- `network_address` (Set of Object) (see [below for nested schema](#nestedobjatt--listener_list--network_address)) +- `repo_types` (List of String) +- `s3_settings` (Set of Object) (see [below for nested schema](#nestedobjatt--listener_list--s3_settings)) +- `sidecar_id` (String) +- `sqlserver_settings` (Set of Object) (see [below for nested schema](#nestedobjatt--listener_list--sqlserver_settings)) @@ -63,7 +63,7 @@ Read-Only: Read-Only: -- `proxy_mode` (Boolean) +- `proxy_mode` (Boolean) @@ -71,8 +71,8 @@ Read-Only: Read-Only: -- `character_set` (String) -- `db_version` (String) +- `character_set` (String) +- `db_version` (String) @@ -80,8 +80,8 @@ Read-Only: Read-Only: -- `host` (String) -- `port` (Number) +- `host` (String) +- `port` (Number) @@ -89,7 +89,7 @@ Read-Only: Read-Only: -- `proxy_mode` (Boolean) +- `proxy_mode` (Boolean) @@ -97,4 +97,4 @@ Read-Only: Read-Only: -- `version` (String) +- `version` (String) 
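Review bot: In the `sidecar_listener.md` `listener_list` hunks, none of the nested read-only attributes has a description: `listener_id`, `repo_types`, `sidecar_id`, both `proxy_mode` flags, `character_set`, `db_version`, `host`, `port` and `version` are bare type annotations. The two `proxy_mode` booleans in particular are the kind of switch an operator needs a sentence on, and `repo_types` should point at the list of supported values already given for the `repo_type` filter in the previous hunk. The whitespace reflow is fine; the fix is in the nested schema descriptions, not in this page.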
diff --git a/docs/data-sources/system_info.md b/docs/data-sources/system_info.md index 8b7de107..39fb5e5f 100644 --- a/docs/data-sources/system_info.md +++ b/docs/data-sources/system_info.md @@ -3,7 +3,7 @@ page_title: "cyral_system_info Data Source - terraform-provider-cyral" subcategory: "" description: |- - Retrieve information from Cyral system. + Retrieve information from Cyral system. --- # cyral_system_info (Data Source) @@ -16,6 +16,6 @@ Retrieve information from Cyral system. ### Read-Only -- `control_plane_version` (String) Control Plane version. -- `id` (String) Data source identifier. -- `sidecar_latest_version` (String) Latest Sidecar version available to this Control Plane. +- `control_plane_version` (String) Control Plane version. +- `id` (String) Data source identifier. +- `sidecar_latest_version` (String) Latest Sidecar version available to this Control Plane. diff --git a/docs/guides/4.0-migration-guide.md b/docs/guides/4.0-migration-guide.md index 2b49f68b..689d5924 100644 --- a/docs/guides/4.0-migration-guide.md +++ b/docs/guides/4.0-migration-guide.md 
@@ -27,16 +27,16 @@ Cyral Terraform Provider v4 introduces [Smart Ports](https://cyral.com/docs/side With the introduction of [Smart Ports](https://cyral.com/docs/sidecars/manage/bind-repo#smart-ports), it is now possible to define multiple listener configurations for a single sidecar. This feature required some breaking changes to the schema of [`cyral_repository`](https://registry.terraform.io/providers/cyralinc/cyral/latest/docs/resources/repository) and [`cyral_repository_binding`](https://registry.terraform.io/providers/cyralinc/cyral/latest/docs/resources/repository_binding) while also adding new resources. Here is the summary of the changes: -- New resources named [`cyral_sidecar_listener`](https://registry.terraform.io/providers/cyralinc/cyral/latest/docs/resources/sidecar_listener) and [`cyral_repository_access_gateway`](https://registry.terraform.io/providers/cyralinc/cyral/latest/docs/resources/repository_access_gateway) were introduced. -- Argument `cyral_repository.host` was moved to `cyral_repository.repo_node.host`. -- Argument `cyral_repository.port` was moved to `cyral_repository.repo_node.port`. -- Argument `cyral_repository.properties.mongodb_replica_set.max_nodes` was removed. The argument is no - longer used and is automatically inferred from the number of `repo_node` blocks declared in - `cyral_repository`. -- Argument `cyral_repository.properties.mongodb_replica_set.replica_set_id` was moved to `cyral_repository.mongodb_settings.replica_set_name`. -- Argument `cyral_repository_binding.listener_host` was moved to `cyral_sidecar_listener.network_address.host`. -- Argument `cyral_repository_binding.listener_port` was moved to `cyral_sidecar_listener.network_address.port`. -- Argument `cyral_repository_binding.sidecar_as_idp_access_gateway` was moved to the resource [`cyral_repository_access_gateway`](https://registry.terraform.io/providers/cyralinc/cyral/latest/docs/resources/repository_access_gateway). Please check the resource documentation. 
+- New resources named [`cyral_sidecar_listener`](https://registry.terraform.io/providers/cyralinc/cyral/latest/docs/resources/sidecar_listener) and [`cyral_repository_access_gateway`](https://registry.terraform.io/providers/cyralinc/cyral/latest/docs/resources/repository_access_gateway) were introduced. +- Argument `cyral_repository.host` was moved to `cyral_repository.repo_node.host`. +- Argument `cyral_repository.port` was moved to `cyral_repository.repo_node.port`. +- Argument `cyral_repository.properties.mongodb_replica_set.max_nodes` was removed. The argument is no + longer used and is automatically inferred from the number of `repo_node` blocks declared in + `cyral_repository`. +- Argument `cyral_repository.properties.mongodb_replica_set.replica_set_id` was moved to `cyral_repository.mongodb_settings.replica_set_name`. +- Argument `cyral_repository_binding.listener_host` was moved to `cyral_sidecar_listener.network_address.host`. +- Argument `cyral_repository_binding.listener_port` was moved to `cyral_sidecar_listener.network_address.port`. +- Argument `cyral_repository_binding.sidecar_as_idp_access_gateway` was moved to the resource [`cyral_repository_access_gateway`](https://registry.terraform.io/providers/cyralinc/cyral/latest/docs/resources/repository_access_gateway). Please check the resource documentation. Please see the example below of how resource definitions for `cyral_repository` and `cyral_repository_binding` resources would be rewritten upon upgrading to Cyral Terraform Provider v4. 
@@ -126,16 +126,16 @@ for information on the provider changes from v2 to v3. The migration script requires the following tools: -- Bash Version 4 or higher. The script will check your `$BASH_VERSION` environment variable, and exit if it is not set to a version 4.0 or higher. +- Bash Version 4 or higher. The script will check your `$BASH_VERSION` environment variable, and exit if it is not set to a version 4.0 or higher. -- Terraform CLI. Download instructions can be found [here](https://learn.hashicorp.com/tutorials/terraform/install-cli). +- Terraform CLI. Download instructions can be found [here](https://learn.hashicorp.com/tutorials/terraform/install-cli). -- JQ. Download instructions can be found [here](https://stedolan.github.io/jq/download/). +- JQ. Download instructions can be found [here](https://stedolan.github.io/jq/download/). -- Access configuration to your Cyral Control Plane set to the following environment variables before running the script: - - `CYRAL_TF_CONTROL_PLANE` (`[tenant].app.cyral.com`) - - `CYRAL_TF_CLIENT_ID` - - `CYRAL_TF_CLIENT_SECRET`. +- Access configuration to your Cyral Control Plane set to the following environment variables before running the script: + - `CYRAL_TF_CONTROL_PLANE` (`[tenant].app.cyral.com`) + - `CYRAL_TF_CLIENT_ID` + - `CYRAL_TF_CLIENT_SECRET`. The script will exit if either of these tools are not installed or the environment variables are not set. diff --git a/docs/guides/repo_level_policy.md b/docs/guides/repo_level_policy.md index 9c497537..06ec61d2 100644 --- a/docs/guides/repo_level_policy.md +++ b/docs/guides/repo_level_policy.md 
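Review bot: In the `4.0-migration-guide.md` requirements hunk, the closing sentence "The script will exit if either of these tools are not installed" should read "if any of these tools is not installed", since four items are listed. Two smaller points in the same list: `$BASH_VERSION` is a shell variable set by bash itself rather than an environment variable, so "check your `$BASH_VERSION` environment variable" is misleading; and the last bullet ends with a stray period (`CYRAL_TF_CLIENT_SECRET`.) while the other two bullets do not. "JQ" is normally written `jq`, matching the download link.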
@@ -7,11 +7,11 @@ In this guide, we provide different examples on how to use them. Recommended further reading: -- Refer to the [Cyral policies](https://cyral.com/docs/policy/overview/) page in our public - docs for a complete documentation about the Cyral policy framework. -- Refer to the [`cyral_rego_policy_instance`](https://registry.terraform.io/providers/cyralinc/cyral/latest/docs/resources/rego_policy_instance) - resource for more details about the [template parameters](https://registry.terraform.io/providers/cyralinc/cyral/latest/docs/resources/rego_policy_instance#template-parameters) - and how to use the pre-built repo-level policies in Terraform. +- Refer to the [Cyral policies](https://cyral.com/docs/policy/overview/) page in our public + docs for a complete documentation about the Cyral policy framework. +- Refer to the [`cyral_rego_policy_instance`](https://registry.terraform.io/providers/cyralinc/cyral/latest/docs/resources/rego_policy_instance) + resource for more details about the [template parameters](https://registry.terraform.io/providers/cyralinc/cyral/latest/docs/resources/rego_policy_instance#template-parameters) + and how to use the pre-built repo-level policies in Terraform. ## Example: data firewall diff --git a/docs/index.md b/docs/index.md index 0cc83e41..fd27a27d 100644 --- a/docs/index.md +++ b/docs/index.md @@ -1,7 +1,7 @@ --- page_title: "Provider: Cyral" description: |- - Terraform provider to interact with Cyral API. + Terraform provider to interact with Cyral API. --- -> If you are upgrading from versions `v2` or `v3` of this provider, please refer to our @@ -30,7 +30,7 @@ history with its features, bug fixes and Control Plane compatibility. To install this provider, copy and paste this code into your Terraform configuration. Then, run `terraform init`. -- Terraform 0.13+ +- Terraform 0.13+ ```terraform terraform { 
@@ -82,10 +82,10 @@ the old one. ### Required -- `control_plane` (String) Control plane host and API port (ex: `tenant.app.cyral.com`) +- `control_plane` (String) Control plane host and API port (ex: `tenant.app.cyral.com`) ### Optional -- `client_id` (String, Sensitive) Client id used to authenticate against the control plane. Can be ommited and declared using the environment variable `CYRAL_TF_CLIENT_ID`. -- `client_secret` (String, Sensitive) Client secret used to authenticate against the control plane. Can be ommited and declared using the environment variable `CYRAL_TF_CLIENT_SECRET`. -- `tls_skip_verify` (Boolean) Specifies if the client will verify the TLS server certificate used by the control plane. If set to `true`, the client will not verify the server certificate, hence, it will allow insecure connections to be established. This should be set only for testing and is not recommended to be used in production environments. Can be set through the `CYRAL_TF_TLS_SKIP_VERIFY` environment variable. Defaults to `false`. +- `client_id` (String, Sensitive) Client id used to authenticate against the control plane. Can be ommited and declared using the environment variable `CYRAL_TF_CLIENT_ID`. +- `client_secret` (String, Sensitive) Client secret used to authenticate against the control plane. Can be ommited and declared using the environment variable `CYRAL_TF_CLIENT_SECRET`. +- `tls_skip_verify` (Boolean) Specifies if the client will verify the TLS server certificate used by the control plane. If set to `true`, the client will not verify the server certificate, hence, it will allow insecure connections to be established. This should be set only for testing and is not recommended to be used in production environments. Can be set through the `CYRAL_TF_TLS_SKIP_VERIFY` environment variable. Defaults to `false`. diff --git a/docs/resources/access_token_settings.md b/docs/resources/access_token_settings.md index 69828379..632f8471 100644 
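Review bot: In the `index.md` provider-schema hunk, "Can be ommited" is misspelled in both the `client_id` and `client_secret` descriptions ("omitted") and the reflow preserved the typo. The `control_plane` description says "Control plane host and API port" but its example `tenant.app.cyral.com` carries no port, so either show a `host:port` example or drop "and API port". For `tls_skip_verify`, since the setting can also be turned on through `CYRAL_TF_TLS_SKIP_VERIFY`, the description should say which takes precedence when the argument and the environment variable disagree; a CI runner that exports the variable would otherwise disable certificate verification without anything in the configuration showing it.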
--- a/docs/resources/access_token_settings.md +++ b/docs/resources/access_token_settings.md 
@@ -22,12 +22,12 @@ resource "cyral_access_token_settings" "current" { ### Optional -- `default_validity` (String) The default duration used for access token validity. Defaults to `36000s`. Should follow the protobuf duration string format, which corresponds to a sequence of decimal numbers suffixed by a 's' at the end, representing the duration in seconds. For example: `300s`, `60s`, `10.50s`, etc. -- `max_number_of_tokens_per_user` (Number) The maximum number of access tokens that a user can have at the same time. Must be between `1` and `5` (inclusive). Defaults to `3`. -- `max_validity` (String) The maximum duration that a user can request for access token validity. Defaults to `36000s`. Should follow the protobuf duration string format, which corresponds to a sequence of decimal numbers suffixed by a 's' at the end, representing the duration in seconds. For example: `300s`, `60s`, `10.50s`, etc. -- `offline_token_validation` (Boolean) The configuration that determines if the sidecar should perform access token validation independently using cached token values. If this is `true`, the sidecar will be able to validate and authenticate database access even when it cannot reach the Control Plane. Defaults to `true`. -- `token_length` (Number) The number of characters of the access token plaintext value. Valid values are `8`, `12` and `16`. Defaults to `16`. +- `default_validity` (String) The default duration used for access token validity. Defaults to `36000s`. Should follow the protobuf duration string format, which corresponds to a sequence of decimal numbers suffixed by a 's' at the end, representing the duration in seconds. For example: `300s`, `60s`, `10.50s`, etc. +- `max_number_of_tokens_per_user` (Number) The maximum number of access tokens that a user can have at the same time. Must be between `1` and `5` (inclusive). Defaults to `3`. +- `max_validity` (String) The maximum duration that a user can request for access token validity. Defaults to `36000s`. 
Should follow the protobuf duration string format, which corresponds to a sequence of decimal numbers suffixed by a 's' at the end, representing the duration in seconds. For example: `300s`, `60s`, `10.50s`, etc. +- `offline_token_validation` (Boolean) The configuration that determines if the sidecar should perform access token validation independently using cached token values. If this is `true`, the sidecar will be able to validate and authenticate database access even when it cannot reach the Control Plane. Defaults to `true`. +- `token_length` (Number) The number of characters of the access token plaintext value. Valid values are `8`, `12` and `16`. Defaults to `16`. ### Read-Only -- `id` (String) The resource identifier. It's set as `settings/access_token`. +- `id` (String) The resource identifier. It's set as `settings/access_token`. diff --git a/docs/resources/datalabel.md b/docs/resources/datalabel.md index f4e03b49..e0ff078f 100644 --- a/docs/resources/datalabel.md +++ b/docs/resources/datalabel.md @@ -3,7 +3,7 @@ page_title: "cyral_datalabel Resource - terraform-provider-cyral" subcategory: "" description: |- - Manages data labels. Data labels are part of the Cyral Data Map https://cyral.com/docs/policy/datamap. + Manages data labels. Data labels are part of the Cyral Data Map https://cyral.com/docs/policy/datamap. --- # cyral_datalabel (Resource) 
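Review bot: In the `access_token_settings.md` `### Optional` hunk, `offline_token_validation` says the sidecar will "validate and authenticate database access even when it cannot reach the Control Plane" using "cached token values" and defaults to `true`, but does not say how long a cached token is honoured or what happens to a token that is revoked or expires while the Control Plane is unreachable; that is the detail a reader deciding whether to keep the default needs. Separately, `default_validity` and `max_validity` repeat the same protobuf-duration sentence word for word; state it once, and if the Control Plane rejects a `default_validity` larger than `max_validity`, say so.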
@@ -31,17 +31,17 @@ resource "cyral_datalabel" "NAME" { ### Required -- `name` (String) Name of the data label. +- `name` (String) Name of the data label. ### Optional -- `classification_rule` (Block Set, Max: 1) Classification rules are used by the [Automatic Data Map](https://cyral.com/docs/policy/automatic-datamap) feature to automatically map data locations to labels. (see [below for nested schema](#nestedblock--classification_rule)) -- `description` (String) Description of the data label. -- `tags` (List of String) Tags that can be used to categorize data labels. +- `classification_rule` (Block Set, Max: 1) Classification rules are used by the [Automatic Data Map](https://cyral.com/docs/policy/automatic-datamap) feature to automatically map data locations to labels. (see [below for nested schema](#nestedblock--classification_rule)) +- `description` (String) Description of the data label. +- `tags` (List of String) Tags that can be used to categorize data labels. ### Read-Only -- `id` (String) The ID of this resource. +- `id` (String) The ID of this resource. @@ -49,10 +49,10 @@ resource "cyral_datalabel" "NAME" { Optional: -- `rule_code` (String) Actual code of the classification rule. For example, this attribute may contain REGO code for `REGO`-type classification rules. -- `rule_status` (String) Status of the classification rule. List of supported values: - - `ENABLED` - - `DISABLED` -- `rule_type` (String) Type of the classification rule. List of supported values: - - `UNKNOWN` - - `REGO` +- `rule_code` (String) Actual code of the classification rule. For example, this attribute may contain REGO code for `REGO`-type classification rules. +- `rule_status` (String) Status of the classification rule. List of supported values: + - `ENABLED` + - `DISABLED` +- `rule_type` (String) Type of the classification rule. List of supported values: + - `UNKNOWN` + - `REGO` 
diff --git a/docs/resources/integration_aws_iam.md b/docs/resources/integration_aws_iam.md index cc3e45c0..4a9757c3 100644 --- a/docs/resources/integration_aws_iam.md +++ b/docs/resources/integration_aws_iam.md @@ -3,7 +3,7 @@ page_title: "cyral_integration_aws_iam Resource - terraform-provider-cyral" subcategory: "" description: |- - Authenticate users based on AWS IAM credentials. + Authenticate users based on AWS IAM credentials. --- # cyral_integration_aws_iam (Resource) @@ -16,13 +16,13 @@ Authenticate users based on AWS IAM credentials. ### Required -- `name` (String) The name of this AWS IAM Authentication integration. -- `role_arns` (List of String) List of role ARNs which will be used for authentication. +- `name` (String) The name of this AWS IAM Authentication integration. +- `role_arns` (List of String) List of role ARNs which will be used for authentication. ### Optional -- `description` (String) Optional description of this integration. +- `description` (String) Optional description of this integration. ### Read-Only -- `id` (String) ID of this resource in Cyral environment. +- `id` (String) ID of this resource in Cyral environment. diff --git a/docs/resources/integration_datadog.md b/docs/resources/integration_datadog.md index cbd47c60..16d96453 100644 --- a/docs/resources/integration_datadog.md +++ b/docs/resources/integration_datadog.md @@ -3,7 +3,7 @@ page_title: "cyral_integration_datadog Resource - terraform-provider-cyral" subcategory: "" description: |- - ~> DEPRECATED If configuring Datadog for logging purposes, use resource cyral_integration_logging instead. + ~> DEPRECATED If configuring Datadog for logging purposes, use resource cyral_integration_logging instead. --- # cyral_integration_datadog (Resource) 
@@ -25,9 +25,9 @@ resource "cyral_integration_datadog" "some_resource_name" { ### Required -- `api_key` (String, Sensitive) Datadog API key. -- `name` (String) Integration name that will be used internally in the control plane. +- `api_key` (String, Sensitive) Datadog API key. +- `name` (String) Integration name that will be used internally in the control plane. ### Read-Only -- `id` (String) ID of this resource in Cyral environment +- `id` (String) ID of this resource in Cyral environment diff --git a/docs/resources/integration_elk.md b/docs/resources/integration_elk.md index e0f8e860..0770b324 100644 --- a/docs/resources/integration_elk.md +++ b/docs/resources/integration_elk.md @@ -3,7 +3,7 @@ page_title: "cyral_integration_elk Resource - terraform-provider-cyral" subcategory: "" description: |- - ~> DEPRECATED Use resource cyral_integration_logging instead. + ~> DEPRECATED Use resource cyral_integration_logging instead. --- # cyral_integration_elk (Resource) @@ -26,10 +26,10 @@ resource "cyral_integration_elk" "some_resource_name" { ### Required -- `es_url` (String) Elastic Search URL. -- `kibana_url` (String) Kibana URL. -- `name` (String) Integration name that will be used internally in the control plane. +- `es_url` (String) Elastic Search URL. +- `kibana_url` (String) Kibana URL. +- `name` (String) Integration name that will be used internally in the control plane. ### Read-Only -- `id` (String) ID of this resource in Cyral environment +- `id` (String) ID of this resource in Cyral environment diff --git a/docs/resources/integration_hc_vault.md b/docs/resources/integration_hc_vault.md index 75d960d4..94493bef 100644 --- a/docs/resources/integration_hc_vault.md +++ b/docs/resources/integration_hc_vault.md 
@@ -3,7 +3,7 @@ page_title: "cyral_integration_hc_vault Resource - terraform-provider-cyral" subcategory: "" description: |- - Manages integration with Hashicorp Vault to store secrets. + Manages integration with Hashicorp Vault to store secrets. --- # cyral_integration_hc_vault (Resource) @@ -27,11 +27,11 @@ resource "cyral_integration_hc_vault" "some_resource_name" { ### Required -- `auth_method` (String) Authentication method for the integration. -- `auth_type` (String) Authentication type for the integration. -- `name` (String) Integration name that will be used internally in the control plane. -- `server` (String, Sensitive) Server on which the vault service is running. +- `auth_method` (String) Authentication method for the integration. +- `auth_type` (String) Authentication type for the integration. +- `name` (String) Integration name that will be used internally in the control plane. +- `server` (String, Sensitive) Server on which the vault service is running. ### Read-Only -- `id` (String) ID of this resource in Cyral environment +- `id` (String) ID of this resource in Cyral environment diff --git a/docs/resources/integration_idp_aad.md b/docs/resources/integration_idp_aad.md index d653c208..8904f71f 100644 --- a/docs/resources/integration_idp_aad.md +++ b/docs/resources/integration_idp_aad.md 
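Review bot: In the `integration_aws_iam.md` hunk, `role_arns` is documented only as "List of role ARNs which will be used for authentication", which leaves the direction of trust ambiguous: a reader cannot tell whether these are roles the service assumes or the caller roles whose IAM credentials are accepted. Either way the list decides who can authenticate, so the description should state which it is. In the `integration_hc_vault.md` hunk, `auth_method` and `auth_type` give no supported values, unlike `rule_status` and `rule_type` in `datalabel.md`, which enumerate theirs; a "List of supported values" line would make the generated docs consistent. Spelling in the same hunks: "Hashicorp Vault" should be "HashiCorp Vault", and "Elastic Search URL" in `integration_elk.md` should be "Elasticsearch URL".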
@@ -74,15 +74,15 @@ resource "cyral_integration_idp_aad" "some_resource_name" { ### Required -- `samlp` (Block Set, Min: 1, Max: 1) It contains the top-level configuration for an identity provider. (see [below for nested schema](#nestedblock--samlp)) +- `samlp` (Block Set, Min: 1, Max: 1) It contains the top-level configuration for an identity provider. (see [below for nested schema](#nestedblock--samlp)) ### Optional -- `draft_alias` (String) An `alias` that uniquely identifies a IdP Integration draft. If set, will delete any correspondent draft and create a new IdP Integration with the same `alias`. Defaults to `""`. +- `draft_alias` (String) An `alias` that uniquely identifies a IdP Integration draft. If set, will delete any correspondent draft and create a new IdP Integration with the same `alias`. Defaults to `""`. ### Read-Only -- `id` (String) ID of this resource, which corresponds to the IdP Integration `alias`. +- `id` (String) ID of this resource, which corresponds to the IdP Integration `alias`. 
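Review bot: In this `integration_idp_aad.md` hunk, `draft_alias` documents a destructive side effect only in passing: "will delete any correspondent draft and create a new IdP Integration with the same `alias`". That consequence should lead the entry, e.g. "Setting this deletes the draft with that alias on create", so nobody points it at a draft still in use. Wording: "a IdP Integration" should be "an IdP Integration" and "correspondent draft" should be "corresponding draft". The `id` entry says the ID corresponds to the IdP Integration `alias`, but `alias` is not an attribute of this resource as documented; say whether it is `draft_alias` or a value assigned by the control plane.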
@@ -90,23 +90,23 @@ resource "cyral_integration_idp_aad" "some_resource_name" { Required: -- `config` (Block Set, Min: 1, Max: 1) SAML configuration for this IdP Integration. (see [below for nested schema](#nestedblock--samlp--config)) +- `config` (Block Set, Min: 1, Max: 1) SAML configuration for this IdP Integration. (see [below for nested schema](#nestedblock--samlp--config)) Optional: -- `add_read_token_role_on_create` (Boolean) Adds read token role on creation. Defaults to `false`. -- `disabled` (Boolean) Disable maps to Keycloak's `enabled` field. Defaults to `false`. -- `display_name` (String) Name of the IdP Integration displayed in the control plane. Defaults to `Azure Active Directory` -- `first_broker_login_flow_alias` (String) Alias of authentication flow, which is triggered after `First Login` with this identity provider. Term `First Login` means that no Keycloak account is currently linked to the authenticated identity provider account. Defaults to `SAML_First_Broker`. -- `link_only` (Boolean) If true, users cannot log in through this identity provider. They can only link to this identity provider. This is useful if you don't want to allow login from the identity provider, but want to integrate with an identity provider. Defaults to `false`. -- `post_broker_login_flow_alias` (String) Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you need no any additional authenticators to be triggered after login with this identity provider. Defaults to `""`. -- `provider_id` (String) This is the provider ID of `saml`. Defaults to `saml`. -- `store_token` (Boolean) Enable if tokens must be stored after authenticating users. Defaults to `false`. -- `trust_email` (Boolean) If the identity provider supplies an email address this email address will be trusted. 
If the realm required email validation, users that log in from this identity provider will not have to go through the email verification process. Defaults to `false`. +- `add_read_token_role_on_create` (Boolean) Adds read token role on creation. Defaults to `false`. +- `disabled` (Boolean) Disable maps to Keycloak's `enabled` field. Defaults to `false`. +- `display_name` (String) Name of the IdP Integration displayed in the control plane. Defaults to `Azure Active Directory` +- `first_broker_login_flow_alias` (String) Alias of authentication flow, which is triggered after `First Login` with this identity provider. Term `First Login` means that no Keycloak account is currently linked to the authenticated identity provider account. Defaults to `SAML_First_Broker`. +- `link_only` (Boolean) If true, users cannot log in through this identity provider. They can only link to this identity provider. This is useful if you don't want to allow login from the identity provider, but want to integrate with an identity provider. Defaults to `false`. +- `post_broker_login_flow_alias` (String) Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you need no any additional authenticators to be triggered after login with this identity provider. Defaults to `""`. +- `provider_id` (String) This is the provider ID of `saml`. Defaults to `saml`. +- `store_token` (Boolean) Enable if tokens must be stored after authenticating users. Defaults to `false`. +- `trust_email` (Boolean) If the identity provider supplies an email address this email address will be trusted. If the realm required email validation, users that log in from this identity provider will not have to go through the email verification process. Defaults to `false`. 
Read-Only: -- `internal_id` (String) An ID that is auto-generated internally for this IdP Integration. +- `internal_id` (String) An ID that is auto-generated internally for this IdP Integration. 
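Review bot: In this `samlp` hunk, `disabled` is described as "Disable maps to Keycloak's `enabled` field", which never says the mapping is inverted; write "When `true`, sets Keycloak's `enabled` to `false`" so the double negative is explicit. `trust_email` should spell out what it only implies: with `true`, an email address asserted by the IdP bypasses realm email verification, so it is appropriate only when the IdP is authoritative for those addresses. Grammar in the same entries: "If the realm required email validation" should read "requires", and in `post_broker_login_flow_alias` "if you need no any additional authenticators" should read "if no additional authenticators need to be triggered". `store_token` says tokens "must be stored" without saying which tokens or where; a reader deciding whether to enable it needs that.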
@@ -114,28 +114,28 @@ Read-Only: Required: -- `single_sign_on_service_url` (String) URL that must be used to send authentication requests (SAML AuthnRequest). +- `single_sign_on_service_url` (String) URL that must be used to send authentication requests (SAML AuthnRequest). Optional: -- `allowed_clock_skew` (Number) Clock skew in seconds that is tolerated when validating identity provider tokens. Defaults to `0`. -- `back_channel_supported` (Boolean) Defaults to `false` if unset. -- `base_64_saml_metadata_document` (String) Full SAML metadata document that was used to import the SAML configuration, Base64 encoded. Defaults to `""`. -- `disable_force_authentication` (Boolean) Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. Defaults to `false` -- `disable_post_binding_authn_request` (Boolean) Indicates whether the AuthnRequest must be sent using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. Defaults to `false`. -- `disable_post_binding_logout` (Boolean) Indicates whether to respond to requests using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. Defaults to `false`. -- `disable_post_binding_response` (Boolean) Indicates whether to respond to requests using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. Defaults to `false`. -- `disable_using_jwks_url` (Boolean) By default, the jwks URL is used for all SAML connections. Defaults to `false`. -- `gui_order` (String) GUI order. Defaults to `""`. -- `hide_on_login_page` (Boolean) Defaults to `false` if unset. -- `ldap_group_attribute` (String) Type of `LDAP Group RDN` that identifies the name of a group within a DN. For example, if an LDAP DN sent in a SAML assertion is `cn=Everyone`, `ou=groups`, `dc=openam`, `dc=forgerock`, `dc=org` and the `LDAP Group RDN` Type is `cn` Cyral will interpret `Everyone` as the group name. 
-- `name_id_policy_format` (String) Defaults to `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified` if unset. -- `principal_type` (String) Defaults to `SUBJECT` if unset. -- `saml_metadata_url` (String) This is the full SAML metadata URL that was used to import the SAML configuration. Defaults to `""`. -- `saml_xml_key_name_tranformer` (String) Defaults to `KEY_ID` if unset. -- `signature_type` (String) Defaults to `RSA_SHA256` if unset. -- `signing_certificate` (String) Signing certificate used to validate signatures. Required if signature validation is enabled. Defaults to `""`. -- `single_logout_service_url` (String) URL that must be used to send logout requests. Defaults to `""`. -- `sync_mode` (String) Defaults to `FORCE` if unset. -- `want_assertions_encrypted` (Boolean) Indicates whether the service provider expects an encrypted Assertion. Defaults to `false`. -- `xml_sig_key_info_key_name_transformer` (String) Defaults to `KEY_ID` if unset. +- `allowed_clock_skew` (Number) Clock skew in seconds that is tolerated when validating identity provider tokens. Defaults to `0`. +- `back_channel_supported` (Boolean) Defaults to `false` if unset. +- `base_64_saml_metadata_document` (String) Full SAML metadata document that was used to import the SAML configuration, Base64 encoded. Defaults to `""`. +- `disable_force_authentication` (Boolean) Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. Defaults to `false` +- `disable_post_binding_authn_request` (Boolean) Indicates whether the AuthnRequest must be sent using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. Defaults to `false`. +- `disable_post_binding_logout` (Boolean) Indicates whether to respond to requests using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. Defaults to `false`. 
+- `disable_post_binding_response` (Boolean) Indicates whether to respond to requests using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. Defaults to `false`. +- `disable_using_jwks_url` (Boolean) By default, the jwks URL is used for all SAML connections. Defaults to `false`. +- `gui_order` (String) GUI order. Defaults to `""`. +- `hide_on_login_page` (Boolean) Defaults to `false` if unset. +- `ldap_group_attribute` (String) Type of `LDAP Group RDN` that identifies the name of a group within a DN. For example, if an LDAP DN sent in a SAML assertion is `cn=Everyone`, `ou=groups`, `dc=openam`, `dc=forgerock`, `dc=org` and the `LDAP Group RDN` Type is `cn` Cyral will interpret `Everyone` as the group name. +- `name_id_policy_format` (String) Defaults to `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified` if unset. +- `principal_type` (String) Defaults to `SUBJECT` if unset. +- `saml_metadata_url` (String) This is the full SAML metadata URL that was used to import the SAML configuration. Defaults to `""`. +- `saml_xml_key_name_tranformer` (String) Defaults to `KEY_ID` if unset. +- `signature_type` (String) Defaults to `RSA_SHA256` if unset. +- `signing_certificate` (String) Signing certificate used to validate signatures. Required if signature validation is enabled. Defaults to `""`. +- `single_logout_service_url` (String) URL that must be used to send logout requests. Defaults to `""`. +- `sync_mode` (String) Defaults to `FORCE` if unset. +- `want_assertions_encrypted` (Boolean) Indicates whether the service provider expects an encrypted Assertion. Defaults to `false`. +- `xml_sig_key_info_key_name_transformer` (String) Defaults to `KEY_ID` if unset. diff --git a/docs/resources/integration_idp_adfs.md b/docs/resources/integration_idp_adfs.md index 2d35dac8..b914108f 100644 --- a/docs/resources/integration_idp_adfs.md +++ b/docs/resources/integration_idp_adfs.md 
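Review bot: In the `samlp--config` hunk of `integration_idp_aad.md` (and identically in the `adfs` and `forgerock` copies below), `disable_post_binding_logout` carries the same sentence as `disable_post_binding_response`, "Indicates whether to respond to requests using `HTTP-POST` binding"; the logout entry should say it governs the binding used for logout messages sent to `single_logout_service_url`. `signing_certificate` is "Required if signature validation is enabled", but no attribute in this block enables or disables signature validation, so name the setting that controls it or state that signatures are always validated when a certificate is set. `allowed_clock_skew` refers to "identity provider tokens"; in SAML these are assertions and responses. `disable_using_jwks_url` speaks of a "jwks URL ... for all SAML connections", a JWT/OIDC concept, so either explain what it means for a SAML IdP or mark it as a Keycloak pass-through. In `ldap_group_attribute` the example DN is split into separately backticked, comma-separated pieces; it should be one string, `cn=Everyone,ou=groups,dc=openam,dc=forgerock,dc=org`. Finally, the attribute name `saml_xml_key_name_tranformer` has a typo that the docs alone cannot fix; since the generated docs lock it in, consider a correctly spelled attribute with the old name kept as a deprecated alias.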
@@ -74,15 +74,15 @@ resource "cyral_integration_idp_adfs" "some_resource_name" { ### Required -- `samlp` (Block Set, Min: 1, Max: 1) It contains the top-level configuration for an identity provider. (see [below for nested schema](#nestedblock--samlp)) +- `samlp` (Block Set, Min: 1, Max: 1) It contains the top-level configuration for an identity provider. (see [below for nested schema](#nestedblock--samlp)) ### Optional -- `draft_alias` (String) An `alias` that uniquely identifies a IdP Integration draft. If set, will delete any correspondent draft and create a new IdP Integration with the same `alias`. Defaults to `""`. +- `draft_alias` (String) An `alias` that uniquely identifies a IdP Integration draft. If set, will delete any correspondent draft and create a new IdP Integration with the same `alias`. Defaults to `""`. ### Read-Only -- `id` (String) ID of this resource, which corresponds to the IdP Integration `alias`. +- `id` (String) ID of this resource, which corresponds to the IdP Integration `alias`. 
@@ -90,23 +90,23 @@ resource "cyral_integration_idp_adfs" "some_resource_name" { Required: -- `config` (Block Set, Min: 1, Max: 1) SAML configuration for this IdP Integration. (see [below for nested schema](#nestedblock--samlp--config)) +- `config` (Block Set, Min: 1, Max: 1) SAML configuration for this IdP Integration. (see [below for nested schema](#nestedblock--samlp--config)) Optional: -- `add_read_token_role_on_create` (Boolean) Adds read token role on creation. Defaults to `false`. -- `disabled` (Boolean) Disable maps to Keycloak's `enabled` field. Defaults to `false`. -- `display_name` (String) Name of the IdP Integration displayed in the control plane. Defaults to `Active Directory` -- `first_broker_login_flow_alias` (String) Alias of authentication flow, which is triggered after `First Login` with this identity provider. Term `First Login` means that no Keycloak account is currently linked to the authenticated identity provider account. Defaults to `SAML_First_Broker`. -- `link_only` (Boolean) If true, users cannot log in through this identity provider. They can only link to this identity provider. This is useful if you don't want to allow login from the identity provider, but want to integrate with an identity provider. Defaults to `false`. -- `post_broker_login_flow_alias` (String) Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you need no any additional authenticators to be triggered after login with this identity provider. Defaults to `""`. -- `provider_id` (String) This is the provider ID of `saml`. Defaults to `saml`. -- `store_token` (Boolean) Enable if tokens must be stored after authenticating users. Defaults to `false`. -- `trust_email` (Boolean) If the identity provider supplies an email address this email address will be trusted. 
If the realm required email validation, users that log in from this identity provider will not have to go through the email verification process. Defaults to `false`. +- `add_read_token_role_on_create` (Boolean) Adds read token role on creation. Defaults to `false`. +- `disabled` (Boolean) Disable maps to Keycloak's `enabled` field. Defaults to `false`. +- `display_name` (String) Name of the IdP Integration displayed in the control plane. Defaults to `Active Directory` +- `first_broker_login_flow_alias` (String) Alias of authentication flow, which is triggered after `First Login` with this identity provider. Term `First Login` means that no Keycloak account is currently linked to the authenticated identity provider account. Defaults to `SAML_First_Broker`. +- `link_only` (Boolean) If true, users cannot log in through this identity provider. They can only link to this identity provider. This is useful if you don't want to allow login from the identity provider, but want to integrate with an identity provider. Defaults to `false`. +- `post_broker_login_flow_alias` (String) Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you need no any additional authenticators to be triggered after login with this identity provider. Defaults to `""`. +- `provider_id` (String) This is the provider ID of `saml`. Defaults to `saml`. +- `store_token` (Boolean) Enable if tokens must be stored after authenticating users. Defaults to `false`. +- `trust_email` (Boolean) If the identity provider supplies an email address this email address will be trusted. If the realm required email validation, users that log in from this identity provider will not have to go through the email verification process. Defaults to `false`. 
Read-Only: -- `internal_id` (String) An ID that is auto-generated internally for this IdP Integration. +- `internal_id` (String) An ID that is auto-generated internally for this IdP Integration. 
@@ -114,28 +114,28 @@ Read-Only: Required: -- `single_sign_on_service_url` (String) URL that must be used to send authentication requests (SAML AuthnRequest). +- `single_sign_on_service_url` (String) URL that must be used to send authentication requests (SAML AuthnRequest). Optional: -- `allowed_clock_skew` (Number) Clock skew in seconds that is tolerated when validating identity provider tokens. Defaults to `0`. -- `back_channel_supported` (Boolean) Defaults to `false` if unset. -- `base_64_saml_metadata_document` (String) Full SAML metadata document that was used to import the SAML configuration, Base64 encoded. Defaults to `""`. -- `disable_force_authentication` (Boolean) Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. Defaults to `false` -- `disable_post_binding_authn_request` (Boolean) Indicates whether the AuthnRequest must be sent using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. Defaults to `false`. -- `disable_post_binding_logout` (Boolean) Indicates whether to respond to requests using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. Defaults to `false`. -- `disable_post_binding_response` (Boolean) Indicates whether to respond to requests using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. Defaults to `false`. -- `disable_using_jwks_url` (Boolean) By default, the jwks URL is used for all SAML connections. Defaults to `false`. -- `gui_order` (String) GUI order. Defaults to `""`. -- `hide_on_login_page` (Boolean) Defaults to `false` if unset. -- `ldap_group_attribute` (String) Type of `LDAP Group RDN` that identifies the name of a group within a DN. For example, if an LDAP DN sent in a SAML assertion is `cn=Everyone`, `ou=groups`, `dc=openam`, `dc=forgerock`, `dc=org` and the `LDAP Group RDN` Type is `cn` Cyral will interpret `Everyone` as the group name. 
-- `name_id_policy_format` (String) Defaults to `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified` if unset. -- `principal_type` (String) Defaults to `SUBJECT` if unset. -- `saml_metadata_url` (String) This is the full SAML metadata URL that was used to import the SAML configuration. Defaults to `""`. -- `saml_xml_key_name_tranformer` (String) Defaults to `KEY_ID` if unset. -- `signature_type` (String) Defaults to `RSA_SHA256` if unset. -- `signing_certificate` (String) Signing certificate used to validate signatures. Required if signature validation is enabled. Defaults to `""`. -- `single_logout_service_url` (String) URL that must be used to send logout requests. Defaults to `""`. -- `sync_mode` (String) Defaults to `FORCE` if unset. -- `want_assertions_encrypted` (Boolean) Indicates whether the service provider expects an encrypted Assertion. Defaults to `false`. -- `xml_sig_key_info_key_name_transformer` (String) Defaults to `KEY_ID` if unset. +- `allowed_clock_skew` (Number) Clock skew in seconds that is tolerated when validating identity provider tokens. Defaults to `0`. +- `back_channel_supported` (Boolean) Defaults to `false` if unset. +- `base_64_saml_metadata_document` (String) Full SAML metadata document that was used to import the SAML configuration, Base64 encoded. Defaults to `""`. +- `disable_force_authentication` (Boolean) Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. Defaults to `false` +- `disable_post_binding_authn_request` (Boolean) Indicates whether the AuthnRequest must be sent using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. Defaults to `false`. +- `disable_post_binding_logout` (Boolean) Indicates whether to respond to requests using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. Defaults to `false`. 
+- `disable_post_binding_response` (Boolean) Indicates whether to respond to requests using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. Defaults to `false`. +- `disable_using_jwks_url` (Boolean) By default, the jwks URL is used for all SAML connections. Defaults to `false`. +- `gui_order` (String) GUI order. Defaults to `""`. +- `hide_on_login_page` (Boolean) Defaults to `false` if unset. +- `ldap_group_attribute` (String) Type of `LDAP Group RDN` that identifies the name of a group within a DN. For example, if an LDAP DN sent in a SAML assertion is `cn=Everyone`, `ou=groups`, `dc=openam`, `dc=forgerock`, `dc=org` and the `LDAP Group RDN` Type is `cn` Cyral will interpret `Everyone` as the group name. +- `name_id_policy_format` (String) Defaults to `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified` if unset. +- `principal_type` (String) Defaults to `SUBJECT` if unset. +- `saml_metadata_url` (String) This is the full SAML metadata URL that was used to import the SAML configuration. Defaults to `""`. +- `saml_xml_key_name_tranformer` (String) Defaults to `KEY_ID` if unset. +- `signature_type` (String) Defaults to `RSA_SHA256` if unset. +- `signing_certificate` (String) Signing certificate used to validate signatures. Required if signature validation is enabled. Defaults to `""`. +- `single_logout_service_url` (String) URL that must be used to send logout requests. Defaults to `""`. +- `sync_mode` (String) Defaults to `FORCE` if unset. +- `want_assertions_encrypted` (Boolean) Indicates whether the service provider expects an encrypted Assertion. Defaults to `false`. +- `xml_sig_key_info_key_name_transformer` (String) Defaults to `KEY_ID` if unset. diff --git a/docs/resources/integration_idp_forgerock.md b/docs/resources/integration_idp_forgerock.md index 67855c7d..c3938dda 100644 --- a/docs/resources/integration_idp_forgerock.md +++ b/docs/resources/integration_idp_forgerock.md 
@@ -74,15 +74,15 @@ resource "cyral_integration_idp_forgerock" "some_resource_name" { ### Required -- `samlp` (Block Set, Min: 1, Max: 1) It contains the top-level configuration for an identity provider. (see [below for nested schema](#nestedblock--samlp)) +- `samlp` (Block Set, Min: 1, Max: 1) It contains the top-level configuration for an identity provider. (see [below for nested schema](#nestedblock--samlp)) ### Optional -- `draft_alias` (String) An `alias` that uniquely identifies a IdP Integration draft. If set, will delete any correspondent draft and create a new IdP Integration with the same `alias`. Defaults to `""`. +- `draft_alias` (String) An `alias` that uniquely identifies a IdP Integration draft. If set, will delete any correspondent draft and create a new IdP Integration with the same `alias`. Defaults to `""`. ### Read-Only -- `id` (String) ID of this resource, which corresponds to the IdP Integration `alias`. +- `id` (String) ID of this resource, which corresponds to the IdP Integration `alias`. 
@@ -90,23 +90,23 @@ resource "cyral_integration_idp_forgerock" "some_resource_name" { Required: -- `config` (Block Set, Min: 1, Max: 1) SAML configuration for this IdP Integration. (see [below for nested schema](#nestedblock--samlp--config)) +- `config` (Block Set, Min: 1, Max: 1) SAML configuration for this IdP Integration. (see [below for nested schema](#nestedblock--samlp--config)) Optional: -- `add_read_token_role_on_create` (Boolean) Adds read token role on creation. Defaults to `false`. -- `disabled` (Boolean) Disable maps to Keycloak's `enabled` field. Defaults to `false`. -- `display_name` (String) Name of the IdP Integration displayed in the control plane. Defaults to `Forgerock` -- `first_broker_login_flow_alias` (String) Alias of authentication flow, which is triggered after `First Login` with this identity provider. Term `First Login` means that no Keycloak account is currently linked to the authenticated identity provider account. Defaults to `SAML_First_Broker`. -- `link_only` (Boolean) If true, users cannot log in through this identity provider. They can only link to this identity provider. This is useful if you don't want to allow login from the identity provider, but want to integrate with an identity provider. Defaults to `false`. -- `post_broker_login_flow_alias` (String) Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you need no any additional authenticators to be triggered after login with this identity provider. Defaults to `""`. -- `provider_id` (String) This is the provider ID of `saml`. Defaults to `saml`. -- `store_token` (Boolean) Enable if tokens must be stored after authenticating users. Defaults to `false`. -- `trust_email` (Boolean) If the identity provider supplies an email address this email address will be trusted. 
If the realm required email validation, users that log in from this identity provider will not have to go through the email verification process. Defaults to `false`. +- `add_read_token_role_on_create` (Boolean) Adds read token role on creation. Defaults to `false`. +- `disabled` (Boolean) Disable maps to Keycloak's `enabled` field. Defaults to `false`. +- `display_name` (String) Name of the IdP Integration displayed in the control plane. Defaults to `Forgerock` +- `first_broker_login_flow_alias` (String) Alias of authentication flow, which is triggered after `First Login` with this identity provider. Term `First Login` means that no Keycloak account is currently linked to the authenticated identity provider account. Defaults to `SAML_First_Broker`. +- `link_only` (Boolean) If true, users cannot log in through this identity provider. They can only link to this identity provider. This is useful if you don't want to allow login from the identity provider, but want to integrate with an identity provider. Defaults to `false`. +- `post_broker_login_flow_alias` (String) Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you need no any additional authenticators to be triggered after login with this identity provider. Defaults to `""`. +- `provider_id` (String) This is the provider ID of `saml`. Defaults to `saml`. +- `store_token` (Boolean) Enable if tokens must be stored after authenticating users. Defaults to `false`. +- `trust_email` (Boolean) If the identity provider supplies an email address this email address will be trusted. If the realm required email validation, users that log in from this identity provider will not have to go through the email verification process. Defaults to `false`. 
Read-Only: -- `internal_id` (String) An ID that is auto-generated internally for this IdP Integration. +- `internal_id` (String) An ID that is auto-generated internally for this IdP Integration. 
@@ -114,28 +114,28 @@ Read-Only: Required: -- `single_sign_on_service_url` (String) URL that must be used to send authentication requests (SAML AuthnRequest). +- `single_sign_on_service_url` (String) URL that must be used to send authentication requests (SAML AuthnRequest). Optional: -- `allowed_clock_skew` (Number) Clock skew in seconds that is tolerated when validating identity provider tokens. Defaults to `0`. -- `back_channel_supported` (Boolean) Defaults to `false` if unset. -- `base_64_saml_metadata_document` (String) Full SAML metadata document that was used to import the SAML configuration, Base64 encoded. Defaults to `""`. -- `disable_force_authentication` (Boolean) Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. Defaults to `false` -- `disable_post_binding_authn_request` (Boolean) Indicates whether the AuthnRequest must be sent using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. Defaults to `false`. -- `disable_post_binding_logout` (Boolean) Indicates whether to respond to requests using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. Defaults to `false`. -- `disable_post_binding_response` (Boolean) Indicates whether to respond to requests using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. Defaults to `false`. -- `disable_using_jwks_url` (Boolean) By default, the jwks URL is used for all SAML connections. Defaults to `false`. -- `gui_order` (String) GUI order. Defaults to `""`. -- `hide_on_login_page` (Boolean) Defaults to `false` if unset. -- `ldap_group_attribute` (String) Type of `LDAP Group RDN` that identifies the name of a group within a DN. For example, if an LDAP DN sent in a SAML assertion is `cn=Everyone`, `ou=groups`, `dc=openam`, `dc=forgerock`, `dc=org` and the `LDAP Group RDN` Type is `cn` Cyral will interpret `Everyone` as the group name. 
-- `name_id_policy_format` (String) Defaults to `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified` if unset. -- `principal_type` (String) Defaults to `SUBJECT` if unset. -- `saml_metadata_url` (String) This is the full SAML metadata URL that was used to import the SAML configuration. Defaults to `""`. -- `saml_xml_key_name_tranformer` (String) Defaults to `KEY_ID` if unset. -- `signature_type` (String) Defaults to `RSA_SHA256` if unset. -- `signing_certificate` (String) Signing certificate used to validate signatures. Required if signature validation is enabled. Defaults to `""`. -- `single_logout_service_url` (String) URL that must be used to send logout requests. Defaults to `""`. -- `sync_mode` (String) Defaults to `FORCE` if unset. -- `want_assertions_encrypted` (Boolean) Indicates whether the service provider expects an encrypted Assertion. Defaults to `false`. -- `xml_sig_key_info_key_name_transformer` (String) Defaults to `KEY_ID` if unset. +- `allowed_clock_skew` (Number) Clock skew in seconds that is tolerated when validating identity provider tokens. Defaults to `0`. +- `back_channel_supported` (Boolean) Defaults to `false` if unset. +- `base_64_saml_metadata_document` (String) Full SAML metadata document that was used to import the SAML configuration, Base64 encoded. Defaults to `""`. +- `disable_force_authentication` (Boolean) Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. Defaults to `false` +- `disable_post_binding_authn_request` (Boolean) Indicates whether the AuthnRequest must be sent using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. Defaults to `false`. +- `disable_post_binding_logout` (Boolean) Indicates whether to respond to requests using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. Defaults to `false`. 
+- `disable_post_binding_response` (Boolean) Indicates whether to respond to requests using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. Defaults to `false`. +- `disable_using_jwks_url` (Boolean) By default, the jwks URL is used for all SAML connections. Defaults to `false`. +- `gui_order` (String) GUI order. Defaults to `""`. +- `hide_on_login_page` (Boolean) Defaults to `false` if unset. +- `ldap_group_attribute` (String) Type of `LDAP Group RDN` that identifies the name of a group within a DN. For example, if an LDAP DN sent in a SAML assertion is `cn=Everyone`, `ou=groups`, `dc=openam`, `dc=forgerock`, `dc=org` and the `LDAP Group RDN` Type is `cn` Cyral will interpret `Everyone` as the group name. +- `name_id_policy_format` (String) Defaults to `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified` if unset. +- `principal_type` (String) Defaults to `SUBJECT` if unset. +- `saml_metadata_url` (String) This is the full SAML metadata URL that was used to import the SAML configuration. Defaults to `""`. +- `saml_xml_key_name_tranformer` (String) Defaults to `KEY_ID` if unset. +- `signature_type` (String) Defaults to `RSA_SHA256` if unset. +- `signing_certificate` (String) Signing certificate used to validate signatures. Required if signature validation is enabled. Defaults to `""`. +- `single_logout_service_url` (String) URL that must be used to send logout requests. Defaults to `""`. +- `sync_mode` (String) Defaults to `FORCE` if unset. +- `want_assertions_encrypted` (Boolean) Indicates whether the service provider expects an encrypted Assertion. Defaults to `false`. +- `xml_sig_key_info_key_name_transformer` (String) Defaults to `KEY_ID` if unset. diff --git a/docs/resources/integration_idp_gsuite.md b/docs/resources/integration_idp_gsuite.md index 87104be8..8b591019 100644 --- a/docs/resources/integration_idp_gsuite.md +++ b/docs/resources/integration_idp_gsuite.md 
@@ -74,15 +74,15 @@ resource "cyral_integration_idp_gsuite" "some_resource_name" { ### Required -- `samlp` (Block Set, Min: 1, Max: 1) It contains the top-level configuration for an identity provider. (see [below for nested schema](#nestedblock--samlp)) +- `samlp` (Block Set, Min: 1, Max: 1) It contains the top-level configuration for an identity provider. (see [below for nested schema](#nestedblock--samlp)) ### Optional -- `draft_alias` (String) An `alias` that uniquely identifies a IdP Integration draft. If set, will delete any correspondent draft and create a new IdP Integration with the same `alias`. Defaults to `""`. +- `draft_alias` (String) An `alias` that uniquely identifies a IdP Integration draft. If set, will delete any correspondent draft and create a new IdP Integration with the same `alias`. Defaults to `""`. ### Read-Only -- `id` (String) ID of this resource, which corresponds to the IdP Integration `alias`. +- `id` (String) ID of this resource, which corresponds to the IdP Integration `alias`. 
@@ -90,23 +90,23 @@ resource "cyral_integration_idp_gsuite" "some_resource_name" { Required: -- `config` (Block Set, Min: 1, Max: 1) SAML configuration for this IdP Integration. (see [below for nested schema](#nestedblock--samlp--config)) +- `config` (Block Set, Min: 1, Max: 1) SAML configuration for this IdP Integration. (see [below for nested schema](#nestedblock--samlp--config)) Optional: -- `add_read_token_role_on_create` (Boolean) Adds read token role on creation. Defaults to `false`. -- `disabled` (Boolean) Disable maps to Keycloak's `enabled` field. Defaults to `false`. -- `display_name` (String) Name of the IdP Integration displayed in the control plane. Defaults to `GSuite` -- `first_broker_login_flow_alias` (String) Alias of authentication flow, which is triggered after `First Login` with this identity provider. Term `First Login` means that no Keycloak account is currently linked to the authenticated identity provider account. Defaults to `SAML_First_Broker`. -- `link_only` (Boolean) If true, users cannot log in through this identity provider. They can only link to this identity provider. This is useful if you don't want to allow login from the identity provider, but want to integrate with an identity provider. Defaults to `false`. -- `post_broker_login_flow_alias` (String) Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you need no any additional authenticators to be triggered after login with this identity provider. Defaults to `""`. -- `provider_id` (String) This is the provider ID of `saml`. Defaults to `saml`. -- `store_token` (Boolean) Enable if tokens must be stored after authenticating users. Defaults to `false`. -- `trust_email` (Boolean) If the identity provider supplies an email address this email address will be trusted. 
If the realm required email validation, users that log in from this identity provider will not have to go through the email verification process. Defaults to `false`. +- `add_read_token_role_on_create` (Boolean) Adds read token role on creation. Defaults to `false`. +- `disabled` (Boolean) Disable maps to Keycloak's `enabled` field. Defaults to `false`. +- `display_name` (String) Name of the IdP Integration displayed in the control plane. Defaults to `GSuite` +- `first_broker_login_flow_alias` (String) Alias of authentication flow, which is triggered after `First Login` with this identity provider. Term `First Login` means that no Keycloak account is currently linked to the authenticated identity provider account. Defaults to `SAML_First_Broker`. +- `link_only` (Boolean) If true, users cannot log in through this identity provider. They can only link to this identity provider. This is useful if you don't want to allow login from the identity provider, but want to integrate with an identity provider. Defaults to `false`. +- `post_broker_login_flow_alias` (String) Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you need no any additional authenticators to be triggered after login with this identity provider. Defaults to `""`. +- `provider_id` (String) This is the provider ID of `saml`. Defaults to `saml`. +- `store_token` (Boolean) Enable if tokens must be stored after authenticating users. Defaults to `false`. +- `trust_email` (Boolean) If the identity provider supplies an email address this email address will be trusted. If the realm required email validation, users that log in from this identity provider will not have to go through the email verification process. Defaults to `false`. Read-Only: -- `internal_id` (String) An ID that is auto-generated internally for this IdP Integration. 
+- `internal_id` (String) An ID that is auto-generated internally for this IdP Integration. 
@@ -114,28 +114,28 @@ Read-Only: Required: -- `single_sign_on_service_url` (String) URL that must be used to send authentication requests (SAML AuthnRequest). +- `single_sign_on_service_url` (String) URL that must be used to send authentication requests (SAML AuthnRequest). Optional: -- `allowed_clock_skew` (Number) Clock skew in seconds that is tolerated when validating identity provider tokens. Defaults to `0`. -- `back_channel_supported` (Boolean) Defaults to `false` if unset. -- `base_64_saml_metadata_document` (String) Full SAML metadata document that was used to import the SAML configuration, Base64 encoded. Defaults to `""`. -- `disable_force_authentication` (Boolean) Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. Defaults to `false` -- `disable_post_binding_authn_request` (Boolean) Indicates whether the AuthnRequest must be sent using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. Defaults to `false`. -- `disable_post_binding_logout` (Boolean) Indicates whether to respond to requests using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. Defaults to `false`. -- `disable_post_binding_response` (Boolean) Indicates whether to respond to requests using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. Defaults to `false`. -- `disable_using_jwks_url` (Boolean) By default, the jwks URL is used for all SAML connections. Defaults to `false`. -- `gui_order` (String) GUI order. Defaults to `""`. -- `hide_on_login_page` (Boolean) Defaults to `false` if unset. -- `ldap_group_attribute` (String) Type of `LDAP Group RDN` that identifies the name of a group within a DN. For example, if an LDAP DN sent in a SAML assertion is `cn=Everyone`, `ou=groups`, `dc=openam`, `dc=forgerock`, `dc=org` and the `LDAP Group RDN` Type is `cn` Cyral will interpret `Everyone` as the group name. 
-- `name_id_policy_format` (String) Defaults to `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified` if unset. -- `principal_type` (String) Defaults to `SUBJECT` if unset. -- `saml_metadata_url` (String) This is the full SAML metadata URL that was used to import the SAML configuration. Defaults to `""`. -- `saml_xml_key_name_tranformer` (String) Defaults to `KEY_ID` if unset. -- `signature_type` (String) Defaults to `RSA_SHA256` if unset. -- `signing_certificate` (String) Signing certificate used to validate signatures. Required if signature validation is enabled. Defaults to `""`. -- `single_logout_service_url` (String) URL that must be used to send logout requests. Defaults to `""`. -- `sync_mode` (String) Defaults to `FORCE` if unset. -- `want_assertions_encrypted` (Boolean) Indicates whether the service provider expects an encrypted Assertion. Defaults to `false`. -- `xml_sig_key_info_key_name_transformer` (String) Defaults to `KEY_ID` if unset. +- `allowed_clock_skew` (Number) Clock skew in seconds that is tolerated when validating identity provider tokens. Defaults to `0`. +- `back_channel_supported` (Boolean) Defaults to `false` if unset. +- `base_64_saml_metadata_document` (String) Full SAML metadata document that was used to import the SAML configuration, Base64 encoded. Defaults to `""`. +- `disable_force_authentication` (Boolean) Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. Defaults to `false` +- `disable_post_binding_authn_request` (Boolean) Indicates whether the AuthnRequest must be sent using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. Defaults to `false`. +- `disable_post_binding_logout` (Boolean) Indicates whether to respond to requests using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. Defaults to `false`. 
+- `disable_post_binding_response` (Boolean) Indicates whether to respond to requests using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. Defaults to `false`. +- `disable_using_jwks_url` (Boolean) By default, the jwks URL is used for all SAML connections. Defaults to `false`. +- `gui_order` (String) GUI order. Defaults to `""`. +- `hide_on_login_page` (Boolean) Defaults to `false` if unset. +- `ldap_group_attribute` (String) Type of `LDAP Group RDN` that identifies the name of a group within a DN. For example, if an LDAP DN sent in a SAML assertion is `cn=Everyone`, `ou=groups`, `dc=openam`, `dc=forgerock`, `dc=org` and the `LDAP Group RDN` Type is `cn` Cyral will interpret `Everyone` as the group name. +- `name_id_policy_format` (String) Defaults to `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified` if unset. +- `principal_type` (String) Defaults to `SUBJECT` if unset. +- `saml_metadata_url` (String) This is the full SAML metadata URL that was used to import the SAML configuration. Defaults to `""`. +- `saml_xml_key_name_tranformer` (String) Defaults to `KEY_ID` if unset. +- `signature_type` (String) Defaults to `RSA_SHA256` if unset. +- `signing_certificate` (String) Signing certificate used to validate signatures. Required if signature validation is enabled. Defaults to `""`. +- `single_logout_service_url` (String) URL that must be used to send logout requests. Defaults to `""`. +- `sync_mode` (String) Defaults to `FORCE` if unset. +- `want_assertions_encrypted` (Boolean) Indicates whether the service provider expects an encrypted Assertion. Defaults to `false`. +- `xml_sig_key_info_key_name_transformer` (String) Defaults to `KEY_ID` if unset. diff --git a/docs/resources/integration_idp_okta.md b/docs/resources/integration_idp_okta.md index a55babdc..1ed02d7e 100644 --- a/docs/resources/integration_idp_okta.md +++ b/docs/resources/integration_idp_okta.md 
@@ -79,15 +79,15 @@ resource "cyral_integration_idp_okta" "some_resource_name" { ### Required -- `samlp` (Block Set, Min: 1, Max: 1) It contains the top-level configuration for an identity provider. (see [below for nested schema](#nestedblock--samlp)) +- `samlp` (Block Set, Min: 1, Max: 1) It contains the top-level configuration for an identity provider. (see [below for nested schema](#nestedblock--samlp)) ### Optional -- `draft_alias` (String) An `alias` that uniquely identifies a IdP Integration draft. If set, will delete any correspondent draft and create a new IdP Integration with the same `alias`. Defaults to `""`. +- `draft_alias` (String) An `alias` that uniquely identifies a IdP Integration draft. If set, will delete any correspondent draft and create a new IdP Integration with the same `alias`. Defaults to `""`. ### Read-Only -- `id` (String) ID of this resource, which corresponds to the IdP Integration `alias`. +- `id` (String) ID of this resource, which corresponds to the IdP Integration `alias`. 
@@ -95,23 +95,23 @@ resource "cyral_integration_idp_okta" "some_resource_name" { Required: -- `config` (Block Set, Min: 1, Max: 1) SAML configuration for this IdP Integration. (see [below for nested schema](#nestedblock--samlp--config)) +- `config` (Block Set, Min: 1, Max: 1) SAML configuration for this IdP Integration. (see [below for nested schema](#nestedblock--samlp--config)) Optional: -- `add_read_token_role_on_create` (Boolean) Adds read token role on creation. Defaults to `false`. -- `disabled` (Boolean) Disable maps to Keycloak's `enabled` field. Defaults to `false`. -- `display_name` (String) Name of the IdP Integration displayed in the control plane. Defaults to `Okta` -- `first_broker_login_flow_alias` (String) Alias of authentication flow, which is triggered after `First Login` with this identity provider. Term `First Login` means that no Keycloak account is currently linked to the authenticated identity provider account. Defaults to `SAML_First_Broker`. -- `link_only` (Boolean) If true, users cannot log in through this identity provider. They can only link to this identity provider. This is useful if you don't want to allow login from the identity provider, but want to integrate with an identity provider. Defaults to `false`. -- `post_broker_login_flow_alias` (String) Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you need no any additional authenticators to be triggered after login with this identity provider. Defaults to `""`. -- `provider_id` (String) This is the provider ID of `saml`. Defaults to `saml`. -- `store_token` (Boolean) Enable if tokens must be stored after authenticating users. Defaults to `false`. -- `trust_email` (Boolean) If the identity provider supplies an email address this email address will be trusted. 
If the realm required email validation, users that log in from this identity provider will not have to go through the email verification process. Defaults to `false`. +- `add_read_token_role_on_create` (Boolean) Adds read token role on creation. Defaults to `false`. +- `disabled` (Boolean) Disable maps to Keycloak's `enabled` field. Defaults to `false`. +- `display_name` (String) Name of the IdP Integration displayed in the control plane. Defaults to `Okta` +- `first_broker_login_flow_alias` (String) Alias of authentication flow, which is triggered after `First Login` with this identity provider. Term `First Login` means that no Keycloak account is currently linked to the authenticated identity provider account. Defaults to `SAML_First_Broker`. +- `link_only` (Boolean) If true, users cannot log in through this identity provider. They can only link to this identity provider. This is useful if you don't want to allow login from the identity provider, but want to integrate with an identity provider. Defaults to `false`. +- `post_broker_login_flow_alias` (String) Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you need no any additional authenticators to be triggered after login with this identity provider. Defaults to `""`. +- `provider_id` (String) This is the provider ID of `saml`. Defaults to `saml`. +- `store_token` (Boolean) Enable if tokens must be stored after authenticating users. Defaults to `false`. +- `trust_email` (Boolean) If the identity provider supplies an email address this email address will be trusted. If the realm required email validation, users that log in from this identity provider will not have to go through the email verification process. Defaults to `false`. Read-Only: -- `internal_id` (String) An ID that is auto-generated internally for this IdP Integration. 
+- `internal_id` (String) An ID that is auto-generated internally for this IdP Integration. 
@@ -119,28 +119,28 @@ Read-Only: Required: -- `single_sign_on_service_url` (String) URL that must be used to send authentication requests (SAML AuthnRequest). +- `single_sign_on_service_url` (String) URL that must be used to send authentication requests (SAML AuthnRequest). Optional: -- `allowed_clock_skew` (Number) Clock skew in seconds that is tolerated when validating identity provider tokens. Defaults to `0`. -- `back_channel_supported` (Boolean) Defaults to `false` if unset. -- `base_64_saml_metadata_document` (String) Full SAML metadata document that was used to import the SAML configuration, Base64 encoded. Defaults to `""`. -- `disable_force_authentication` (Boolean) Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. Defaults to `false` -- `disable_post_binding_authn_request` (Boolean) Indicates whether the AuthnRequest must be sent using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. Defaults to `false`. -- `disable_post_binding_logout` (Boolean) Indicates whether to respond to requests using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. Defaults to `false`. -- `disable_post_binding_response` (Boolean) Indicates whether to respond to requests using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. Defaults to `false`. -- `disable_using_jwks_url` (Boolean) By default, the jwks URL is used for all SAML connections. Defaults to `false`. -- `gui_order` (String) GUI order. Defaults to `""`. -- `hide_on_login_page` (Boolean) Defaults to `false` if unset. -- `ldap_group_attribute` (String) Type of `LDAP Group RDN` that identifies the name of a group within a DN. For example, if an LDAP DN sent in a SAML assertion is `cn=Everyone`, `ou=groups`, `dc=openam`, `dc=forgerock`, `dc=org` and the `LDAP Group RDN` Type is `cn` Cyral will interpret `Everyone` as the group name. 
-- `name_id_policy_format` (String) Defaults to `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified` if unset. -- `principal_type` (String) Defaults to `SUBJECT` if unset. -- `saml_metadata_url` (String) This is the full SAML metadata URL that was used to import the SAML configuration. Defaults to `""`. -- `saml_xml_key_name_tranformer` (String) Defaults to `KEY_ID` if unset. -- `signature_type` (String) Defaults to `RSA_SHA256` if unset. -- `signing_certificate` (String) Signing certificate used to validate signatures. Required if signature validation is enabled. Defaults to `""`. -- `single_logout_service_url` (String) URL that must be used to send logout requests. Defaults to `""`. -- `sync_mode` (String) Defaults to `FORCE` if unset. -- `want_assertions_encrypted` (Boolean) Indicates whether the service provider expects an encrypted Assertion. Defaults to `false`. -- `xml_sig_key_info_key_name_transformer` (String) Defaults to `KEY_ID` if unset. +- `allowed_clock_skew` (Number) Clock skew in seconds that is tolerated when validating identity provider tokens. Defaults to `0`. +- `back_channel_supported` (Boolean) Defaults to `false` if unset. +- `base_64_saml_metadata_document` (String) Full SAML metadata document that was used to import the SAML configuration, Base64 encoded. Defaults to `""`. +- `disable_force_authentication` (Boolean) Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. Defaults to `false` +- `disable_post_binding_authn_request` (Boolean) Indicates whether the AuthnRequest must be sent using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. Defaults to `false`. +- `disable_post_binding_logout` (Boolean) Indicates whether to respond to requests using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. Defaults to `false`. 
+- `disable_post_binding_response` (Boolean) Indicates whether to respond to requests using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. Defaults to `false`. +- `disable_using_jwks_url` (Boolean) By default, the jwks URL is used for all SAML connections. Defaults to `false`. +- `gui_order` (String) GUI order. Defaults to `""`. +- `hide_on_login_page` (Boolean) Defaults to `false` if unset. +- `ldap_group_attribute` (String) Type of `LDAP Group RDN` that identifies the name of a group within a DN. For example, if an LDAP DN sent in a SAML assertion is `cn=Everyone`, `ou=groups`, `dc=openam`, `dc=forgerock`, `dc=org` and the `LDAP Group RDN` Type is `cn` Cyral will interpret `Everyone` as the group name. +- `name_id_policy_format` (String) Defaults to `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified` if unset. +- `principal_type` (String) Defaults to `SUBJECT` if unset. +- `saml_metadata_url` (String) This is the full SAML metadata URL that was used to import the SAML configuration. Defaults to `""`. +- `saml_xml_key_name_tranformer` (String) Defaults to `KEY_ID` if unset. +- `signature_type` (String) Defaults to `RSA_SHA256` if unset. +- `signing_certificate` (String) Signing certificate used to validate signatures. Required if signature validation is enabled. Defaults to `""`. +- `single_logout_service_url` (String) URL that must be used to send logout requests. Defaults to `""`. +- `sync_mode` (String) Defaults to `FORCE` if unset. +- `want_assertions_encrypted` (Boolean) Indicates whether the service provider expects an encrypted Assertion. Defaults to `false`. +- `xml_sig_key_info_key_name_transformer` (String) Defaults to `KEY_ID` if unset. diff --git a/docs/resources/integration_idp_ping_one.md b/docs/resources/integration_idp_ping_one.md index f67f5ab2..26ee4735 100644 --- a/docs/resources/integration_idp_ping_one.md +++ b/docs/resources/integration_idp_ping_one.md 
@@ -75,15 +75,15 @@ resource "cyral_integration_idp_ping_one" "some_resource_name" { ### Required -- `samlp` (Block Set, Min: 1, Max: 1) It contains the top-level configuration for an identity provider. (see [below for nested schema](#nestedblock--samlp)) +- `samlp` (Block Set, Min: 1, Max: 1) It contains the top-level configuration for an identity provider. (see [below for nested schema](#nestedblock--samlp)) ### Optional -- `draft_alias` (String) An `alias` that uniquely identifies a IdP Integration draft. If set, will delete any correspondent draft and create a new IdP Integration with the same `alias`. Defaults to `""`. +- `draft_alias` (String) An `alias` that uniquely identifies a IdP Integration draft. If set, will delete any correspondent draft and create a new IdP Integration with the same `alias`. Defaults to `""`. ### Read-Only -- `id` (String) ID of this resource, which corresponds to the IdP Integration `alias`. +- `id` (String) ID of this resource, which corresponds to the IdP Integration `alias`. 
@@ -91,23 +91,23 @@ resource "cyral_integration_idp_ping_one" "some_resource_name" { Required: -- `config` (Block Set, Min: 1, Max: 1) SAML configuration for this IdP Integration. (see [below for nested schema](#nestedblock--samlp--config)) +- `config` (Block Set, Min: 1, Max: 1) SAML configuration for this IdP Integration. (see [below for nested schema](#nestedblock--samlp--config)) Optional: -- `add_read_token_role_on_create` (Boolean) Adds read token role on creation. Defaults to `false`. -- `disabled` (Boolean) Disable maps to Keycloak's `enabled` field. Defaults to `false`. -- `display_name` (String) Name of the IdP Integration displayed in the control plane. Defaults to `PingOne` -- `first_broker_login_flow_alias` (String) Alias of authentication flow, which is triggered after `First Login` with this identity provider. Term `First Login` means that no Keycloak account is currently linked to the authenticated identity provider account. Defaults to `SAML_First_Broker`. -- `link_only` (Boolean) If true, users cannot log in through this identity provider. They can only link to this identity provider. This is useful if you don't want to allow login from the identity provider, but want to integrate with an identity provider. Defaults to `false`. -- `post_broker_login_flow_alias` (String) Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you need no any additional authenticators to be triggered after login with this identity provider. Defaults to `""`. -- `provider_id` (String) This is the provider ID of `saml`. Defaults to `saml`. -- `store_token` (Boolean) Enable if tokens must be stored after authenticating users. Defaults to `false`. -- `trust_email` (Boolean) If the identity provider supplies an email address this email address will be trusted. 
If the realm required email validation, users that log in from this identity provider will not have to go through the email verification process. Defaults to `false`. +- `add_read_token_role_on_create` (Boolean) Adds read token role on creation. Defaults to `false`. +- `disabled` (Boolean) Disable maps to Keycloak's `enabled` field. Defaults to `false`. +- `display_name` (String) Name of the IdP Integration displayed in the control plane. Defaults to `PingOne` +- `first_broker_login_flow_alias` (String) Alias of authentication flow, which is triggered after `First Login` with this identity provider. Term `First Login` means that no Keycloak account is currently linked to the authenticated identity provider account. Defaults to `SAML_First_Broker`. +- `link_only` (Boolean) If true, users cannot log in through this identity provider. They can only link to this identity provider. This is useful if you don't want to allow login from the identity provider, but want to integrate with an identity provider. Defaults to `false`. +- `post_broker_login_flow_alias` (String) Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you need no any additional authenticators to be triggered after login with this identity provider. Defaults to `""`. +- `provider_id` (String) This is the provider ID of `saml`. Defaults to `saml`. +- `store_token` (Boolean) Enable if tokens must be stored after authenticating users. Defaults to `false`. +- `trust_email` (Boolean) If the identity provider supplies an email address this email address will be trusted. If the realm required email validation, users that log in from this identity provider will not have to go through the email verification process. Defaults to `false`. 
Read-Only: -- `internal_id` (String) An ID that is auto-generated internally for this IdP Integration. +- `internal_id` (String) An ID that is auto-generated internally for this IdP Integration. 
@@ -115,28 +115,28 @@ Read-Only: Required: -- `single_sign_on_service_url` (String) URL that must be used to send authentication requests (SAML AuthnRequest). +- `single_sign_on_service_url` (String) URL that must be used to send authentication requests (SAML AuthnRequest). Optional: -- `allowed_clock_skew` (Number) Clock skew in seconds that is tolerated when validating identity provider tokens. Defaults to `0`. -- `back_channel_supported` (Boolean) Defaults to `false` if unset. -- `base_64_saml_metadata_document` (String) Full SAML metadata document that was used to import the SAML configuration, Base64 encoded. Defaults to `""`. -- `disable_force_authentication` (Boolean) Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. Defaults to `false` -- `disable_post_binding_authn_request` (Boolean) Indicates whether the AuthnRequest must be sent using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. Defaults to `false`. -- `disable_post_binding_logout` (Boolean) Indicates whether to respond to requests using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. Defaults to `false`. -- `disable_post_binding_response` (Boolean) Indicates whether to respond to requests using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. Defaults to `false`. -- `disable_using_jwks_url` (Boolean) By default, the jwks URL is used for all SAML connections. Defaults to `false`. -- `gui_order` (String) GUI order. Defaults to `""`. -- `hide_on_login_page` (Boolean) Defaults to `false` if unset. -- `ldap_group_attribute` (String) Type of `LDAP Group RDN` that identifies the name of a group within a DN. For example, if an LDAP DN sent in a SAML assertion is `cn=Everyone`, `ou=groups`, `dc=openam`, `dc=forgerock`, `dc=org` and the `LDAP Group RDN` Type is `cn` Cyral will interpret `Everyone` as the group name. 
-- `name_id_policy_format` (String) Defaults to `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified` if unset. -- `principal_type` (String) Defaults to `SUBJECT` if unset. -- `saml_metadata_url` (String) This is the full SAML metadata URL that was used to import the SAML configuration. Defaults to `""`. -- `saml_xml_key_name_tranformer` (String) Defaults to `KEY_ID` if unset. -- `signature_type` (String) Defaults to `RSA_SHA256` if unset. -- `signing_certificate` (String) Signing certificate used to validate signatures. Required if signature validation is enabled. Defaults to `""`. -- `single_logout_service_url` (String) URL that must be used to send logout requests. Defaults to `""`. -- `sync_mode` (String) Defaults to `FORCE` if unset. -- `want_assertions_encrypted` (Boolean) Indicates whether the service provider expects an encrypted Assertion. Defaults to `false`. -- `xml_sig_key_info_key_name_transformer` (String) Defaults to `KEY_ID` if unset. +- `allowed_clock_skew` (Number) Clock skew in seconds that is tolerated when validating identity provider tokens. Defaults to `0`. +- `back_channel_supported` (Boolean) Defaults to `false` if unset. +- `base_64_saml_metadata_document` (String) Full SAML metadata document that was used to import the SAML configuration, Base64 encoded. Defaults to `""`. +- `disable_force_authentication` (Boolean) Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. Defaults to `false` +- `disable_post_binding_authn_request` (Boolean) Indicates whether the AuthnRequest must be sent using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. Defaults to `false`. +- `disable_post_binding_logout` (Boolean) Indicates whether to respond to requests using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. Defaults to `false`. 
+- `disable_post_binding_response` (Boolean) Indicates whether to respond to requests using `HTTP-POST` binding. If `true`, `HTTP-REDIRECT` binding will be used. Defaults to `false`. +- `disable_using_jwks_url` (Boolean) By default, the jwks URL is used for all SAML connections. Defaults to `false`. +- `gui_order` (String) GUI order. Defaults to `""`. +- `hide_on_login_page` (Boolean) Defaults to `false` if unset. +- `ldap_group_attribute` (String) Type of `LDAP Group RDN` that identifies the name of a group within a DN. For example, if an LDAP DN sent in a SAML assertion is `cn=Everyone`, `ou=groups`, `dc=openam`, `dc=forgerock`, `dc=org` and the `LDAP Group RDN` Type is `cn` Cyral will interpret `Everyone` as the group name. +- `name_id_policy_format` (String) Defaults to `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified` if unset. +- `principal_type` (String) Defaults to `SUBJECT` if unset. +- `saml_metadata_url` (String) This is the full SAML metadata URL that was used to import the SAML configuration. Defaults to `""`. +- `saml_xml_key_name_tranformer` (String) Defaults to `KEY_ID` if unset. +- `signature_type` (String) Defaults to `RSA_SHA256` if unset. +- `signing_certificate` (String) Signing certificate used to validate signatures. Required if signature validation is enabled. Defaults to `""`. +- `single_logout_service_url` (String) URL that must be used to send logout requests. Defaults to `""`. +- `sync_mode` (String) Defaults to `FORCE` if unset. +- `want_assertions_encrypted` (Boolean) Indicates whether the service provider expects an encrypted Assertion. Defaults to `false`. +- `xml_sig_key_info_key_name_transformer` (String) Defaults to `KEY_ID` if unset. diff --git a/docs/resources/integration_idp_saml.md b/docs/resources/integration_idp_saml.md index 2aa25e5d..1873bf52 100644 --- a/docs/resources/integration_idp_saml.md +++ b/docs/resources/integration_idp_saml.md 
@@ -44,14 +44,14 @@ resource "cyral_integration_idp_saml" "example_integration" { ### Required -- `saml_draft_id` (String) A valid id for a SAML Draft. Must be at least 5 character long. See attribute `id` in resource `cyral_integration_idp_saml_draft`. +- `saml_draft_id` (String) A valid id for a SAML Draft. Must be at least 5 character long. See attribute `id` in resource `cyral_integration_idp_saml_draft`. ### Optional -- `idp_metadata_url` (String) The web address of an IdP SAML Metadata XML document. Conflicts with `idp_metadata_xml`. -- `idp_metadata_xml` (String) Full SAML metadata XML document. Must be base64 encoded. Conflicts with `idp_metadata_url`. +- `idp_metadata_url` (String) The web address of an IdP SAML Metadata XML document. Conflicts with `idp_metadata_xml`. +- `idp_metadata_xml` (String) Full SAML metadata XML document. Must be base64 encoded. Conflicts with `idp_metadata_url`. ### Read-Only -- `id` (String) ID of this resource in the Cyral environment. -- `single_sign_on_service_url` (String) The IdP’s Single Sign-on Service (SSO) URL, where Cyral SP will send SAML AuthnRequests via SAML-POST binding. +- `id` (String) ID of this resource in the Cyral environment. +- `single_sign_on_service_url` (String) The IdP’s Single Sign-on Service (SSO) URL, where Cyral SP will send SAML AuthnRequests via SAML-POST binding. diff --git a/docs/resources/integration_idp_saml_draft.md b/docs/resources/integration_idp_saml_draft.md index c0dd79b7..4a9ade03 100644 --- a/docs/resources/integration_idp_saml_draft.md +++ b/docs/resources/integration_idp_saml_draft.md 
@@ -30,19 +30,19 @@ resource "cyral_integration_idp_saml_draft" "example_draft" { ### Required -- `display_name` (String) Display name used in the Cyral control plane. +- `display_name` (String) Display name used in the Cyral control plane. ### Optional -- `attributes` (Block Set, Max: 1) SAML Attribute names for the identity attributes required by the Cyral SP. Each attribute name MUST be at least 3 characters long. (see [below for nested schema](#nestedblock--attributes)) -- `disable_idp_initiated_login` (Boolean) Whether or not IdP-Initiated login should be disabled for this generic SAML integration draft. Defaults to `false`. -- `idp_type` (String) Identity provider type. The value provided can be used as a filter when retrieving SAML integrations. See data source `cyral_integration_idp_saml`. +- `attributes` (Block Set, Max: 1) SAML Attribute names for the identity attributes required by the Cyral SP. Each attribute name MUST be at least 3 characters long. (see [below for nested schema](#nestedblock--attributes)) +- `disable_idp_initiated_login` (Boolean) Whether or not IdP-Initiated login should be disabled for this generic SAML integration draft. Defaults to `false`. +- `idp_type` (String) Identity provider type. The value provided can be used as a filter when retrieving SAML integrations. See data source `cyral_integration_idp_saml`. ### Read-Only -- `id` (String) ID of this resource in the Cyral environment. -- `service_provider_metadata` (Set of Object) The SP Metadata fields describing the Cyral service provider for this integration. (see [below for nested schema](#nestedatt--service_provider_metadata)) -- `sp_metadata` (String, Deprecated) The SP Metadata document describing the Cyral service provider for this integration. +- `id` (String) ID of this resource in the Cyral environment. +- `service_provider_metadata` (Set of Object) The SP Metadata fields describing the Cyral service provider for this integration. 
(see [below for nested schema](#nestedatt--service_provider_metadata)) +- `sp_metadata` (String, Deprecated) The SP Metadata document describing the Cyral service provider for this integration. @@ -50,10 +50,10 @@ resource "cyral_integration_idp_saml_draft" "example_draft" { Optional: -- `email` (String) The name of the attribute in the incoming SAML assertion containing the users email address. Defaults to `email`. -- `first_name` (String) The name of the attribute in the incoming SAML assertion containing the users first name (given name). Defaults to `firstName`. -- `groups` (String) The name of the attribute in the incoming SAML assertion containing the users group membership in the IdP. Defaults to `memberOf`. -- `last_name` (String) The name of the attribute in the incoming SAML assertion containing the users last name (family name). Defaults to `lastName`. +- `email` (String) The name of the attribute in the incoming SAML assertion containing the users email address. Defaults to `email`. +- `first_name` (String) The name of the attribute in the incoming SAML assertion containing the users first name (given name). Defaults to `firstName`. +- `groups` (String) The name of the attribute in the incoming SAML assertion containing the users group membership in the IdP. Defaults to `memberOf`. +- `last_name` (String) The name of the attribute in the incoming SAML assertion containing the users last name (family name). Defaults to `lastName`. 
@@ -61,11 +61,11 @@ Optional: Read-Only: -- `assertion_consumer_services` (List of Object) (see [below for nested schema](#nestedobjatt--service_provider_metadata--assertion_consumer_services)) -- `entity_id` (String) -- `single_logout_url` (String) -- `url` (String) -- `xml_document` (String) +- `assertion_consumer_services` (List of Object) (see [below for nested schema](#nestedobjatt--service_provider_metadata--assertion_consumer_services)) +- `entity_id` (String) +- `single_logout_url` (String) +- `url` (String) +- `xml_document` (String) @@ -73,5 +73,5 @@ Read-Only: Read-Only: -- `index` (Number) -- `url` (String) +- `index` (Number) +- `url` (String) diff --git a/docs/resources/integration_logging.md b/docs/resources/integration_logging.md index 23fdd5c5..f8ec0db1 100644 --- a/docs/resources/integration_logging.md +++ b/docs/resources/integration_logging.md 
@@ -103,21 +103,21 @@ resource "cyral_integration_logging" "elk_integration" { ### Required -- `name` (String) Name of the logging integration config. +- `name` (String) Name of the logging integration config. ### Optional -- `cloudwatch` (Block Set, Max: 1) Represents the configuration data required for the `AWS` CloudWatch log management system. (see [below for nested schema](#nestedblock--cloudwatch)) -- `datadog` (Block Set, Max: 1) Represents the configuration data required for the Datadog's log management system. (see [below for nested schema](#nestedblock--datadog)) -- `elk` (Block Set, Max: 1) Represents the configuration data required for the ELK stack log management system. (see [below for nested schema](#nestedblock--elk)) -- `fluent_bit` (Block Set, Max: 1) Represents a custom Fluent Bit configuration which will be utilized by the sidecar's log shipper. (see [below for nested schema](#nestedblock--fluent_bit)) -- `receive_audit_logs` (Boolean) Whether or not Cyral audit logs should be forwarded to this logging integration. Declaration not supported in conjunction with `fluent_bit` block. -- `splunk` (Block Set, Max: 1) Represents the configuration data required for the Splunk log management system. (see [below for nested schema](#nestedblock--splunk)) -- `sumo_logic` (Block Set, Max: 1) Represents the configuration data required for the Sumo Logic log management system. (see [below for nested schema](#nestedblock--sumo_logic)) +- `cloudwatch` (Block Set, Max: 1) Represents the configuration data required for the `AWS` CloudWatch log management system. (see [below for nested schema](#nestedblock--cloudwatch)) +- `datadog` (Block Set, Max: 1) Represents the configuration data required for the Datadog's log management system. (see [below for nested schema](#nestedblock--datadog)) +- `elk` (Block Set, Max: 1) Represents the configuration data required for the ELK stack log management system. 
(see [below for nested schema](#nestedblock--elk)) +- `fluent_bit` (Block Set, Max: 1) Represents a custom Fluent Bit configuration which will be utilized by the sidecar's log shipper. (see [below for nested schema](#nestedblock--fluent_bit)) +- `receive_audit_logs` (Boolean) Whether or not Cyral audit logs should be forwarded to this logging integration. Declaration not supported in conjunction with `fluent_bit` block. +- `splunk` (Block Set, Max: 1) Represents the configuration data required for the Splunk log management system. (see [below for nested schema](#nestedblock--splunk)) +- `sumo_logic` (Block Set, Max: 1) Represents the configuration data required for the Sumo Logic log management system. (see [below for nested schema](#nestedblock--sumo_logic)) ### Read-Only -- `id` (String) Unique identifier of the logging integration. +- `id` (String) Unique identifier of the logging integration. @@ -125,12 +125,12 @@ resource "cyral_integration_logging" "elk_integration" { Required: -- `group` (String) CloudWatch log group. -- `region` (String) AWS region. +- `group` (String) CloudWatch log group. +- `region` (String) AWS region. Optional: -- `stream` (String) CloudWatch log stream. Defaults to `cyral-sidecar` if not set. +- `stream` (String) CloudWatch log stream. Defaults to `cyral-sidecar` if not set. @@ -138,7 +138,7 @@ Optional: Required: -- `api_key` (String, Sensitive) DataDog API key. +- `api_key` (String, Sensitive) DataDog API key. 
@@ -146,12 +146,12 @@ Required: Required: -- `es_url` (String) Elasticsearch URL. +- `es_url` (String) Elasticsearch URL. Optional: -- `es_credentials` (Block Set, Max: 1) Credentials used to authenticate to Elastic Search.Can be omitted for unprotected instances. (see [below for nested schema](#nestedblock--elk--es_credentials)) -- `kibana_url` (String) Kibana URL. +- `es_credentials` (Block Set, Max: 1) Credentials used to authenticate to Elastic Search.Can be omitted for unprotected instances. (see [below for nested schema](#nestedblock--elk--es_credentials)) +- `kibana_url` (String) Kibana URL. @@ -159,8 +159,8 @@ Optional: Required: -- `password` (String, Sensitive) Elasticsearch password. -- `username` (String) Elasticsearch username. +- `password` (String, Sensitive) Elasticsearch password. +- `username` (String) Elasticsearch username. @@ -168,11 +168,11 @@ Required: Required: -- `config` (String) Fluent Bit configuration, in 'classic mode' INI format. For more details, see: https://docs.fluentbit.io/manual/administration/configuring-fluent-bit/classic-mode/configuration-file +- `config` (String) Fluent Bit configuration, in 'classic mode' INI format. For more details, see: https://docs.fluentbit.io/manual/administration/configuring-fluent-bit/classic-mode/configuration-file Optional: -- `skip_validate` (Boolean) Whether to validate the Fluent Bit config. +- `skip_validate` (Boolean) Whether to validate the Fluent Bit config. 
@@ -180,14 +180,14 @@ Optional: Required: -- `access_token` (String, Sensitive) Splunk access token. -- `hec_port` (String) Splunk HTTP Event Collector (HEC) port. -- `hostname` (String) Splunk hostname. +- `access_token` (String, Sensitive) Splunk access token. +- `hec_port` (String) Splunk HTTP Event Collector (HEC) port. +- `hostname` (String) Splunk hostname. Optional: -- `index` (String) Splunk index which logs should be indexed to. -- `use_tls` (Boolean) Whether or not to use TLS. +- `index` (String) Splunk index which logs should be indexed to. +- `use_tls` (Boolean) Whether or not to use TLS. @@ -195,4 +195,4 @@ Optional: Required: -- `address` (String) Sumo Logic HTTP collector address. A full URL is expected +- `address` (String) Sumo Logic HTTP collector address. A full URL is expected diff --git a/docs/resources/integration_logstash.md b/docs/resources/integration_logstash.md index 673bb7e2..2d46975e 100644 --- a/docs/resources/integration_logstash.md +++ b/docs/resources/integration_logstash.md @@ -3,7 +3,7 @@ page_title: "cyral_integration_logstash Resource - terraform-provider-cyral" subcategory: "" description: |- - ~> DEPRECATED Use resource cyral_integration_logging instead. + ~> DEPRECATED Use resource cyral_integration_logging instead. --- # cyral_integration_logstash (Resource) 
@@ -28,12 +28,12 @@ resource "cyral_integration_logstash" "some_resource_name" { ### Required -- `endpoint` (String, Sensitive) The endpoint used to connect to Logstash. -- `name` (String) Integration name that will be used internally in the control plane. -- `use_mutual_authentication` (Boolean) Logstash configured to use mutual authentication. -- `use_private_certificate_chain` (Boolean) Logstash configured to use private certificate chain. -- `use_tls` (Boolean) Logstash configured to use mutual TLS. +- `endpoint` (String, Sensitive) The endpoint used to connect to Logstash. +- `name` (String) Integration name that will be used internally in the control plane. +- `use_mutual_authentication` (Boolean) Logstash configured to use mutual authentication. +- `use_private_certificate_chain` (Boolean) Logstash configured to use private certificate chain. +- `use_tls` (Boolean) Logstash configured to use mutual TLS. ### Read-Only -- `id` (String) ID of this resource in Cyral environment +- `id` (String) ID of this resource in Cyral environment diff --git a/docs/resources/integration_looker.md b/docs/resources/integration_looker.md index defbcad5..c75faf12 100644 --- a/docs/resources/integration_looker.md +++ b/docs/resources/integration_looker.md @@ -3,7 +3,7 @@ page_title: "cyral_integration_looker Resource - terraform-provider-cyral" subcategory: "" description: |- - ~> DEPRECATED Integration no longer supported. + ~> DEPRECATED Integration no longer supported. --- # cyral_integration_looker (Resource) 
@@ -26,10 +26,10 @@ resource "cyral_integration_looker" "some_resource_name" { ### Required -- `client_id` (String, Sensitive) Looker client id. -- `client_secret` (String, Sensitive) Looker client secret. -- `url` (String) Looker integration url. +- `client_id` (String, Sensitive) Looker client id. +- `client_secret` (String, Sensitive) Looker client secret. +- `url` (String) Looker integration url. ### Read-Only -- `id` (String) ID of this resource in Cyral environment +- `id` (String) ID of this resource in Cyral environment diff --git a/docs/resources/integration_mfa_duo.md b/docs/resources/integration_mfa_duo.md index 883bad8f..daa9eab9 100644 --- a/docs/resources/integration_mfa_duo.md +++ b/docs/resources/integration_mfa_duo.md @@ -3,7 +3,7 @@ page_title: "cyral_integration_mfa_duo Resource - terraform-provider-cyral" subcategory: "" description: |- - Manages integration with Duo MFA https://cyral.com/docs/mfa/duo. + Manages integration with Duo MFA https://cyral.com/docs/mfa/duo. --- # cyral_integration_mfa_duo (Resource) @@ -16,11 +16,11 @@ Manages [integration with Duo MFA](https://cyral.com/docs/mfa/duo). ### Required -- `api_hostname` (String) API hostname obtained from Duo management console. -- `integration_key` (String) Integration key name obtained from Duo management console. -- `name` (String) Integration display name that will be used in the control plane. -- `secret_key` (String, Sensitive) Secret key obtained from Duo management console. +- `api_hostname` (String) API hostname obtained from Duo management console. +- `integration_key` (String) Integration key name obtained from Duo management console. +- `name` (String) Integration display name that will be used in the control plane. +- `secret_key` (String, Sensitive) Secret key obtained from Duo management console. ### Read-Only -- `id` (String) ID of this resource in Cyral environment +- `id` (String) ID of this resource in Cyral environment 
diff --git a/docs/resources/integration_microsoft_teams.md b/docs/resources/integration_microsoft_teams.md index 540485a0..cee3046c 100644 --- a/docs/resources/integration_microsoft_teams.md +++ b/docs/resources/integration_microsoft_teams.md @@ -3,7 +3,7 @@ page_title: "cyral_integration_microsoft_teams Resource - terraform-provider-cyral" subcategory: "" description: |- - Manages integration with Microsoft Teams https://cyral.com/docs/integrations/messaging/microsoft-teams/. + Manages integration with Microsoft Teams https://cyral.com/docs/integrations/messaging/microsoft-teams/. --- # cyral_integration_microsoft_teams (Resource) @@ -25,9 +25,9 @@ resource "cyral_integration_microsoft_teams" "some_resource_name" { ### Required -- `name` (String) Integration name that will be used internally in the control plane. -- `url` (String, Sensitive) Microsoft Teams webhook URL. +- `name` (String) Integration name that will be used internally in the control plane. +- `url` (String, Sensitive) Microsoft Teams webhook URL. ### Read-Only -- `id` (String) ID of this resource in Cyral environment +- `id` (String) ID of this resource in Cyral environment diff --git a/docs/resources/integration_pager_duty.md b/docs/resources/integration_pager_duty.md index 6c604528..da818cc9 100644 --- a/docs/resources/integration_pager_duty.md +++ b/docs/resources/integration_pager_duty.md @@ -3,7 +3,7 @@ page_title: "cyral_integration_pager_duty Resource - terraform-provider-cyral" subcategory: "" description: |- - Manages integration with PagerDuty https://cyral.com/docs/integrations/incident-response/pagerduty/#in-cyral. + Manages integration with PagerDuty https://cyral.com/docs/integrations/incident-response/pagerduty/#in-cyral. --- # cyral_integration_pager_duty (Resource) 
@@ -25,9 +25,9 @@ resource "cyral_integration_pager_duty" "some_resource_name" { ### Required -- `api_token` (String, Sensitive) API token for the PagerDuty integration. -- `name` (String) Integration display name that will be used in the control plane. +- `api_token` (String, Sensitive) API token for the PagerDuty integration. +- `name` (String) Integration display name that will be used in the control plane. ### Read-Only -- `id` (String) ID of this resource in Cyral environment +- `id` (String) ID of this resource in Cyral environment diff --git a/docs/resources/integration_slack_alerts.md b/docs/resources/integration_slack_alerts.md index d141ea17..b8ca12a6 100644 --- a/docs/resources/integration_slack_alerts.md +++ b/docs/resources/integration_slack_alerts.md @@ -3,7 +3,7 @@ page_title: "cyral_integration_slack_alerts Resource - terraform-provider-cyral" subcategory: "" description: |- - Manages integration with Slack to push alerts https://cyral.com/docs/integrations/messaging/slack. + Manages integration with Slack to push alerts https://cyral.com/docs/integrations/messaging/slack. --- # cyral_integration_slack_alerts (Resource) @@ -25,9 +25,9 @@ resource "cyral_integration_slack_alerts" "some_resource_name" { ### Required -- `name` (String) Integration name that will be used internally in the control plane. -- `url` (String, Sensitive) Slack Alert Webhook url. +- `name` (String) Integration name that will be used internally in the control plane. +- `url` (String, Sensitive) Slack Alert Webhook url. ### Read-Only -- `id` (String) ID of this resource in Cyral environment +- `id` (String) ID of this resource in Cyral environment diff --git a/docs/resources/integration_splunk.md b/docs/resources/integration_splunk.md index 82c3a4cc..210824aa 100644 --- a/docs/resources/integration_splunk.md +++ b/docs/resources/integration_splunk.md 
@@ -3,7 +3,7 @@ page_title: "cyral_integration_splunk Resource - terraform-provider-cyral" subcategory: "" description: |- - ~> DEPRECATED Use resource cyral_integration_logging instead. + ~> DEPRECATED Use resource cyral_integration_logging instead. --- # cyral_integration_splunk (Resource) @@ -29,13 +29,13 @@ resource "cyral_integration_splunk" "some_resource_name" { ### Required -- `access_token` (String, Sensitive) Splunk access token. -- `host` (String) Splunk host. -- `index` (String) Splunk data index name. -- `name` (String) Integration name that will be used internally in the control plane. -- `port` (Number) Splunk host port. -- `use_tls` (Boolean) Should the communication with Splunk use TLS encryption? +- `access_token` (String, Sensitive) Splunk access token. +- `host` (String) Splunk host. +- `index` (String) Splunk data index name. +- `name` (String) Integration name that will be used internally in the control plane. +- `port` (Number) Splunk host port. +- `use_tls` (Boolean) Should the communication with Splunk use TLS encryption? ### Read-Only -- `id` (String) ID of this resource in Cyral environment +- `id` (String) ID of this resource in Cyral environment diff --git a/docs/resources/integration_sumo_logic.md b/docs/resources/integration_sumo_logic.md index 81a8106d..a36293a7 100644 --- a/docs/resources/integration_sumo_logic.md +++ b/docs/resources/integration_sumo_logic.md @@ -3,7 +3,7 @@ page_title: "cyral_integration_sumo_logic Resource - terraform-provider-cyral" subcategory: "" description: |- - ~> DEPRECATED Use resource cyral_integration_logging instead. + ~> DEPRECATED Use resource cyral_integration_logging instead. --- # cyral_integration_sumo_logic (Resource) 
@@ -25,9 +25,9 @@ resource "cyral_integration_sumo_logic" "some_resource_name" { ### Required -- `address` (String, Sensitive) Sumo Logic address. -- `name` (String) Integration name that will be used internally in the control plane. +- `address` (String, Sensitive) Sumo Logic address. +- `name` (String) Integration name that will be used internally in the control plane. ### Read-Only -- `id` (String) ID of this resource in Cyral environment +- `id` (String) ID of this resource in Cyral environment diff --git a/docs/resources/policy.md b/docs/resources/policy.md index af3e3f91..793301de 100644 --- a/docs/resources/policy.md +++ b/docs/resources/policy.md @@ -3,7 +3,7 @@ page_title: "cyral_policy Resource - terraform-provider-cyral" subcategory: "" description: |- - Manages policies https://cyral.com/docs/reference/policy. See also: Policy Rule ./policy_rule.md. For more information, see the Policy Guide https://cyral.com/docs/policy/overview. + Manages policies https://cyral.com/docs/reference/policy. See also: Policy Rule ./policy_rule.md. For more information, see the Policy Guide https://cyral.com/docs/policy/overview. --- # cyral_policy (Resource) 
@@ -29,21 +29,21 @@ resource "cyral_policy" "some_resource_name" { ### Required -- `name` (String) Policy name that will be used internally in Control Plane (ex: `your_policy_name`). +- `name` (String) Policy name that will be used internally in Control Plane (ex: `your_policy_name`). ### Optional -- `data` (List of String) List that specify which data fields a policy manages. Each field is represented by the LABEL you established for it in your data map. The actual location of that data (the names of fields, columns, or databases that hold it) is listed in the data map. -- `data_label_tags` (List of String) List of tags that represent sets of data labels (established in your data map) that are used to specify the collections of data labels that the policy manages. For more information, see [The tags block of a policy](https://cyral.com/docs/policy/policy-structure#the-tags-block-of-a-policy) -- `description` (String) String that describes the policy (ex: `your_policy_description`). -- `enabled` (Boolean) Boolean that causes a policy to be enabled or disabled. -- `metadata_tags` (List of String) Metadata tags that can be used to organize and/or classify your policies (ex: `[your_tag1, your_tag2]`). -- `tags` (List of String, Deprecated) Metadata tags that can be used to organize and/or classify your policies (ex: `[your_tag1, your_tag2]`). +- `data` (List of String) List that specify which data fields a policy manages. Each field is represented by the LABEL you established for it in your data map. The actual location of that data (the names of fields, columns, or databases that hold it) is listed in the data map. +- `data_label_tags` (List of String) List of tags that represent sets of data labels (established in your data map) that are used to specify the collections of data labels that the policy manages. 
For more information, see [The tags block of a policy](https://cyral.com/docs/policy/policy-structure#the-tags-block-of-a-policy) +- `description` (String) String that describes the policy (ex: `your_policy_description`). +- `enabled` (Boolean) Boolean that causes a policy to be enabled or disabled. +- `metadata_tags` (List of String) Metadata tags that can be used to organize and/or classify your policies (ex: `[your_tag1, your_tag2]`). +- `tags` (List of String, Deprecated) Metadata tags that can be used to organize and/or classify your policies (ex: `[your_tag1, your_tag2]`). ### Read-Only -- `created` (String) Timestamp for the policy creation. -- `id` (String) The ID of this resource. -- `last_updated` (String) Timestamp for the last update performed in this policy. -- `type` (String) Policy type. -- `version` (String) Incremental counter for every update on the policy. +- `created` (String) Timestamp for the policy creation. +- `id` (String) The ID of this resource. +- `last_updated` (String) Timestamp for the last update performed in this policy. +- `type` (String) Policy type. +- `version` (String) Incremental counter for every update on the policy. diff --git a/docs/resources/policy_rule.md b/docs/resources/policy_rule.md index 148b52f2..4c53c0fd 100644 --- a/docs/resources/policy_rule.md +++ b/docs/resources/policy_rule.md 
@@ -63,20 +63,20 @@ resource "cyral_policy_rule" "some_resource_name" { ### Required -- `policy_id` (String) The ID of the policy you are adding this rule to. +- `policy_id` (String) The ID of the policy you are adding this rule to. ### Optional -- `deletes` (Block List) A contexted rule for accesses of the type `delete`. (see [below for nested schema](#nestedblock--deletes)) -- `hosts` (List of String) Hosts specification that limits access to only those users connecting from a certain network location. -- `identities` (Block List, Max: 1) Identities specifies the people, applications, or groups this rule applies to. Every rule except your default rule has one. It can have 4 fields: `db_roles`, `groups`, `users` and `services`. (see [below for nested schema](#nestedblock--identities)) -- `reads` (Block List) A contexted rule for accesses of the type `read`. (see [below for nested schema](#nestedblock--reads)) -- `updates` (Block List) A contexted rule for accesses of the type `update`. (see [below for nested schema](#nestedblock--updates)) +- `deletes` (Block List) A contexted rule for accesses of the type `delete`. (see [below for nested schema](#nestedblock--deletes)) +- `hosts` (List of String) Hosts specification that limits access to only those users connecting from a certain network location. +- `identities` (Block List, Max: 1) Identities specifies the people, applications, or groups this rule applies to. Every rule except your default rule has one. It can have 4 fields: `db_roles`, `groups`, `users` and `services`. (see [below for nested schema](#nestedblock--identities)) +- `reads` (Block List) A contexted rule for accesses of the type `read`. (see [below for nested schema](#nestedblock--reads)) +- `updates` (Block List) A contexted rule for accesses of the type `update`. (see [below for nested schema](#nestedblock--updates)) ### Read-Only -- `id` (String) The ID of this resource. -- `policy_rule_id` (String) The ID of the policy rule. 
+- `id` (String) The ID of this resource. +- `policy_rule_id` (String) The ID of the policy rule. 
@@ -84,15 +84,15 @@ resource "cyral_policy_rule" "some_resource_name" { Required: -- `data` (List of String) The data locations protected by this rule. Use `*` if you want to define `any` data location. For more information, see the [policy rules](https://cyral.com/docs/policy/rules#contexted-rules) documentation. -- `rows` (Number) The number of records (for example, rows or documents) that can be accessed/affected in a single statement. Use positive integer numbers to define how many records. If you want to define `any` number of records, set to `-1`. +- `data` (List of String) The data locations protected by this rule. Use `*` if you want to define `any` data location. For more information, see the [policy rules](https://cyral.com/docs/policy/rules#contexted-rules) documentation. +- `rows` (Number) The number of records (for example, rows or documents) that can be accessed/affected in a single statement. Use positive integer numbers to define how many records. If you want to define `any` number of records, set to `-1`. Optional: -- `additional_checks` (String) Constraints on the data access specified in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/). See [Additional checks](https://cyral.com/docs/policy/rules/#additional-checks). -- `dataset_rewrites` (Block List) Defines how requests should be rewritten in the case of policy violations. See [Request rewriting](https://cyral.com/docs/policy/rules/#request-rewriting). (see [below for nested schema](#nestedblock--deletes--dataset_rewrites)) -- `rate_limit` (Number) Rate Limit specifies the limit of calls that a user can make within a given time period. -- `severity` (String) severity level that's recorded when someone violate this rule. This is an informational value. Settings: (`low` | `medium` | `high`). If not specified, the severity is considered to be low. 
+- `additional_checks` (String) Constraints on the data access specified in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/). See [Additional checks](https://cyral.com/docs/policy/rules/#additional-checks). +- `dataset_rewrites` (Block List) Defines how requests should be rewritten in the case of policy violations. See [Request rewriting](https://cyral.com/docs/policy/rules/#request-rewriting). (see [below for nested schema](#nestedblock--deletes--dataset_rewrites)) +- `rate_limit` (Number) Rate Limit specifies the limit of calls that a user can make within a given time period. +- `severity` (String) severity level that's recorded when someone violate this rule. This is an informational value. Settings: (`low` | `medium` | `high`). If not specified, the severity is considered to be low. @@ -100,10 +100,10 @@ Optional: Required: -- `dataset` (String) The dataset that should be rewritten.In the case of Snowflake, this denotes a fully qualified table name in the form: `..` -- `parameters` (List of String) The set of parameters used in the substitution request, these are references to fields in the activity log as described in the [Additional Checks section](https://cyral.com/docs/policy/rules/#additional-checks). -- `repo` (String) The name of the repository that the rewrite applies to. -- `substitution` (String) The request used to substitute references to the dataset. +- `dataset` (String) The dataset that should be rewritten.In the case of Snowflake, this denotes a fully qualified table name in the form: `..
` +- `parameters` (List of String) The set of parameters used in the substitution request, these are references to fields in the activity log as described in the [Additional Checks section](https://cyral.com/docs/policy/rules/#additional-checks). +- `repo` (String) The name of the repository that the rewrite applies to. +- `substitution` (String) The request used to substitute references to the dataset. @@ -111,10 +111,10 @@ Required: Optional: -- `db_roles` (List of String) Database roles that this rule will apply to. -- `groups` (List of String) Groups that this rule will apply to. -- `services` (List of String) Services that this rule will apply to. -- `users` (List of String) Users that this rule will apply to. +- `db_roles` (List of String) Database roles that this rule will apply to. +- `groups` (List of String) Groups that this rule will apply to. +- `services` (List of String) Services that this rule will apply to. +- `users` (List of String) Users that this rule will apply to. 
@@ -122,15 +122,15 @@ Optional: Required: -- `data` (List of String) The data locations protected by this rule. Use `*` if you want to define `any` data location. For more information, see the [policy rules](https://cyral.com/docs/policy/rules#contexted-rules) documentation. -- `rows` (Number) The number of records (for example, rows or documents) that can be accessed/affected in a single statement. Use positive integer numbers to define how many records. If you want to define `any` number of records, set to `-1`. +- `data` (List of String) The data locations protected by this rule. Use `*` if you want to define `any` data location. For more information, see the [policy rules](https://cyral.com/docs/policy/rules#contexted-rules) documentation. +- `rows` (Number) The number of records (for example, rows or documents) that can be accessed/affected in a single statement. Use positive integer numbers to define how many records. If you want to define `any` number of records, set to `-1`. Optional: -- `additional_checks` (String) Constraints on the data access specified in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/). See [Additional checks](https://cyral.com/docs/policy/rules/#additional-checks). -- `dataset_rewrites` (Block List) Defines how requests should be rewritten in the case of policy violations. See [Request rewriting](https://cyral.com/docs/policy/rules/#request-rewriting). (see [below for nested schema](#nestedblock--reads--dataset_rewrites)) -- `rate_limit` (Number) Rate Limit specifies the limit of calls that a user can make within a given time period. -- `severity` (String) severity level that's recorded when someone violate this rule. This is an informational value. Settings: (`low` | `medium` | `high`). If not specified, the severity is considered to be low. +- `additional_checks` (String) Constraints on the data access specified in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/). 
See [Additional checks](https://cyral.com/docs/policy/rules/#additional-checks). +- `dataset_rewrites` (Block List) Defines how requests should be rewritten in the case of policy violations. See [Request rewriting](https://cyral.com/docs/policy/rules/#request-rewriting). (see [below for nested schema](#nestedblock--reads--dataset_rewrites)) +- `rate_limit` (Number) Rate Limit specifies the limit of calls that a user can make within a given time period. +- `severity` (String) severity level that's recorded when someone violate this rule. This is an informational value. Settings: (`low` | `medium` | `high`). If not specified, the severity is considered to be low. @@ -138,10 +138,10 @@ Optional: Required: -- `dataset` (String) The dataset that should be rewritten.In the case of Snowflake, this denotes a fully qualified table name in the form: `..
` -- `parameters` (List of String) The set of parameters used in the substitution request, these are references to fields in the activity log as described in the [Additional Checks section](https://cyral.com/docs/policy/rules/#additional-checks). -- `repo` (String) The name of the repository that the rewrite applies to. -- `substitution` (String) The request used to substitute references to the dataset. +- `dataset` (String) The dataset that should be rewritten.In the case of Snowflake, this denotes a fully qualified table name in the form: `..
` +- `parameters` (List of String) The set of parameters used in the substitution request, these are references to fields in the activity log as described in the [Additional Checks section](https://cyral.com/docs/policy/rules/#additional-checks). +- `repo` (String) The name of the repository that the rewrite applies to. +- `substitution` (String) The request used to substitute references to the dataset. 
@@ -149,15 +149,15 @@ Required: Required: -- `data` (List of String) The data locations protected by this rule. Use `*` if you want to define `any` data location. For more information, see the [policy rules](https://cyral.com/docs/policy/rules#contexted-rules) documentation. -- `rows` (Number) The number of records (for example, rows or documents) that can be accessed/affected in a single statement. Use positive integer numbers to define how many records. If you want to define `any` number of records, set to `-1`. +- `data` (List of String) The data locations protected by this rule. Use `*` if you want to define `any` data location. For more information, see the [policy rules](https://cyral.com/docs/policy/rules#contexted-rules) documentation. +- `rows` (Number) The number of records (for example, rows or documents) that can be accessed/affected in a single statement. Use positive integer numbers to define how many records. If you want to define `any` number of records, set to `-1`. Optional: -- `additional_checks` (String) Constraints on the data access specified in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/). See [Additional checks](https://cyral.com/docs/policy/rules/#additional-checks). -- `dataset_rewrites` (Block List) Defines how requests should be rewritten in the case of policy violations. See [Request rewriting](https://cyral.com/docs/policy/rules/#request-rewriting). (see [below for nested schema](#nestedblock--updates--dataset_rewrites)) -- `rate_limit` (Number) Rate Limit specifies the limit of calls that a user can make within a given time period. -- `severity` (String) severity level that's recorded when someone violate this rule. This is an informational value. Settings: (`low` | `medium` | `high`). If not specified, the severity is considered to be low. +- `additional_checks` (String) Constraints on the data access specified in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/). 
See [Additional checks](https://cyral.com/docs/policy/rules/#additional-checks). +- `dataset_rewrites` (Block List) Defines how requests should be rewritten in the case of policy violations. See [Request rewriting](https://cyral.com/docs/policy/rules/#request-rewriting). (see [below for nested schema](#nestedblock--updates--dataset_rewrites)) +- `rate_limit` (Number) Rate Limit specifies the limit of calls that a user can make within a given time period. +- `severity` (String) severity level that's recorded when someone violate this rule. This is an informational value. Settings: (`low` | `medium` | `high`). If not specified, the severity is considered to be low. @@ -165,7 +165,7 @@ Optional: Required: -- `dataset` (String) The dataset that should be rewritten.In the case of Snowflake, this denotes a fully qualified table name in the form: `..
` -- `parameters` (List of String) The set of parameters used in the substitution request, these are references to fields in the activity log as described in the [Additional Checks section](https://cyral.com/docs/policy/rules/#additional-checks). -- `repo` (String) The name of the repository that the rewrite applies to. -- `substitution` (String) The request used to substitute references to the dataset. +- `dataset` (String) The dataset that should be rewritten.In the case of Snowflake, this denotes a fully qualified table name in the form: `..
` +- `parameters` (List of String) The set of parameters used in the substitution request, these are references to fields in the activity log as described in the [Additional Checks section](https://cyral.com/docs/policy/rules/#additional-checks). +- `repo` (String) The name of the repository that the rewrite applies to. +- `substitution` (String) The request used to substitute references to the dataset. diff --git a/docs/resources/rego_policy_instance.md b/docs/resources/rego_policy_instance.md index 6d14d2e7..9fbf657c 100644 --- a/docs/resources/rego_policy_instance.md +++ b/docs/resources/rego_policy_instance.md 
@@ -73,83 +73,83 @@ All templates use parameters defined as JSON, below is a list of all the corresp ### Data Firewall (data-firewall) -- `dataSet` (String) Data Set. -- `dataFilter` (String) Data filter that will be applied when anyone tries to read the specified data labels from the data set. -- `tags` (Array) Tags. -- `labels` (Array) Data Labels. -- `excludedIdentities` (Object) Identities that will be excluded from this policy. See [identityList](#objects--identityList). +- `dataSet` (String) Data Set. +- `dataFilter` (String) Data filter that will be applied when anyone tries to read the specified data labels from the data set. +- `tags` (Array) Tags. +- `labels` (Array) Data Labels. +- `excludedIdentities` (Object) Identities that will be excluded from this policy. See [identityList](#objects--identityList). ### Data Masking (data-masking) -- `maskType` (String) Mask Type (E.g.: `NULL_MASK`, `CONSTANT_MASK`, `MASK`). -- `maskArguments` (Array) Mask Argument associated to the given Mask Type (E.g.: Replacement Value). -- `tags` (Array) Tags. -- `labels` (Array) Data Labels. -- `identities` (Object) Identities associated to the policy. If empty, the policy will be associated to all identities. See [identities](#objects--identities). -- `dbAccounts` (Object) Database Accounts associated to the policy. If empty, the policy will be associated to any database account. See [dbAccounts](#objects--dbAccounts). +- `maskType` (String) Mask Type (E.g.: `NULL_MASK`, `CONSTANT_MASK`, `MASK`). +- `maskArguments` (Array) Mask Argument associated to the given Mask Type (E.g.: Replacement Value). +- `tags` (Array) Tags. +- `labels` (Array) Data Labels. +- `identities` (Object) Identities associated to the policy. If empty, the policy will be associated to all identities. See [identities](#objects--identities). +- `dbAccounts` (Object) Database Accounts associated to the policy. If empty, the policy will be associated to any database account. 
See [dbAccounts](#objects--dbAccounts). ### Data Protection (data-protection) -- `block` (Boolean) Policy action to block. -- `monitorReads` (Boolean) Monitor read operations. -- `monitorUpdates` (Boolean) Monitor update operations. -- `monitorDeletes` (Boolean) Monitor delete operations. -- `tags` (Array) Tags. -- `labels` (Array) Data Labels. -- `identities` (Object) Identities associated to the policy. If empty, the policy will be associated to all identities. See [identities](#objects--identities). -- `dbAccounts` (Object) Database Accounts associated to the policy. If empty, the policy will be associated to any database account. See [dbAccounts](#objects--dbAccounts). -- `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`. +- `block` (Boolean) Policy action to block. +- `monitorReads` (Boolean) Monitor read operations. +- `monitorUpdates` (Boolean) Monitor update operations. +- `monitorDeletes` (Boolean) Monitor delete operations. +- `tags` (Array) Tags. +- `labels` (Array) Data Labels. +- `identities` (Object) Identities associated to the policy. If empty, the policy will be associated to all identities. See [identities](#objects--identities). +- `dbAccounts` (Object) Database Accounts associated to the policy. If empty, the policy will be associated to any database account. See [dbAccounts](#objects--dbAccounts). +- `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`. ### Ephemeral Grant (EphemeralGrantPolicy) -- `repoAccount` (String) Repository Account Name. -- `repo` (String) Repository Name. -- `allowedSensitiveAttributes` (Array) Allowed Sensitive Attributes. +- `repoAccount` (String) Repository Account Name. +- `repo` (String) Repository Name. +- `allowedSensitiveAttributes` (Array) Allowed Sensitive Attributes. 
### Rate Limit (rate-limit) -- `rateLimit` (Integer) Maximum number of rows that can be returned per hour. Note: the value must be an integer greater than zero. -- `block` (Boolean) Policy action to enforce. -- `tags` (Array) Tags. -- `labels` (Array) Data Labels. -- `identities` (Object) Identities associated to the policy. If empty, the policy will be associated to all identities. See [identities](#objects--identities). -- `dbAccounts` (Object) Database Accounts associated to the policy. If empty, the policy will be associated to any database account. See [dbAccounts](#objects--dbAccounts). -- `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`. +- `rateLimit` (Integer) Maximum number of rows that can be returned per hour. Note: the value must be an integer greater than zero. +- `block` (Boolean) Policy action to enforce. +- `tags` (Array) Tags. +- `labels` (Array) Data Labels. +- `identities` (Object) Identities associated to the policy. If empty, the policy will be associated to all identities. See [identities](#objects--identities). +- `dbAccounts` (Object) Database Accounts associated to the policy. If empty, the policy will be associated to any database account. See [dbAccounts](#objects--dbAccounts). +- `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`. ### Read Limit (read-limit) -- `rowLimit` (Integer) Maximum number of rows that can be read per query. Note: the value must be an integer greater than zero. -- `block` (Boolean) Policy action to enforce. -- `appliesToAllData` (Boolean) Whether the policy should apply to the entire repository data. -- `tags` (Array) Tags. -- `labels` (Array) Data Labels. -- `identities` (Object) Identities associated to the policy. If empty, the policy will be associated to all identities. See [identities](#objects--identities). 
-- `dbAccounts` (Object) Database Accounts associated to the policy. If empty, the policy will be associated to any database account. See [dbAccounts](#objects--dbAccounts). -- `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`. +- `rowLimit` (Integer) Maximum number of rows that can be read per query. Note: the value must be an integer greater than zero. +- `block` (Boolean) Policy action to enforce. +- `appliesToAllData` (Boolean) Whether the policy should apply to the entire repository data. +- `tags` (Array) Tags. +- `labels` (Array) Data Labels. +- `identities` (Object) Identities associated to the policy. If empty, the policy will be associated to all identities. See [identities](#objects--identities). +- `dbAccounts` (Object) Database Accounts associated to the policy. If empty, the policy will be associated to any database account. See [dbAccounts](#objects--dbAccounts). +- `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`. ### Repository Protection (repository-protection) -- `rowLimit` (Integer) Maximum number of rows that can be modified per query. Note: the value must be an integer greater than zero. -- `monitorUpdates` (Boolean) Monitor update operations. -- `monitorDeletes` (Boolean) Monitor delete operations. -- `identities` (Object) Identities associated to the policy. If empty, the policy will be associated to all identities. See [identities](#objects--identities). -- `dbAccounts` (Object) Database Accounts associated to the policy. If empty, the policy will be associated to any database account. See [dbAccounts](#objects--dbAccounts). -- `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`. +- `rowLimit` (Integer) Maximum number of rows that can be modified per query. Note: the value must be an integer greater than zero. 
+- `monitorUpdates` (Boolean) Monitor update operations. +- `monitorDeletes` (Boolean) Monitor delete operations. +- `identities` (Object) Identities associated to the policy. If empty, the policy will be associated to all identities. See [identities](#objects--identities). +- `dbAccounts` (Object) Database Accounts associated to the policy. If empty, the policy will be associated to any database account. See [dbAccounts](#objects--dbAccounts). +- `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`. ### Service Account Abuse (service-account-abuse) -- `block` (Boolean) Policy action to enforce. -- `serviceAccounts` (Array) Service accounts for which end user attribution is always required. -- `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`. +- `block` (Boolean) Policy action to enforce. +- `serviceAccounts` (Array) Service accounts for which end user attribution is always required. +- `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`. ### User Segmentation (user-segmentation) -- `dataSet` (String) Data Set. -- `dataFilter` (String) Data filter that will be applied when anyone tries to read the specified data labels from the data set. -- `tags` (Array) Tags. -- `labels` (Array) Data Labels. -- `includedIdentities` (Object) Identities that cannot see restricted records. See [identityList](#objects--identityList). -- `includedDbAccounts` (Array) Database accounts cannot see restricted records. +- `dataSet` (String) Data Set. +- `dataFilter` (String) Data filter that will be applied when anyone tries to read the specified data labels from the data set. +- `tags` (Array) Tags. +- `labels` (Array) Data Labels. +- `includedIdentities` (Object) Identities that cannot see restricted records. See [identityList](#objects--identityList). 
+- `includedDbAccounts` (Array) Database accounts cannot see restricted records. @@ -157,18 +157,18 @@ All templates use parameters defined as JSON, below is a list of all the corresp -- `identities` (Object) Identities. See properties below: - - `included` (Object) Included Identities. See [identityList](#objects--identityList). - - `excluded` (Object) Excluded Identities. See [identityList](#objects--identityList). - -- `dbAccounts` (Object) Database Accounts. See properties below: - - `included` (Array) Included Database Accounts. - - `excluded` (Array) Excluded Database Accounts. - -- `identityList` (Object) Identity List. See properties below: - - `userNames` (Array) Identity Emails. - - `emails` (Array) Identity Usernames. - - `groups` (Array) Identity Groups. +- `identities` (Object) Identities. See properties below: + - `included` (Object) Included Identities. See [identityList](#objects--identityList). + - `excluded` (Object) Excluded Identities. See [identityList](#objects--identityList). + +- `dbAccounts` (Object) Database Accounts. See properties below: + - `included` (Array) Included Database Accounts. + - `excluded` (Array) Excluded Database Accounts. + +- `identityList` (Object) Identity List. See properties below: + - `userNames` (Array) Identity Emails. + - `emails` (Array) Identity Usernames. + - `groups` (Array) Identity Groups. 
@@ -176,37 +176,37 @@ All templates use parameters defined as JSON, below is a list of all the corresp ### Required -- `category` (String) Policy category. List of supported categories: - - `SECURITY` - - `GRANT` - - `USER_DEFINED` -- `name` (String) Policy name. -- `template_id` (String) Policy template identifier. Predefined templates are: - - `data-firewall` - - `data-masking` - - `data-protection` - - `EphemeralGrantPolicy` - - `rate-limit` - - `read-limit` - - `repository-protection` - - `service-account-abuse` - - `user-segmentation` +- `category` (String) Policy category. List of supported categories: + - `SECURITY` + - `GRANT` + - `USER_DEFINED` +- `name` (String) Policy name. +- `template_id` (String) Policy template identifier. Predefined templates are: + - `data-firewall` + - `data-masking` + - `data-protection` + - `EphemeralGrantPolicy` + - `rate-limit` + - `read-limit` + - `repository-protection` + - `service-account-abuse` + - `user-segmentation` ### Optional -- `description` (String) Policy description. -- `duration` (String) Policy duration. The policy expires after the duration specified. Should follow the protobuf duration string format, which corresponds to a sequence of decimal numbers suffixed by a 's' at the end, representing the duration in seconds. For example: `300s`, `60s`, `10.50s`, etc. -- `enabled` (Boolean) Enable/disable the policy. Defaults to `false` (Disabled). -- `parameters` (String) Policy parameters. The parameters vary based on the policy template schema. -- `scope` (Block Set, Max: 1) Determines the scope that the policy applies to. It can be used to create a repo-level policy by specifying the corresponding `repo_ids` that this policy should be applied. (see [below for nested schema](#nestedblock--scope)) -- `tags` (List of String) Tags that can be used to categorize the policy. +- `description` (String) Policy description. +- `duration` (String) Policy duration. The policy expires after the duration specified. 
Should follow the protobuf duration string format, which corresponds to a sequence of decimal numbers suffixed by a 's' at the end, representing the duration in seconds. For example: `300s`, `60s`, `10.50s`, etc. +- `enabled` (Boolean) Enable/disable the policy. Defaults to `false` (Disabled). +- `parameters` (String) Policy parameters. The parameters vary based on the policy template schema. +- `scope` (Block Set, Max: 1) Determines the scope that the policy applies to. It can be used to create a repo-level policy by specifying the corresponding `repo_ids` that this policy should be applied. (see [below for nested schema](#nestedblock--scope)) +- `tags` (List of String) Tags that can be used to categorize the policy. ### Read-Only -- `created` (Set of Object) Information regarding the policy creation. (see [below for nested schema](#nestedatt--created)) -- `id` (String) The resource identifier. It is a composed ID that follows the format `{category}/{policy_id}`. -- `last_updated` (Set of Object) Information regarding the policy last update. (see [below for nested schema](#nestedatt--last_updated)) -- `policy_id` (String) ID of this rego policy instance in Cyral environment. +- `created` (Set of Object) Information regarding the policy creation. (see [below for nested schema](#nestedatt--created)) +- `id` (String) The resource identifier. It is a composed ID that follows the format `{category}/{policy_id}`. +- `last_updated` (Set of Object) Information regarding the policy last update. (see [below for nested schema](#nestedatt--last_updated)) +- `policy_id` (String) ID of this rego policy instance in Cyral environment. 
@@ -214,7 +214,7 @@ All templates use parameters defined as JSON, below is a list of all the corresp Required: -- `repo_ids` (List of String) A list of repository identifiers that belongs to the policy scope. The policy will be applied at repo-level for every repository ID included in this list. This is equivalent of creating a repo-level policy in the UI for a given repository. +- `repo_ids` (List of String) A list of repository identifiers that belongs to the policy scope. The policy will be applied at repo-level for every repository ID included in this list. This is equivalent of creating a repo-level policy in the UI for a given repository. @@ -222,9 +222,9 @@ Required: Read-Only: -- `actor` (String) -- `actor_type` (String) -- `timestamp` (String) +- `actor` (String) +- `actor_type` (String) +- `timestamp` (String) @@ -232,6 +232,6 @@ Read-Only: Read-Only: -- `actor` (String) -- `actor_type` (String) -- `timestamp` (String) +- `actor` (String) +- `actor_type` (String) +- `timestamp` (String) diff --git a/docs/resources/repository.md b/docs/resources/repository.md index a1cbf55f..e03a63dd 100644 --- a/docs/resources/repository.md +++ b/docs/resources/repository.md 
@@ -11,8 +11,8 @@ This module provides the repository configuration options as shown in Cyral UI. More complex examples using `cyral_repository` resource are available in the `Guides` section: -- [Create an AWS EC2 sidecar to protect PostgreSQL and MySQL databases](https://registry.terraform.io/providers/cyralinc/cyral/latest/docs/guides/setup_cp_and_deploy_sidecar) -- [Setup SSO access to MongoDB cluster using Okta IdP](https://registry.terraform.io/providers/cyralinc/cyral/latest/docs/guides/mongodb_cluster_okta_idp) +- [Create an AWS EC2 sidecar to protect PostgreSQL and MySQL databases](https://registry.terraform.io/providers/cyralinc/cyral/latest/docs/guides/setup_cp_and_deploy_sidecar) +- [Setup SSO access to MongoDB cluster using Okta IdP](https://registry.terraform.io/providers/cyralinc/cyral/latest/docs/guides/mongodb_cluster_okta_idp) ```terraform ### Minimal Repository 
@@ -89,33 +89,33 @@ resource "cyral_repository" "multi_node_mongo_repo" { ### Required -- `name` (String) Repository name that will be used internally in the control plane (ex: `your_repo_name`). -- `repo_node` (Block List, Min: 1) List of nodes for this repository. (see [below for nested schema](#nestedblock--repo_node)) -- `type` (String) Repository type. List of supported types: - - `denodo` - - `dremio` - - `dynamodb` - - `dynamodbstreams` - - `galera` - - `mariadb` - - `mongodb` - - `mysql` - - `oracle` - - `postgresql` - - `redshift` - - `s3` - - `snowflake` - - `sqlserver` +- `name` (String) Repository name that will be used internally in the control plane (ex: `your_repo_name`). +- `repo_node` (Block List, Min: 1) List of nodes for this repository. (see [below for nested schema](#nestedblock--repo_node)) +- `type` (String) Repository type. List of supported types: + - `denodo` + - `dremio` + - `dynamodb` + - `dynamodbstreams` + - `galera` + - `mariadb` + - `mongodb` + - `mysql` + - `oracle` + - `postgresql` + - `redshift` + - `s3` + - `snowflake` + - `sqlserver` ### Optional -- `connection_draining` (Block Set, Max: 1) Parameters related to connection draining. (see [below for nested schema](#nestedblock--connection_draining)) -- `labels` (List of String) Labels enable you to categorize your repository. -- `mongodb_settings` (Block Set, Max: 1) Parameters related to MongoDB repositories. (see [below for nested schema](#nestedblock--mongodb_settings)) +- `connection_draining` (Block Set, Max: 1) Parameters related to connection draining. (see [below for nested schema](#nestedblock--connection_draining)) +- `labels` (List of String) Labels enable you to categorize your repository. +- `mongodb_settings` (Block Set, Max: 1) Parameters related to MongoDB repositories. (see [below for nested schema](#nestedblock--mongodb_settings)) ### Read-Only -- `id` (String) ID of this resource in Cyral environment. +- `id` (String) ID of this resource in Cyral environment. 
@@ -123,15 +123,15 @@ resource "cyral_repository" "multi_node_mongo_repo" { Optional: -- `dynamic` (Boolean) _Only supported for MongoDB in cluster configurations._ - Indicates if the node is dynamically discovered, meaning that the sidecar will query the cluster to get the topology information and discover the addresses of the dynamic nodes. If set to `true`, `host` and `port` must be empty. A node with value of this field as false considered `static`. - The following conditions apply: - - The total number of declared `repo_node` blocks must match the actual number of nodes in the cluster. - - If there are static nodes in the configuration, they must be declared before all dynamic nodes. - - See the MongoDB-specific configuration in the [mongodb_settings](#nested-schema-for-mongodb_settings). -- `host` (String) Repo node host (ex: `somerepo.cyral.com`). Can be empty if node is dynamic. -- `name` (String) Name of the repo node. -- `port` (Number) Repository access port (ex: `3306`). Can be empty if node is dynamic. +- `dynamic` (Boolean) _Only supported for MongoDB in cluster configurations._ + Indicates if the node is dynamically discovered, meaning that the sidecar will query the cluster to get the topology information and discover the addresses of the dynamic nodes. If set to `true`, `host` and `port` must be empty. A node with value of this field as false considered `static`. + The following conditions apply: + - The total number of declared `repo_node` blocks must match the actual number of nodes in the cluster. + - If there are static nodes in the configuration, they must be declared before all dynamic nodes. + - See the MongoDB-specific configuration in the [mongodb_settings](#nested-schema-for-mongodb_settings). +- `host` (String) Repo node host (ex: `somerepo.cyral.com`). Can be empty if node is dynamic. +- `name` (String) Name of the repo node. +- `port` (Number) Repository access port (ex: `3306`). Can be empty if node is dynamic. 
@@ -139,8 +139,8 @@ Optional: Optional: -- `auto` (Boolean) Whether connections should be drained automatically after a listener dies. -- `wait_time` (Number) Seconds to wait to let connections drain before starting to kill all the connections, if auto is set to true. +- `auto` (Boolean) Whether connections should be drained automatically after a listener dies. +- `wait_time` (Number) Seconds to wait to let connections drain before starting to kill all the connections, if auto is set to true. 
@@ -148,30 +148,30 @@ Optional: Required: -- `server_type` (String) Type of the MongoDB server. Allowed values: +- `server_type` (String) Type of the MongoDB server. Allowed values: - - `replicaset` - - `standalone` - - `sharded` + - `replicaset` + - `standalone` + - `sharded` - The following conditions apply: + The following conditions apply: - - If `sharded` and `srv_record_name` _not_ provided, then all `repo_node` blocks must be static (see [`dynamic`](#dynamic)). - - If `sharded` and `srv_record_name` provided, then all `repo_node` blocks must be dynamic (see [`dynamic`](#dynamic)). - - If `standalone`, then only one `repo_node` block can be declared and it must be static (see [`dynamic`](#dynamic)). The `srv_record_name` is not supported in this configuration. - - If `replicaset` and `srv_record_name` _not_ provided, then `repo_node` blocks may mix dynamic and static nodes (see [`dynamic`](#dynamic)). - - If `replicaset` and `srv_record_name` provided, then `repo_node` blocks must be dynamic (see [`dynamic`](#dynamic)). + - If `sharded` and `srv_record_name` _not_ provided, then all `repo_node` blocks must be static (see [`dynamic`](#dynamic)). + - If `sharded` and `srv_record_name` provided, then all `repo_node` blocks must be dynamic (see [`dynamic`](#dynamic)). + - If `standalone`, then only one `repo_node` block can be declared and it must be static (see [`dynamic`](#dynamic)). The `srv_record_name` is not supported in this configuration. + - If `replicaset` and `srv_record_name` _not_ provided, then `repo_node` blocks may mix dynamic and static nodes (see [`dynamic`](#dynamic)). + - If `replicaset` and `srv_record_name` provided, then `repo_node` blocks must be dynamic (see [`dynamic`](#dynamic)). Optional: -- `flavor` (String) The flavor of the MongoDB deployment. Allowed values: +- `flavor` (String) The flavor of the MongoDB deployment. 
Allowed values: - - `mongodb` - - `documentdb` + - `mongodb` + - `documentdb` - The following conditions apply: + The following conditions apply: - - The `documentdb` flavor cannot be combined with the MongoDB Server type `sharded`. + - The `documentdb` flavor cannot be combined with the MongoDB Server type `sharded`. -- `replica_set_name` (String) Name of the replica set, if applicable. -- `srv_record_name` (String) Name of a DNS SRV record which contains cluster topology details. If specified, then all `repo_node` blocks must be declared dynamic (see [`dynamic`](#dynamic)). Only supported for `server_type="sharded"` or `server_type="replicaset". +- `replica_set_name` (String) Name of the replica set, if applicable. +- `srv_record_name` (String) Name of a DNS SRV record which contains cluster topology details. If specified, then all `repo_node` blocks must be declared dynamic (see [`dynamic`](#dynamic)). Only supported for `server_type="sharded"` or `server_type="replicaset". diff --git a/docs/resources/repository_access_gateway.md b/docs/resources/repository_access_gateway.md index ef3e2a5e..b076011f 100644 --- a/docs/resources/repository_access_gateway.md +++ b/docs/resources/repository_access_gateway.md 
@@ -58,10 +58,10 @@ resource "cyral_repository_access_gateway" "access_gateway" { ### Required -- `binding_id` (String) ID of the binding that will be set as the access gateway for the given repository. Note that modifications to this field will result in terraform replacing the given access gateway resource, since the access gateway must be deleted before binding. -- `repository_id` (String) ID of the repository the access gateway is associated with. This is also the import ID for this resource. -- `sidecar_id` (String) ID of the sidecar that will be set as the access gateway for the given repository. +- `binding_id` (String) ID of the binding that will be set as the access gateway for the given repository. Note that modifications to this field will result in terraform replacing the given access gateway resource, since the access gateway must be deleted before binding. +- `repository_id` (String) ID of the repository the access gateway is associated with. This is also the import ID for this resource. +- `sidecar_id` (String) ID of the sidecar that will be set as the access gateway for the given repository. ### Read-Only -- `id` (String) The ID of this resource. +- `id` (String) The ID of this resource. diff --git a/docs/resources/repository_access_rules.md b/docs/resources/repository_access_rules.md index 433dae6a..02b72e50 100644 --- a/docs/resources/repository_access_rules.md +++ b/docs/resources/repository_access_rules.md 
@@ -51,13 +51,13 @@ resource "cyral_repository_access_rules" "some_resource_name" { ### Required -- `repository_id` (String) ID of the repository. -- `rule` (Block List, Min: 1) An ordered list of access rules. (see [below for nested schema](#nestedblock--rule)) -- `user_account_id` (String) ID of the database account. This should be the attribute `user_account_id` of the resource `cyral_repository_user_account`. +- `repository_id` (String) ID of the repository. +- `rule` (Block List, Min: 1) An ordered list of access rules. (see [below for nested schema](#nestedblock--rule)) +- `user_account_id` (String) ID of the database account. This should be the attribute `user_account_id` of the resource `cyral_repository_user_account`. ### Read-Only -- `id` (String) ID of this resource in Cyral environment. +- `id` (String) ID of this resource in Cyral environment. 
@@ -65,13 +65,13 @@ resource "cyral_repository_access_rules" "some_resource_name" { Required: -- `identity` (Block Set, Min: 1, Max: 1) The identity of the person/group getting access. (see [below for nested schema](#nestedblock--rule--identity)) +- `identity` (Block Set, Min: 1, Max: 1) The identity of the person/group getting access. (see [below for nested schema](#nestedblock--rule--identity)) Optional: -- `config` (Block Set, Max: 1) Extra (optional) configuration parameters. (see [below for nested schema](#nestedblock--rule--config)) -- `valid_from` (String) The start time for the grant. Format is: `yyyy-mm-ddThh:mm:ssZ`. Eg. `2022-01-24T18:30:00Z`. -- `valid_until` (String) The end time for the grant. Format is: `yyyy-mm-ddThh:mm:ssZ`. Eg. `2022-01-24T18:30:00Z`. +- `config` (Block Set, Max: 1) Extra (optional) configuration parameters. (see [below for nested schema](#nestedblock--rule--config)) +- `valid_from` (String) The start time for the grant. Format is: `yyyy-mm-ddThh:mm:ssZ`. Eg. `2022-01-24T18:30:00Z`. +- `valid_until` (String) The end time for the grant. Format is: `yyyy-mm-ddThh:mm:ssZ`. Eg. `2022-01-24T18:30:00Z`. @@ -79,11 +79,11 @@ Optional: Required: -- `name` (String) The name of the person/group getting access. -- `type` (String) Identity type. List of supported values: - - `username` - - `email` - - `group` +- `name` (String) The name of the person/group getting access. +- `type` (String) Identity type. List of supported values: + - `username` + - `email` + - `group` @@ -91,4 +91,4 @@ Required: Required: -- `policy_ids` (List of String) Extra authorization policies, such as PagerDuty or DUO. Use the attribute `id` from resources `cyral_integration_pager_duty` and `cyral_integration_mfa_duo`. +- `policy_ids` (List of String) Extra authorization policies, such as PagerDuty or DUO. Use the attribute `id` from resources `cyral_integration_pager_duty` and `cyral_integration_mfa_duo`. 
diff --git a/docs/resources/repository_binding.md b/docs/resources/repository_binding.md index 32a50d79..0b9e82e7 100644 --- a/docs/resources/repository_binding.md +++ b/docs/resources/repository_binding.md @@ -75,18 +75,18 @@ resource "cyral_repository_binding" "binding_pg" { ### Required -- `listener_binding` (Block List, Min: 1) The configuration for listeners associated with the binding. At least one `listener_binding` is required. (see [below for nested schema](#nestedblock--listener_binding)) -- `repository_id` (String) ID of the repository that will be bound to the sidecar. -- `sidecar_id` (String) ID of the sidecar that will be bound to the given repository. +- `listener_binding` (Block List, Min: 1) The configuration for listeners associated with the binding. At least one `listener_binding` is required. (see [below for nested schema](#nestedblock--listener_binding)) +- `repository_id` (String) ID of the repository that will be bound to the sidecar. +- `sidecar_id` (String) ID of the sidecar that will be bound to the given repository. ### Optional -- `enabled` (Boolean) Enable or disable all listener bindings. +- `enabled` (Boolean) Enable or disable all listener bindings. ### Read-Only -- `binding_id` (String) ID of the binding. Computed and assigned to binding at the time of creation. -- `id` (String) The ID of this resource. +- `binding_id` (String) ID of the binding. Computed and assigned to binding at the time of creation. +- `id` (String) The ID of this resource. @@ -94,8 +94,8 @@ resource "cyral_repository_binding" "binding_pg" { Required: -- `listener_id` (String) The sidecar listener that this binding is associated with. +- `listener_id` (String) The sidecar listener that this binding is associated with. Optional: -- `node_index` (Number) The index of the repo node that this binding is associated with. +- `node_index` (Number) The index of the repo node that this binding is associated with. 
diff --git a/docs/resources/repository_conf_analysis.md b/docs/resources/repository_conf_analysis.md index b57d9c30..92bd5fda 100644 --- a/docs/resources/repository_conf_analysis.md +++ b/docs/resources/repository_conf_analysis.md @@ -3,7 +3,7 @@ page_title: "cyral_repository_conf_analysis Resource - terraform-provider-cyral" subcategory: "" description: |- - Manages Repository Analysis Configuration. This resource allows configuring both Log Settings https://cyral.com/docs/manage-repositories/repo-log-volume and Advanced settings https://cyral.com/docs/manage-repositories/repo-advanced-settings (Logs, Alerts, Analysis and Enforcement) configurations for Data Repositories. + Manages Repository Analysis Configuration. This resource allows configuring both Log Settings https://cyral.com/docs/manage-repositories/repo-log-volume and Advanced settings https://cyral.com/docs/manage-repositories/repo-advanced-settings (Logs, Alerts, Analysis and Enforcement) configurations for Data Repositories. --- # cyral_repository_conf_analysis (Resource) 
@@ -48,39 +48,39 @@ resource "cyral_repository_conf_analysis" "all_conf_analysis_disabled" { ### Required -- `repository_id` (String) The ID of an existing data repository resource that will be configured. +- `repository_id` (String) The ID of an existing data repository resource that will be configured. ### Optional -- `alert_on_violation` (Boolean) If set to `true` it will enable alert on policy violations. -- `block_on_violation` (Boolean) If set to `true` it will enable query blocking in case of a policy violation. -- `comment_annotation_groups` (Set of String) Valid values are: `identity`, `client`, `repo`, `sidecar`. The default behavior is to set only the `identity` when this option is enabled, but you can also opt to add the contents of `client`, `repo`, `sidecar` logging blocks as query comments. [Learn more](https://support.cyral.com/support/solutions/articles/44002218978). -- `disable_filter_analysis` (Boolean) If set to `true` it will _disable_ filter analysis. -- `disable_pre_configured_alerts` (Boolean) If set to `true` it will _disable_ preconfigured alerts. -- `enable_data_masking` (Boolean) If set to `true` it will allow policies to force the masking of specified data fields in the results of queries. [Learn more](https://cyral.com/docs/using-cyral/masking/). -- `enable_dataset_rewrites` (Boolean) If set to `true` it will enable rewriting queries. -- `log_groups` (Set of String) Responsible for configuring the Log Settings. Valid values are documented below. The `log_groups` list support the following values: - - `everything` - Enables all the Log Settings. - - `dql` - Enables the `DQLs` setting for `all requests`. - - `dml` - Enables the `DMLs` setting for `all requests`. - - `ddl` - Enables the `DDLs` setting for `all requests`. - - `sensitive & dql` - Enables the `DQLs` setting for `logged fields`. - - `sensitive & dml` - Enables the `DMLs` setting for `logged fields`. - - `sensitive & ddl` - Enables the `DDLs` setting for `logged fields`. 
- - `privileged` - Enables the `Privileged commands` setting. - - `port-scan` - Enables the `Port scans` setting. - - `auth-failure` - Enables the `Authentication failures` setting. - - `full-table-scan` - Enables the `Full scans` setting. - - `violations` - Enables the `Policy violations` setting. - - `connections` - Enables the `Connection activity` setting. - - `sensitive` - Log all queries manipulating sensitive fields (watches) - - `data-classification` - Log all queries whose response was automatically classified as sensitive (credit card numbers, emails and so on). - - `audit` - Log `sensitive`, `DQLs`, `DDLs`, `DMLs` and `privileged`. - - `error` - Log analysis errors. - - `new-connections` - Log new connections. - - `closed-connections` - Log closed connections. -- `redact` (String) Valid values are: `all`, `none` and `watched`. If set to `all` it will enable the redact of all literal values, `none` will disable it, and `watched` will only redact values from tracked fields set in the Datamap. +- `alert_on_violation` (Boolean) If set to `true` it will enable alert on policy violations. +- `block_on_violation` (Boolean) If set to `true` it will enable query blocking in case of a policy violation. +- `comment_annotation_groups` (Set of String) Valid values are: `identity`, `client`, `repo`, `sidecar`. The default behavior is to set only the `identity` when this option is enabled, but you can also opt to add the contents of `client`, `repo`, `sidecar` logging blocks as query comments. [Learn more](https://support.cyral.com/support/solutions/articles/44002218978). +- `disable_filter_analysis` (Boolean) If set to `true` it will _disable_ filter analysis. +- `disable_pre_configured_alerts` (Boolean) If set to `true` it will _disable_ preconfigured alerts. +- `enable_data_masking` (Boolean) If set to `true` it will allow policies to force the masking of specified data fields in the results of queries. [Learn more](https://cyral.com/docs/using-cyral/masking/). 
+- `enable_dataset_rewrites` (Boolean) If set to `true` it will enable rewriting queries. +- `log_groups` (Set of String) Responsible for configuring the Log Settings. Valid values are documented below. The `log_groups` list support the following values: + - `everything` - Enables all the Log Settings. + - `dql` - Enables the `DQLs` setting for `all requests`. + - `dml` - Enables the `DMLs` setting for `all requests`. + - `ddl` - Enables the `DDLs` setting for `all requests`. + - `sensitive & dql` - Enables the `DQLs` setting for `logged fields`. + - `sensitive & dml` - Enables the `DMLs` setting for `logged fields`. + - `sensitive & ddl` - Enables the `DDLs` setting for `logged fields`. + - `privileged` - Enables the `Privileged commands` setting. + - `port-scan` - Enables the `Port scans` setting. + - `auth-failure` - Enables the `Authentication failures` setting. + - `full-table-scan` - Enables the `Full scans` setting. + - `violations` - Enables the `Policy violations` setting. + - `connections` - Enables the `Connection activity` setting. + - `sensitive` - Log all queries manipulating sensitive fields (watches) + - `data-classification` - Log all queries whose response was automatically classified as sensitive (credit card numbers, emails and so on). + - `audit` - Log `sensitive`, `DQLs`, `DDLs`, `DMLs` and `privileged`. + - `error` - Log analysis errors. + - `new-connections` - Log new connections. + - `closed-connections` - Log closed connections. +- `redact` (String) Valid values are: `all`, `none` and `watched`. If set to `all` it will enable the redact of all literal values, `none` will disable it, and `watched` will only redact values from tracked fields set in the Datamap. ### Read-Only -- `id` (String) ID of this resource in Cyral environment +- `id` (String) ID of this resource in Cyral environment diff --git a/docs/resources/repository_conf_auth.md b/docs/resources/repository_conf_auth.md index f42bfcca..8a089fdf 100644 
--- a/docs/resources/repository_conf_auth.md +++ b/docs/resources/repository_conf_auth.md @@ -22,18 +22,18 @@ resource "cyral_repository_conf_auth" "some_resource_name" { ### Required -- `repository_id` (String) The ID of the repository to be configured. +- `repository_id` (String) The ID of the repository to be configured. ### Optional -- `allow_native_auth` (Boolean) Should the communication allow native authentication? -- `auth_type` (String) Authentication type for this repository. **Note**: `AWS_IAM` is currently only supported by `mongodb` repo type. List of supported values: - - `ACCESS_TOKEN` - - `AWS_IAM` -- `client_tls` (String) Is the repo Client using TLS? Default is "disable". -- `identity_provider` (String) The ID (Alias) of the identity provider integration. -- `repo_tls` (String) Is TLS enabled for the repository? Default is "disable". +- `allow_native_auth` (Boolean) Should the communication allow native authentication? +- `auth_type` (String) Authentication type for this repository. **Note**: `AWS_IAM` is currently only supported by `mongodb` repo type. List of supported values: + - `ACCESS_TOKEN` + - `AWS_IAM` +- `client_tls` (String) Is the repo Client using TLS? Default is "disable". +- `identity_provider` (String) The ID (Alias) of the identity provider integration. +- `repo_tls` (String) Is TLS enabled for the repository? Default is "disable". ### Read-Only -- `id` (String) The ID of this resource is set to `repository_id`. +- `id` (String) The ID of this resource is set to `repository_id`. diff --git a/docs/resources/repository_datamap.md b/docs/resources/repository_datamap.md index ef3209e0..3f779462 100644 --- a/docs/resources/repository_datamap.md +++ b/docs/resources/repository_datamap.md 
@@ -3,7 +3,7 @@ page_title: "cyral_repository_datamap Resource - terraform-provider-cyral" subcategory: "" description: |- - Manages Data Map https://cyral.com/docs/policy/datamap. + Manages Data Map https://cyral.com/docs/policy/datamap. --- # cyral_repository_datamap (Resource) @@ -65,12 +65,12 @@ resource "cyral_repository_datamap" "example-pg_datamap" { ### Required -- `mapping` (Block Set, Min: 1) Mapping of a label to a list of data locations (attributes). (see [below for nested schema](#nestedblock--mapping)) -- `repository_id` (String) ID of the repository for which to configure a data map. +- `mapping` (Block Set, Min: 1) Mapping of a label to a list of data locations (attributes). (see [below for nested schema](#nestedblock--mapping)) +- `repository_id` (String) ID of the repository for which to configure a data map. ### Read-Only -- `id` (String) The ID of this resource. +- `id` (String) The ID of this resource. @@ -78,8 +78,8 @@ resource "cyral_repository_datamap" "example-pg_datamap" { Required: -- `attributes` (List of String) List containing the specific locations of the data within the repo, following the pattern `{SCHEMA}.{TABLE}.{ATTRIBUTE}` (ex: `[your_schema_name.your_table_name.your_attr_name]`). +- `attributes` (List of String) List containing the specific locations of the data within the repo, following the pattern `{SCHEMA}.{TABLE}.{ATTRIBUTE}` (ex: `[your_schema_name.your_table_name.your_attr_name]`). -> When referencing data in Dremio repository, please include the complete location in `attributes`, separating spaces by dots. For example, an attribute `my_attr` from table `my_tbl` within space `inner_space` within space `outer_space` would be referenced as `outer_space.inner_space.my_tbl.my_attr`. For more information, please see the [Policy Guide](https://cyral.com/docs/reference/policy/). -- `label` (String) Label given to the attributes in this mapping. +- `label` (String) Label given to the attributes in this mapping. 
diff --git a/docs/resources/repository_network_access_policy.md b/docs/resources/repository_network_access_policy.md index 02e7411e..ef14bfb0 100644 --- a/docs/resources/repository_network_access_policy.md +++ b/docs/resources/repository_network_access_policy.md @@ -3,18 +3,18 @@ page_title: "cyral_repository_network_access_policy Resource - terraform-provider-cyral" subcategory: "" description: |- - Manages the network access policy of a repository. Network access policies are also known as the Network Shield https://cyral.com/docs/manage-repositories/network-shield/. This feature is supported for the following repository types: - - sqlserver - - oracle - -> Note If you also use the resource cyral_repository_conf_auth for the same repository, create a depends_on relationship from this resource to the cyral_repository_conf_auth to avoid errors when running terraform destroy. + Manages the network access policy of a repository. Network access policies are also known as the Network Shield https://cyral.com/docs/manage-repositories/network-shield/. This feature is supported for the following repository types: + - sqlserver + - oracle + -> Note If you also use the resource cyral_repository_conf_auth for the same repository, create a depends_on relationship from this resource to the cyral_repository_conf_auth to avoid errors when running terraform destroy. --- # cyral_repository_network_access_policy (Resource) Manages the network access policy of a repository. Network access policies are also known as the [Network Shield](https://cyral.com/docs/manage-repositories/network-shield/). This feature is supported for the following repository types: -- `sqlserver` -- `oracle` +- `sqlserver` +- `oracle` -> **Note** If you also use the resource `cyral_repository_conf_auth` for the same repository, create a `depends_on` relationship from this resource to the `cyral_repository_conf_auth` to avoid errors when running `terraform destroy`. 
@@ -65,17 +65,17 @@ resource "cyral_repository_network_access_policy" "access_policy" { ### Required -- `repository_id` (String) ID of the repository for which to configure a network access policy. +- `repository_id` (String) ID of the repository for which to configure a network access policy. ### Optional -- `enabled` (Boolean) Is the network access policy enabled? Default is true. -- `network_access_rule` (Block Set) Network access policy that decides whether access should be granted based on a set of rules. (see [below for nested schema](#nestedblock--network_access_rule)) -- `network_access_rules_block_access` (Boolean) Determines what happens if an incoming connection matches one of the rules in `network_access_rule`. If set to true, the connection is blocked if it matches some rule (and allowed otherwise). Otherwise set to false, the connection is allowed only if it matches some rule. Default is false. +- `enabled` (Boolean) Is the network access policy enabled? Default is true. +- `network_access_rule` (Block Set) Network access policy that decides whether access should be granted based on a set of rules. (see [below for nested schema](#nestedblock--network_access_rule)) +- `network_access_rules_block_access` (Boolean) Determines what happens if an incoming connection matches one of the rules in `network_access_rule`. If set to true, the connection is blocked if it matches some rule (and allowed otherwise). Otherwise set to false, the connection is allowed only if it matches some rule. Default is false. ### Read-Only -- `id` (String) ID of this resource in the Cyral environment. +- `id` (String) ID of this resource in the Cyral environment. 
@@ -83,10 +83,10 @@ resource "cyral_repository_network_access_policy" "access_policy" { Required: -- `name` (String) Name of the rule. +- `name` (String) Name of the rule. Optional: -- `db_accounts` (List of String) Specify which accounts this rule applies to. The account name must match an existing account in your database. -- `description` (String) Description of the network access policy. -- `source_ips` (List of String) Specify IPs to restrict the range of allowed IP addresses for this rule. +- `db_accounts` (List of String) Specify which accounts this rule applies to. The account name must match an existing account in your database. +- `description` (String) Description of the network access policy. +- `source_ips` (List of String) Specify IPs to restrict the range of allowed IP addresses for this rule. diff --git a/docs/resources/repository_user_account.md b/docs/resources/repository_user_account.md index f7c01926..389c2783 100644 --- a/docs/resources/repository_user_account.md +++ b/docs/resources/repository_user_account.md 
@@ -102,26 +102,26 @@ resource "cyral_repository_user_account" "kubernetes" { ### Required -- `auth_scheme` (Block List, Min: 1, Max: 1) Credential option. List of supported types: - - `aws_iam` - - `aws_secrets_manager` - - `cyral_storage` - - `hashicorp_vault` - - `environment_variable` - - `kubernetes_secret` - - `gcp_secrets_manager` (see [below for nested schema](#nestedblock--auth_scheme)) -- `name` (String) The name of the User Account. -- `repository_id` (String) ID of the repository. +- `auth_scheme` (Block List, Min: 1, Max: 1) Credential option. List of supported types: + - `aws_iam` + - `aws_secrets_manager` + - `cyral_storage` + - `hashicorp_vault` + - `environment_variable` + - `kubernetes_secret` + - `gcp_secrets_manager` (see [below for nested schema](#nestedblock--auth_scheme)) +- `name` (String) The name of the User Account. +- `repository_id` (String) ID of the repository. ### Optional -- `approval_config` (Block Set, Max: 1) Configurations related to Approvals. (see [below for nested schema](#nestedblock--approval_config)) -- `auth_database_name` (String) The database name that this User Account is scoped to, for `cyral_repository` types that support multiple databases. +- `approval_config` (Block Set, Max: 1) Configurations related to Approvals. (see [below for nested schema](#nestedblock--approval_config)) +- `auth_database_name` (String) The database name that this User Account is scoped to, for `cyral_repository` types that support multiple databases. ### Read-Only -- `id` (String) Terraform ID of this resource. Follows syntax `{repository_id}/{user_account_id}` -- `user_account_id` (String) ID of the user account. +- `id` (String) Terraform ID of this resource. Follows syntax `{repository_id}/{user_account_id}` +- `user_account_id` (String) ID of the user account. 
@@ -129,13 +129,13 @@ resource "cyral_repository_user_account" "kubernetes" { Optional: -- `aws_iam` (Block Set, Max: 1) Credential option to set the repository user account from AWS IAM. (see [below for nested schema](#nestedblock--auth_scheme--aws_iam)) -- `aws_secrets_manager` (Block Set, Max: 1) Credential option to set the repository user account from AWS Secrets Manager. (see [below for nested schema](#nestedblock--auth_scheme--aws_secrets_manager)) -- `cyral_storage` (Block Set, Max: 1) Credential option to set the repository user account from Cyral Storage. (see [below for nested schema](#nestedblock--auth_scheme--cyral_storage)) -- `environment_variable` (Block Set, Max: 1) Credential option to set the repository user account from Environment Variable. (see [below for nested schema](#nestedblock--auth_scheme--environment_variable)) -- `gcp_secrets_manager` (Block Set, Max: 1) Credential option to set the repository user account from GCP Secrets Manager. (see [below for nested schema](#nestedblock--auth_scheme--gcp_secrets_manager)) -- `hashicorp_vault` (Block Set, Max: 1) Credential option to set the repository user account from Hashicorp Vault. (see [below for nested schema](#nestedblock--auth_scheme--hashicorp_vault)) -- `kubernetes_secret` (Block Set, Max: 1) Credential option to set the repository user account from a Kubernetes secret. (see [below for nested schema](#nestedblock--auth_scheme--kubernetes_secret)) +- `aws_iam` (Block Set, Max: 1) Credential option to set the repository user account from AWS IAM. (see [below for nested schema](#nestedblock--auth_scheme--aws_iam)) +- `aws_secrets_manager` (Block Set, Max: 1) Credential option to set the repository user account from AWS Secrets Manager. (see [below for nested schema](#nestedblock--auth_scheme--aws_secrets_manager)) +- `cyral_storage` (Block Set, Max: 1) Credential option to set the repository user account from Cyral Storage. 
(see [below for nested schema](#nestedblock--auth_scheme--cyral_storage)) +- `environment_variable` (Block Set, Max: 1) Credential option to set the repository user account from Environment Variable. (see [below for nested schema](#nestedblock--auth_scheme--environment_variable)) +- `gcp_secrets_manager` (Block Set, Max: 1) Credential option to set the repository user account from GCP Secrets Manager. (see [below for nested schema](#nestedblock--auth_scheme--gcp_secrets_manager)) +- `hashicorp_vault` (Block Set, Max: 1) Credential option to set the repository user account from Hashicorp Vault. (see [below for nested schema](#nestedblock--auth_scheme--hashicorp_vault)) +- `kubernetes_secret` (Block Set, Max: 1) Credential option to set the repository user account from a Kubernetes secret. (see [below for nested schema](#nestedblock--auth_scheme--kubernetes_secret)) @@ -143,7 +143,7 @@ Optional: Required: -- `role_arn` (String) The AWS IAM roleARN to gain access to the database. +- `role_arn` (String) The AWS IAM roleARN to gain access to the database. @@ -151,7 +151,7 @@ Required: Required: -- `secret_arn` (String) The AWS Secrets Manager secretARN to gain access to the database. +- `secret_arn` (String) The AWS Secrets Manager secretARN to gain access to the database. @@ -159,7 +159,7 @@ Required: Required: -- `password` (String, Sensitive) The Cyral Storage password to gain access to the database. +- `password` (String, Sensitive) The Cyral Storage password to gain access to the database. @@ -167,7 +167,7 @@ Required: Required: -- `variable_name` (String) Name of the environment variable that will store credentials. +- `variable_name` (String) Name of the environment variable that will store credentials. @@ -175,7 +175,7 @@ Required: Required: -- `secret_name` (String) The unique identifier of the secret in GCP Secrets Manager. +- `secret_name` (String) The unique identifier of the secret in GCP Secrets Manager. 
@@ -183,8 +183,8 @@ Required: Required: -- `is_dynamic_user_account` (Boolean) Some Vault engines allow the dynamic creation of user accounts, meaning the username used to log in to the database may change from time to time. -- `path` (String) The location in the Vault where the database username and password may be retrieved. +- `is_dynamic_user_account` (Boolean) Some Vault engines allow the dynamic creation of user accounts, meaning the username used to log in to the database may change from time to time. +- `path` (String) The location in the Vault where the database username and password may be retrieved. @@ -192,8 +192,8 @@ Required: Required: -- `secret_key` (String) The key of the credentials JSON blob within the secret. -- `secret_name` (String) The unique identifier of the secret in Kubernetes. +- `secret_key` (String) The key of the credentials JSON blob within the secret. +- `secret_name` (String) The unique identifier of the secret in Kubernetes. @@ -201,5 +201,5 @@ Required: Required: -- `automatic_grant` (Boolean) If `true`, approvals can be automatically granted. -- `max_auto_grant_duration` (String) The maximum duration in seconds for approvals can be automatically granted. E.g.: `"2000s"`, `"3000.5s" +- `automatic_grant` (Boolean) If `true`, approvals can be automatically granted. +- `max_auto_grant_duration` (String) The maximum duration in seconds for approvals can be automatically granted. E.g.: `"2000s"`, `"3000.5s" diff --git a/docs/resources/role.md b/docs/resources/role.md index 186ec9e9..7f71a04a 100644 --- a/docs/resources/role.md +++ b/docs/resources/role.md 
@@ -3,7 +3,7 @@ page_title: "cyral_role Resource - terraform-provider-cyral" subcategory: "" description: |- - Manages roles for Cyral control plane users https://cyral.com/docs/account-administration/acct-manage-cyral-roles/#create-and-manage-administrator-roles-for-cyral-control-plane-users. See also: Role SSO Groups ./role_sso_groups.md. + Manages roles for Cyral control plane users https://cyral.com/docs/account-administration/acct-manage-cyral-roles/#create-and-manage-administrator-roles-for-cyral-control-plane-users. See also: Role SSO Groups ./role_sso_groups.md. --- # cyral_role (Resource) @@ -41,15 +41,15 @@ resource "cyral_role" "some_resource_name" { ### Required -- `name` (String) The name of the role. +- `name` (String) The name of the role. ### Optional -- `permissions` (Block Set, Max: 1) A block responsible for configuring the role permissions. (see [below for nested schema](#nestedblock--permissions)) +- `permissions` (Block Set, Max: 1) A block responsible for configuring the role permissions. (see [below for nested schema](#nestedblock--permissions)) ### Read-Only -- `id` (String) ID of this resource in Cyral environment +- `id` (String) ID of this resource in Cyral environment 
@@ -57,16 +57,16 @@ resource "cyral_role" "some_resource_name" { Optional: -- `approval_management` (Boolean) Allows approving or denying approval requests on Cyral Control Plane. Defaults to `false`. -- `modify_integrations` (Boolean) Allows modifying integrations on Cyral Control Plane. Defaults to `false`. -- `modify_policies` (Boolean) Allows modifying policies on Cyral Control Plane. Defaults to `false`. -- `modify_roles` (Boolean) Allows modifying roles on Cyral Control Plane. Defaults to `false`. -- `modify_sidecars_and_repositories` (Boolean) Allows modifying sidecars and repositories on Cyral Control Plane. Defaults to `false`. -- `modify_users` (Boolean) Allows modifying users on Cyral Control Plane. Defaults to `false`. -- `repo_crawler` (Boolean) Allows running the Cyral repo crawler data classifier and user discovery. Defaults to `false`. -- `view_audit_logs` (Boolean) Allows viewing audit logs on Cyral Control Plane. Defaults to `false`. -- `view_datamaps` (Boolean) Allows viewing datamaps on Cyral Control Plane. Defaults to `false`. -- `view_integrations` (Boolean) Allows viewing integrations on Cyral Control Plane. Defaults to `false`. -- `view_policies` (Boolean) Allows viewing policies on Cyral Control Plane. Defaults to `false`. -- `view_roles` (Boolean) Allows viewing roles on Cyral Control Plane. Defaults to `false`. -- `view_users` (Boolean) Allows viewing users on Cyral Control Plane. Defaults to `false`. +- `approval_management` (Boolean) Allows approving or denying approval requests on Cyral Control Plane. Defaults to `false`. +- `modify_integrations` (Boolean) Allows modifying integrations on Cyral Control Plane. Defaults to `false`. +- `modify_policies` (Boolean) Allows modifying policies on Cyral Control Plane. Defaults to `false`. +- `modify_roles` (Boolean) Allows modifying roles on Cyral Control Plane. Defaults to `false`. 
+- `modify_sidecars_and_repositories` (Boolean) Allows modifying sidecars and repositories on Cyral Control Plane. Defaults to `false`. +- `modify_users` (Boolean) Allows modifying users on Cyral Control Plane. Defaults to `false`. +- `repo_crawler` (Boolean) Allows running the Cyral repo crawler data classifier and user discovery. Defaults to `false`. +- `view_audit_logs` (Boolean) Allows viewing audit logs on Cyral Control Plane. Defaults to `false`. +- `view_datamaps` (Boolean) Allows viewing datamaps on Cyral Control Plane. Defaults to `false`. +- `view_integrations` (Boolean) Allows viewing integrations on Cyral Control Plane. Defaults to `false`. +- `view_policies` (Boolean) Allows viewing policies on Cyral Control Plane. Defaults to `false`. +- `view_roles` (Boolean) Allows viewing roles on Cyral Control Plane. Defaults to `false`. +- `view_users` (Boolean) Allows viewing users on Cyral Control Plane. Defaults to `false`. diff --git a/docs/resources/role_sso_groups.md b/docs/resources/role_sso_groups.md index 13581e0b..646f6087 100644 --- a/docs/resources/role_sso_groups.md +++ b/docs/resources/role_sso_groups.md @@ -3,7 +3,7 @@ page_title: "cyral_role_sso_groups Resource - terraform-provider-cyral" subcategory: "" description: |- - Manages mapping SSO groups to specific roles https://cyral.com/docs/account-administration/acct-manage-cyral-roles/#map-an-sso-group-to-a-cyral-administrator-role on Cyral control plane. See also: Role ./role.md. + Manages mapping SSO groups to specific roles https://cyral.com/docs/account-administration/acct-manage-cyral-roles/#map-an-sso-group-to-a-cyral-administrator-role on Cyral control plane. See also: Role ./role.md. --- # cyral_role_sso_groups (Resource) 
@@ -66,12 +66,12 @@ resource "cyral_role_sso_groups" "some_role_sso_groups" { ### Required -- `role_id` (String) The ID of the role resource that will be configured. -- `sso_group` (Block Set, Min: 1) A block responsible for mapping an SSO group to a role. (see [below for nested schema](#nestedblock--sso_group)) +- `role_id` (String) The ID of the role resource that will be configured. +- `sso_group` (Block Set, Min: 1) A block responsible for mapping an SSO group to a role. (see [below for nested schema](#nestedblock--sso_group)) ### Read-Only -- `id` (String) The ID of this resource. +- `id` (String) The ID of this resource. @@ -79,10 +79,10 @@ resource "cyral_role_sso_groups" "some_role_sso_groups" { Required: -- `group_name` (String) The name of the SSO group to be mapped. -- `idp_id` (String) The ID of the identity provider integration to be mapped. +- `group_name` (String) The name of the SSO group to be mapped. +- `idp_id` (String) The ID of the identity provider integration to be mapped. Read-Only: -- `id` (String) The ID of an SSO group mapping. -- `idp_name` (String) The name of the identity provider integration of an SSO group mapping. +- `id` (String) The ID of an SSO group mapping. +- `idp_name` (String) The name of the identity provider integration of an SSO group mapping. diff --git a/docs/resources/service_account.md b/docs/resources/service_account.md index eb886a98..81f1d97a 100644 --- a/docs/resources/service_account.md +++ b/docs/resources/service_account.md 
@@ -51,11 +51,11 @@ resource "cyral_service_account" "this" { ### Required -- `display_name` (String) The service account display name. -- `permission_ids` (Set of String) A list of permission IDs that will be assigned to this service account. See also data source [`cyral_permission`](../data-sources/permission.md). +- `display_name` (String) The service account display name. +- `permission_ids` (Set of String) A list of permission IDs that will be assigned to this service account. See also data source [`cyral_permission`](../data-sources/permission.md). ### Read-Only -- `client_id` (String) The service account client ID. -- `client_secret` (String, Sensitive) The service account client secret. **Note**: This resource is not able to recognize changes to the client secret after its creation, so keep in mind that if the client secret is rotated, the value present in this attribute will be outdated. If you need to rotate the client secret it's recommended that you recreate this terraform resource. -- `id` (String) The resource identifier. It's equal to `client_id`. +- `client_id` (String) The service account client ID. +- `client_secret` (String, Sensitive) The service account client secret. **Note**: This resource is not able to recognize changes to the client secret after its creation, so keep in mind that if the client secret is rotated, the value present in this attribute will be outdated. If you need to rotate the client secret it's recommended that you recreate this terraform resource. +- `id` (String) The resource identifier. It's equal to `client_id`. diff --git a/docs/resources/sidecar.md b/docs/resources/sidecar.md index 9da0dff3..4b7fa1f9 100644 --- a/docs/resources/sidecar.md +++ b/docs/resources/sidecar.md 
@@ -3,7 +3,7 @@ page_title: "cyral_sidecar Resource - terraform-provider-cyral" subcategory: "" description: |- - Manages sidecars https://cyral.com/docs/sidecars/sidecar-manage. + Manages sidecars https://cyral.com/docs/sidecars/sidecar-manage. --- # cyral_sidecar (Resource) 
@@ -28,22 +28,22 @@ resource "cyral_sidecar" "some_resource_name" { ### Required -- `deployment_method` (String) Deployment method that will be used by this sidecar (valid values: `docker`, `cft-ec2`, `terraform`, `helm3`, `automated`, `custom`, `terraformGKE`, `linux`, and `singleContainer`). -- `name` (String) Sidecar name that will be used internally in Control Plane (ex: `your_sidecar_name`). +- `deployment_method` (String) Deployment method that will be used by this sidecar (valid values: `docker`, `cft-ec2`, `terraform`, `helm3`, `automated`, `custom`, `terraformGKE`, `linux`, and `singleContainer`). +- `name` (String) Sidecar name that will be used internally in Control Plane (ex: `your_sidecar_name`). ### Optional -- `activity_log_integration_id` (String) ID of the log integration mapped to this sidecar, used for Cyral activity logs. -- `bypass_mode` (String) This argument lets you specify how to handle the connection in the event of an error in the sidecar during a user’s session. Valid modes are: `always`, `failover` or `never`. Defaults to `failover`. If `always` is specified, the sidecar will run in [passthrough mode](https://cyral.com/docs/sidecars/sidecar-manage#passthrough-mode). If `failover` is specified, the sidecar will run in [resiliency mode](https://cyral.com/docs/sidecars/sidecar-manage#resilient-mode-of-sidecar-operation). If `never` is specified and there is an error in the sidecar, connections to bound repositories will fail. -- `certificate_bundle_secrets` (Block Set, Max: 1, Deprecated) Certificate Bundle Secret is a configuration that holds data about the location of a particular TLS certificate bundle in a secrets manager. (see [below for nested schema](#nestedblock--certificate_bundle_secrets)) -- `diagnostic_log_integration_id` (String) ID of the log integration mapped to this sidecar, used for sidecar diagnostic logs. -- `labels` (List of String) Labels that can be attached to the sidecar and shown in the `Tags` field in the UI. 
-- `log_integration_id` (String, Deprecated) ID of the log integration mapped to this sidecar, used for Cyral activity logs. -- `user_endpoint` (String) User-defined endpoint (also referred as `alias`) that can be used to override the sidecar DNS endpoint shown in the UI. +- `activity_log_integration_id` (String) ID of the log integration mapped to this sidecar, used for Cyral activity logs. +- `bypass_mode` (String) This argument lets you specify how to handle the connection in the event of an error in the sidecar during a user’s session. Valid modes are: `always`, `failover` or `never`. Defaults to `failover`. If `always` is specified, the sidecar will run in [passthrough mode](https://cyral.com/docs/sidecars/sidecar-manage#passthrough-mode). If `failover` is specified, the sidecar will run in [resiliency mode](https://cyral.com/docs/sidecars/sidecar-manage#resilient-mode-of-sidecar-operation). If `never` is specified and there is an error in the sidecar, connections to bound repositories will fail. +- `certificate_bundle_secrets` (Block Set, Max: 1, Deprecated) Certificate Bundle Secret is a configuration that holds data about the location of a particular TLS certificate bundle in a secrets manager. (see [below for nested schema](#nestedblock--certificate_bundle_secrets)) +- `diagnostic_log_integration_id` (String) ID of the log integration mapped to this sidecar, used for sidecar diagnostic logs. +- `labels` (List of String) Labels that can be attached to the sidecar and shown in the `Tags` field in the UI. +- `log_integration_id` (String, Deprecated) ID of the log integration mapped to this sidecar, used for Cyral activity logs. +- `user_endpoint` (String) User-defined endpoint (also referred as `alias`) that can be used to override the sidecar DNS endpoint shown in the UI. ### Read-Only -- `id` (String) ID of this resource in Cyral environment +- `id` (String) ID of this resource in Cyral environment 
@@ -51,7 +51,7 @@ resource "cyral_sidecar" "some_resource_name" { Required: -- `sidecar` (Block Set, Min: 1, Max: 1) Certificate Bundle Secret for sidecar. (see [below for nested schema](#nestedblock--certificate_bundle_secrets--sidecar)) +- `sidecar` (Block Set, Min: 1, Max: 1) Certificate Bundle Secret for sidecar. (see [below for nested schema](#nestedblock--certificate_bundle_secrets--sidecar)) @@ -59,9 +59,9 @@ Required: Required: -- `secret_id` (String) Secret ID is the identifier or location for the secret that holds the certificate bundle. -- `type` (String) Type identifies the secret manager used to store the secret. Valid values are: `aws` and `k8s`. +- `secret_id` (String) Secret ID is the identifier or location for the secret that holds the certificate bundle. +- `type` (String) Type identifies the secret manager used to store the secret. Valid values are: `aws` and `k8s`. Optional: -- `engine` (String) Engine is the name of the engine used with the given secrets manager type, when applicable. +- `engine` (String) Engine is the name of the engine used with the given secrets manager type, when applicable. diff --git a/docs/resources/sidecar_credentials.md b/docs/resources/sidecar_credentials.md index e945c0f7..cc9da5f3 100644 --- a/docs/resources/sidecar_credentials.md +++ b/docs/resources/sidecar_credentials.md 
@@ -31,9 +31,9 @@ Where `PATH` is the path to the partial configuration file. See also: -- [Remote Backends](https://www.terraform.io/docs/language/settings/backends/remote.html) -- [S3 remote backend](https://www.terraform.io/docs/language/settings/backends/s3.html) -- [Partial Configuration](https://www.terraform.io/docs/language/settings/backends/configuration.html#partial-configuration) +- [Remote Backends](https://www.terraform.io/docs/language/settings/backends/remote.html) +- [S3 remote backend](https://www.terraform.io/docs/language/settings/backends/s3.html) +- [Partial Configuration](https://www.terraform.io/docs/language/settings/backends/configuration.html#partial-configuration) ~> **Warning** Importing this resource into the Terraform state is not recommended, since the `client_secret` computed attribute will not be set. `client_secret` @@ -53,10 +53,10 @@ resource "cyral_sidecar_credentials" "some_resource_name" { ### Required -- `sidecar_id` (String) ID of the sidecar to create new credentials. +- `sidecar_id` (String) ID of the sidecar to create new credentials. ### Read-Only -- `client_id` (String) Sidecar client ID. -- `client_secret` (String, Sensitive) Sidecar client secret. -- `id` (String) Same as `client_id`. +- `client_id` (String) Sidecar client ID. +- `client_secret` (String, Sensitive) Sidecar client secret. +- `id` (String) Same as `client_id`. diff --git a/docs/resources/sidecar_listener.md b/docs/resources/sidecar_listener.md index eff52bd4..6fd0db9a 100644 --- a/docs/resources/sidecar_listener.md +++ b/docs/resources/sidecar_listener.md 
@@ -83,35 +83,35 @@ resource "cyral_sidecar_listener" "listener_dynamodb" { ### Required -- `network_address` (Block Set, Min: 1, Max: 1) The network address that the sidecar listens on. (see [below for nested schema](#nestedblock--network_address)) -- `repo_types` (List of String) List of repository types that the listener supports. Currently limited to one repo type from supported repo types: - - `denodo` - - `dremio` - - `dynamodb` - - `dynamodbstreams` - - `galera` - - `mariadb` - - `mongodb` - - `mysql` - - `oracle` - - `postgresql` - - `redshift` - - `s3` - - `snowflake` - - `sqlserver` -- `sidecar_id` (String) ID of the sidecar that the listener will be bound to. +- `network_address` (Block Set, Min: 1, Max: 1) The network address that the sidecar listens on. (see [below for nested schema](#nestedblock--network_address)) +- `repo_types` (List of String) List of repository types that the listener supports. Currently limited to one repo type from supported repo types: + - `denodo` + - `dremio` + - `dynamodb` + - `dynamodbstreams` + - `galera` + - `mariadb` + - `mongodb` + - `mysql` + - `oracle` + - `postgresql` + - `redshift` + - `s3` + - `snowflake` + - `sqlserver` +- `sidecar_id` (String) ID of the sidecar that the listener will be bound to. ### Optional -- `dynamodb_settings` (Block Set, Max: 1) DynamoDB settings. (see [below for nested schema](#nestedblock--dynamodb_settings)) -- `mysql_settings` (Block Set, Max: 1) MySQL settings represents the listener settings for a [`mysql`, `galera`, `mariadb`] data repository. (see [below for nested schema](#nestedblock--mysql_settings)) -- `s3_settings` (Block Set, Max: 1) S3 settings. (see [below for nested schema](#nestedblock--s3_settings)) -- `sqlserver_settings` (Block Set, Max: 1) SQL Server settings. (see [below for nested schema](#nestedblock--sqlserver_settings)) +- `dynamodb_settings` (Block Set, Max: 1) DynamoDB settings. 
(see [below for nested schema](#nestedblock--dynamodb_settings)) +- `mysql_settings` (Block Set, Max: 1) MySQL settings represents the listener settings for a [`mysql`, `galera`, `mariadb`] data repository. (see [below for nested schema](#nestedblock--mysql_settings)) +- `s3_settings` (Block Set, Max: 1) S3 settings. (see [below for nested schema](#nestedblock--s3_settings)) +- `sqlserver_settings` (Block Set, Max: 1) SQL Server settings. (see [below for nested schema](#nestedblock--sqlserver_settings)) ### Read-Only -- `id` (String) The ID of this resource. -- `listener_id` (String) ID of the listener that will be bound to the sidecar. +- `id` (String) The ID of this resource. +- `listener_id` (String) ID of the listener that will be bound to the sidecar. @@ -119,11 +119,11 @@ resource "cyral_sidecar_listener" "listener_dynamodb" { Required: -- `port` (Number) Port where the sidecar will listen for the given repository. +- `port` (Number) Port where the sidecar will listen for the given repository. Optional: -- `host` (String) Host where the sidecar will listen for the given repository, in the case where the sidecar is deployed on a host with multiple network interfaces. If omitted, the sidecar will assume the default "0.0.0.0" and listen on all network interfaces. +- `host` (String) Host where the sidecar will listen for the given repository, in the case where the sidecar is deployed on a host with multiple network interfaces. If omitted, the sidecar will assume the default "0.0.0.0" and listen on all network interfaces. 
@@ -131,7 +131,7 @@ Optional: Optional: -- `proxy_mode` (Boolean) DynamoDB proxy mode. Only relevant for listeners of type `dynamodb` or `dynamodbstreams` and must always be set to `true` for these listener types. Defaults to false. When `true`, instructs the sidecar to operate as an HTTP Proxy server. Client applications need to be explicitly configured to send the traffic through an HTTP proxy server, represented by the Cyral sidecar endpoint + the DynamoDB listening port. It is indicated when connecting from CLI applications, such as `aws cli`, or through the AWS SDK.Setting this value to `false` for the `dynamodb` and `dynamodbstreams` listeners types is currently not allowed and is reserved for future use. +- `proxy_mode` (Boolean) DynamoDB proxy mode. Only relevant for listeners of type `dynamodb` or `dynamodbstreams` and must always be set to `true` for these listener types. Defaults to false. When `true`, instructs the sidecar to operate as an HTTP Proxy server. Client applications need to be explicitly configured to send the traffic through an HTTP proxy server, represented by the Cyral sidecar endpoint + the DynamoDB listening port. It is indicated when connecting from CLI applications, such as `aws cli`, or through the AWS SDK.Setting this value to `false` for the `dynamodb` and `dynamodbstreams` listeners types is currently not allowed and is reserved for future use. 
@@ -139,8 +139,8 @@ Optional: Optional: -- `character_set` (String) MySQL character set. Optional (and only relevant) for listeners of types `mysql` and `mariadb`. The sidecar automatically derives this value out of the server version specified in the dbVersion field. This field should only be populated if the database was configured, at deployment time, to use a global character set different from the database default. The char set is extracted from the collation informed. The list of possible collations can be extracted from the column `collation` by running the command `SHOW COLLATION` in the target database. -- `db_version` (String) MySQL advertised DB version. Required (and only relevant) for listeners of types `mysql` and `mariadb`. This value represents the MySQL/MariaDB server version that the Cyral sidecar will use to present itself to client applications. Different applications, especially JDBC-based ones, may behave differently according to the version of the database they are connecting to. It is crucial that version value specified in this field to be either the same value as the underlying database version, or to be a compatible one. For a compatibility reference, refer to our [public docs](https://cyral.com/docs/sidecars/manage/bind-repo). Example values: `"5.7.3"`, `"8.0.4"` or `"10.2.1"`. +- `character_set` (String) MySQL character set. Optional (and only relevant) for listeners of types `mysql` and `mariadb`. The sidecar automatically derives this value out of the server version specified in the dbVersion field. This field should only be populated if the database was configured, at deployment time, to use a global character set different from the database default. The char set is extracted from the collation informed. The list of possible collations can be extracted from the column `collation` by running the command `SHOW COLLATION` in the target database. +- `db_version` (String) MySQL advertised DB version. 
Required (and only relevant) for listeners of types `mysql` and `mariadb`. This value represents the MySQL/MariaDB server version that the Cyral sidecar will use to present itself to client applications. Different applications, especially JDBC-based ones, may behave differently according to the version of the database they are connecting to. It is crucial that version value specified in this field to be either the same value as the underlying database version, or to be a compatible one. For a compatibility reference, refer to our [public docs](https://cyral.com/docs/sidecars/manage/bind-repo). Example values: `"5.7.3"`, `"8.0.4"` or `"10.2.1"`. 
@@ -148,7 +148,7 @@ Optional: Optional: -- `proxy_mode` (Boolean) S3 proxy mode. Only relevant for S3 listeners. Allowed values: [true, false]. Defaults to `false`. When `true`, instructs the sidecar to operate as an HTTP Proxy server. Client applications need to be explicitly configured to send the traffic through an HTTP proxy server, represented by the Cyral sidecar endpoint + the S3 listening port. It is indicated when connecting from CLI applications, such as `aws cli`, or through the AWS SDK. This listener mode is functional for client applications using either AWS native credentials, e.g. Access Key ID/Secret Access Key, or Cyral-Provided access tokens (Single Sign-On connections). When `false`, instructs the sidecar to mimic the actual behavior of AWS S3, meaning client applications will not be aware of a middleware HTTP proxy in the path to S3. This listener mode is only compatible with applications using Cyral-Provided access tokens and is must used when configuring the Cyral S3 Browser. This mode is currently not recommended for any other use besides the Cyral S3 Browser. +- `proxy_mode` (Boolean) S3 proxy mode. Only relevant for S3 listeners. Allowed values: [true, false]. Defaults to `false`. When `true`, instructs the sidecar to operate as an HTTP Proxy server. Client applications need to be explicitly configured to send the traffic through an HTTP proxy server, represented by the Cyral sidecar endpoint + the S3 listening port. It is indicated when connecting from CLI applications, such as `aws cli`, or through the AWS SDK. This listener mode is functional for client applications using either AWS native credentials, e.g. Access Key ID/Secret Access Key, or Cyral-Provided access tokens (Single Sign-On connections). When `false`, instructs the sidecar to mimic the actual behavior of AWS S3, meaning client applications will not be aware of a middleware HTTP proxy in the path to S3. 
This listener mode is only compatible with applications using Cyral-Provided access tokens and is must used when configuring the Cyral S3 Browser. This mode is currently not recommended for any other use besides the Cyral S3 Browser. @@ -156,4 +156,4 @@ Optional: Required: -- `version` (String) Advertised SQL Server version. Required (and only relevant) for Listeners of type 'sqlserver' The format of the version should be .. API will validate that the version is a valid version number. Major version is an integer in range 0-255. Minor version is an integer in range 0-255. Build number is an integer in range 0-65535. Example: 16.0.1000 To get the version of the SQL Server runtime, run the following query: SELECT SERVERPROPERTY('productversion') Note: If the query returns a four part version number, only the first three parts should be used. Example: 16.0.1000.6 -> 16.0.1000 +- `version` (String) Advertised SQL Server version. Required (and only relevant) for Listeners of type 'sqlserver' The format of the version should be .. API will validate that the version is a valid version number. Major version is an integer in range 0-255. Minor version is an integer in range 0-255. Build number is an integer in range 0-65535. Example: 16.0.1000 To get the version of the SQL Server runtime, run the following query: SELECT SERVERPROPERTY('productversion') Note: If the query returns a four part version number, only the first three parts should be used. Example: 16.0.1000.6 -> 16.0.1000
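Review bot: The `-`/`+` pairs in the role.md hunks (and every other hunk in this patch) carry identical visible text, so the change is whitespace-only and the commit message "Format docs" does not say which formatter produced it. State the tool and invocation in the commit message so a reviewer can reproduce the result, and if these files are regenerated from the provider schema, wire the formatter into that generation step so the next regeneration does not reintroduce the trailing whitespace this patch strips.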
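Review bot: In the service_account.md hunk, the `client_secret` note explains that rotation is not detected but not that the value persists in Terraform state; `(String, Sensitive)` only redacts plan and apply output, it does not encrypt the state file. Add a sentence saying the secret is stored in state and that the state backend must be protected accordingly, and capitalise "terraform resource" as "Terraform resource".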
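Review bot: In the sidecar_listener.md hunk at `@@ -131,7 +131,7 @@`, the `dynamodb_settings.proxy_mode` description is self-contradictory: it says "Defaults to false" and two sentences later that setting `false` for `dynamodb` and `dynamodbstreams` listeners "is currently not allowed". Since the default value is rejected, the text should say the argument must be set explicitly to `true` for these listener types. The same line also needs a space in "AWS SDK.Setting this value".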
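Review bot: In the sidecar_listener.md hunk at `@@ -148,7 +148,7 @@`, the `s3_settings.proxy_mode` description has a grammar error, "is must used when configuring the Cyral S3 Browser", which should read "must be used when configuring the Cyral S3 Browser". Since the text comes from the schema description, fix it at the source rather than in the generated markdown.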
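Review bot: In the sidecar_listener.md hunk at `@@ -156,4 +156,4 @@`, the `sqlserver_settings.version` description has lost its format placeholder and now reads "The format of the version should be .. API will validate", so the reader never sees the expected shape. The surrounding sentences name the three parts (major, minor, build), so write the format out as `major.minor.build` in plain text, or escape the angle brackets if the source used `<major>.<minor>.<build>`, and add the missing period after "Listeners of type 'sqlserver'".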