Merge pull request #32 from Infisical/mi-docs

(Docs): Documentation for machine identity auth
Infisical · Mar 19, 2024 · 32ef5d4 · 32ef5d4
2 parents c5464da + 2ccaeac
commit 32ef5d4
Show file tree

Hide file tree

Showing 11 changed files with 76 additions and 50 deletions.
diff --git a/README.md b/README.md
@@ -14,17 +14,20 @@ terraform {
 
 provider "infisical" {
   host          = "https://app.infisical.com" # Only required if using self hosted instance of Infisical, default is https://app.infisical.com
-  service_token = "<>" # Get token https://infisical.com/docs/documentation/platform/token
+  client_id     = "<>"
+  client_secret = "<>"
 }
 
 data "infisical_secrets" "common-secrets" {
-  env_slug    = "dev"
-  folder_path = "/some-folder/another-folder"
+  env_slug     = "dev"
+  workspace_id = "PROJECT_ID"
+  folder_path  = "/some-folder/another-folder"
 }
 
 data "infisical_secrets" "backend-secrets" {
-  env_slug    = "prod"
-  folder_path = "/"
+  env_slug     = "prod"
+  workspace_id = "PROJECT_ID"
+  folder_path  = "/"
 }
 
 output "all-project-secrets" {
@@ -34,7 +37,6 @@ output "all-project-secrets" {
 output "single-secret" {
   value = data.infisical_secrets.backend-secrets.secrets["SECRET-NAME"]
 }
-
 ```
 
 # Development  

diff --git a/docs/data-sources/secrets.md b/docs/data-sources/secrets.md
@@ -18,23 +18,27 @@ terraform {
     infisical = {
       # version = <latest version>
       source = "infisical/infisical"
+
     }
   }
 }
 
 provider "infisical" {
   host          = "https://app.infisical.com" # Only required if using self hosted instance of Infisical, default is https://app.infisical.com
-  service_token = "<>"
+  client_id     = "<>"
+  client_secret = "<>"
 }
 
 data "infisical_secrets" "common-secrets" {
-  env_slug    = "dev"
-  folder_path = "/some-folder/another-folder"
+  env_slug     = "dev"
+  workspace_id = "PROJECT_ID"
+  folder_path  = "/some-folder/another-folder"
 }
 
 data "infisical_secrets" "backend-secrets" {
-  env_slug    = "prod"
-  folder_path = "/"
+  env_slug     = "prod"
+  workspace_id = "PROJECT_ID"
+  folder_path  = "/"
 }
 
 output "all-project-secrets" {
@@ -54,6 +58,10 @@ output "single-secret" {
 - `env_slug` (String) The environment from where secrets should be fetched from
 - `folder_path` (String) The path to the folder from where secrets should be fetched from
 
+### Optional
+
+- `workspace_id` (String) The Infisical project ID (Required for Machine Identity auth, and service tokens with multiple scopes)
+
 ### Read-Only
 
 - `secrets` (Attributes Map) (see [below for nested schema](#nestedatt--secrets))

diff --git a/docs/index.md b/docs/index.md
@@ -18,13 +18,15 @@ terraform {
     infisical = {
       # version = <latest version>
       source = "infisical/infisical"
+
     }
   }
 }
 
 provider "infisical" {
   host          = "https://app.infisical.com" # Only required if using self hosted instance of Infisical, default is https://app.infisical.com
-  service_token = "<>"
+  client_id     = "<>"
+  client_secret = "<>"
 }
 ```
 
@@ -33,5 +35,7 @@ provider "infisical" {
 
 ### Optional
 
+- `client_id` (String, Sensitive) Machine identity client ID. Used to fetch/modify secrets for a given project
+- `client_secret` (String, Sensitive) Machine identity client secret. Used to fetch/modify secrets for a given project
 - `host` (String) Used to point the client to fetch secrets from your self hosted instance of Infisical. If not host is provided, https://app.infisical.com is the default host.
-- `service_token` (String, Sensitive) Used to fetch/modify secrets for a given project
+- `service_token` (String, Sensitive) (DEPRECATED, USE MACHINE IDENTITY), Used to fetch/modify secrets for a given project
diff --git a/docs/resources/secret.md b/docs/resources/secret.md
@@ -24,28 +24,32 @@ terraform {
 
 provider "infisical" {
   host          = "https://app.infisical.com" # Only required if using self hosted instance of Infisical, default is https://app.infisical.com
-  service_token = "<>"
+  client_id     = "<>"
+  client_secret = "<>"
 }
 
 resource "infisical_secret" "mongo_secret" {
-  name        = "MONGO_DB"
-  value       = "<some-key>"
-  env_slug    = "dev"
-  folder_path = "/"
+  name         = "MONGO_DB"
+  value        = "<some-key>"
+  env_slug     = "dev"
+  workspace_id = "PROJECT_ID"
+  folder_path  = "/"
 }
 
 resource "infisical_secret" "smtp_secret" {
-  name        = "SMTP"
-  value       = "<some key>"
-  env_slug    = "dev"
-  folder_path = "/mail-service"
+  name         = "SMTP"
+  value        = "<some key>"
+  env_slug     = "dev"
+  workspace_id = "PROJECT_ID"
+  folder_path  = "/mail-service"
 }
 
 resource "infisical_secret" "github_action_secret" {
-  name        = "GITHUB_ACTION"
-  value       = "<some value>"
-  env_slug    = "dev"
-  folder_path = "/"
+  name         = "GITHUB_ACTION"
+  value        = "<some value>"
+  env_slug     = "dev"
+  workspace_id = "PROJECT_ID"
+  folder_path  = "/"
 }
 ```
 
@@ -61,7 +65,7 @@ resource "infisical_secret" "github_action_secret" {
 
 ### Optional
 
-- `workspace_id` (String) The Infisical project ID
+- `workspace_id` (String) The Infisical project ID (Required for Machine Identity auth, and service tokens with multiple scopes)
 
 ### Read-Only
 

diff --git a/examples/data-sources/infisical_secrets/data-source.tf b/examples/data-sources/infisical_secrets/data-source.tf
@@ -9,17 +9,20 @@ terraform {
 
 provider "infisical" {
   host          = "https://app.infisical.com" # Only required if using self hosted instance of Infisical, default is https://app.infisical.com
-  service_token = "<>"
+  client_id     = "<>"
+  client_secret = "<>"
 }
 
 data "infisical_secrets" "common-secrets" {
-  env_slug    = "dev"
-  folder_path = "/some-folder/another-folder"
+  env_slug     = "dev"
+  workspace_id = "PROJECT_ID"
+  folder_path  = "/some-folder/another-folder"
 }
 
 data "infisical_secrets" "backend-secrets" {
-  env_slug    = "prod"
-  folder_path = "/"
+  env_slug     = "prod"
+  workspace_id = "PROJECT_ID"
+  folder_path  = "/"
 }
 
 output "all-project-secrets" {

diff --git a/examples/provider/provider.tf b/examples/provider/provider.tf
@@ -9,5 +9,6 @@ terraform {
 
 provider "infisical" {
   host          = "https://app.infisical.com" # Only required if using self hosted instance of Infisical, default is https://app.infisical.com
-  service_token = "<>"
+  client_id     = "<>"
+  client_secret = "<>"
 }
diff --git a/examples/resources/infisical_secret/resource.tf b/examples/resources/infisical_secret/resource.tf
@@ -9,26 +9,30 @@ terraform {
 
 provider "infisical" {
   host          = "https://app.infisical.com" # Only required if using self hosted instance of Infisical, default is https://app.infisical.com
-  service_token = "<>"
+  client_id     = "<>"
+  client_secret = "<>"
 }
 
 resource "infisical_secret" "mongo_secret" {
-  name        = "MONGO_DB"
-  value       = "<some-key>"
-  env_slug    = "dev"
-  folder_path = "/"
+  name         = "MONGO_DB"
+  value        = "<some-key>"
+  env_slug     = "dev"
+  workspace_id = "PROJECT_ID"
+  folder_path  = "/"
 }
 
 resource "infisical_secret" "smtp_secret" {
-  name        = "SMTP"
-  value       = "<some key>"
-  env_slug    = "dev"
-  folder_path = "/mail-service"
+  name         = "SMTP"
+  value        = "<some key>"
+  env_slug     = "dev"
+  workspace_id = "PROJECT_ID"
+  folder_path  = "/mail-service"
 }
 
 resource "infisical_secret" "github_action_secret" {
-  name        = "GITHUB_ACTION"
-  value       = "<some value>"
-  env_slug    = "dev"
-  folder_path = "/"
+  name         = "GITHUB_ACTION"
+  value        = "<some value>"
+  env_slug     = "dev"
+  workspace_id = "PROJECT_ID"
+  folder_path  = "/"
 }
diff --git a/infisical/provider/provider.go b/infisical/provider/provider.go
@@ -62,7 +62,7 @@ func (p *infisicalProvider) Schema(ctx context.Context, _ provider.SchemaRequest
 			"service_token": schema.StringAttribute{
 				Optional:    true,
 				Sensitive:   true,
-				Description: "Used to fetch/modify secrets for a given project",
+				Description: " (DEPRECATED, USE MACHINE IDENTITY), Used to fetch/modify secrets for a given project",
 			},
 
 			"client_id": schema.StringAttribute{

diff --git a/infisical/provider/secret_resource.go b/infisical/provider/secret_resource.go
@@ -68,7 +68,7 @@ func (r *secretResource) Schema(_ context.Context, _ resource.SchemaRequest, res
 				Computed:    false,
 			},
 			"workspace_id": schema.StringAttribute{
-				Description: "The Infisical project ID (Required for Machine Identity auth)",
+				Description: "The Infisical project ID (Required for Machine Identity auth, and service tokens with multiple scopes)",
 				Optional:    true,
 				Computed:    true,
 			},

diff --git a/infisical/provider/secrets_data_source.go b/infisical/provider/secrets_data_source.go
@@ -61,7 +61,7 @@ func (d *SecretsDataSource) Schema(ctx context.Context, req datasource.SchemaReq
 			},
 
 			"workspace_id": schema.StringAttribute{
-				Description: "The Infisical project ID (Required for Machine Identity auth)",
+				Description: "The Infisical project ID (Required for Machine Identity auth, and service tokens with multiple scopes)",
 				Optional:    true,
 				Computed:    true,
 			},

diff --git a/provider-install-verification/main.tf b/provider-install-verification/main.tf
@@ -1,7 +1,7 @@
 terraform {
   required_providers {
     infisical = {
-      source = "hashicorp.com/edu/infisical"
+      source = "infisical/infisical"
     }
   }
 }