Support hardware protected keys (#22)
areed authored Jul 31, 2024
1 parent ffa3e4e commit 465740b
Showing 37 changed files with 4,348 additions and 13,562 deletions.
2 changes: 1 addition & 1 deletion docs/data-sources/provisioner.md
Expand Up @@ -48,7 +48,7 @@ data "smallstep_provisioner" "by_id" {
- `jwk` (Attributes) A [provisioner](https://smallstep.com/docs/step-ca/provisioners/#jwk) that uses public-key cryptography to sign and validate a JSON Web Token (JWT). This object is populated when type is `JWK`. (see [below for nested schema](#nestedatt--jwk))
- `oidc` (Attributes) A [provisioner](https://smallstep.com/docs/step-ca/provisioners/#oauthoidc-single-sign-on) that is configured to trust and accept an OAuth provider's ID tokens for authentication. By default, the issued certificate will use the subject (sub) claim from the identity token as its subject. The value of the token's email claim is also included as an email SAN in the certificate. This object is populated when type is `OIDC`. (see [below for nested schema](#nestedatt--oidc))
- `options` (Attributes) Options that apply when issuing certificates with this provisioner. (see [below for nested schema](#nestedatt--options))
- `type` (String) The type of provisioner. Allowed values: `OIDC` `JWK` `ACME` `ACME_ATTESTATION` `X5C` `AWS` `GCP` `AZURE`
- `type` (String) The type of provisioner. Allowed values: `OIDC` `JWK` `ACME` `ACME_ATTESTATION` `X5C` `AWS` `GCP` `AZURE` `SCEP`
- `x5c` (Attributes) A [provisioner](https://smallstep.com/docs/step-ca/provisioners/#x5c---x509-certificate) that authenticates a certificate request with an existing x509 certificate. This object is populated when type is `X5C`. (see [below for nested schema](#nestedatt--x5c))

<a id="nestedatt--acme"></a>
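Review bot: `SCEP` is added to the allowed values of `type`, but the attribute list above has no `scep` nested block to match the `jwk`, `oidc` and `x5c` entries, so a reader cannot tell how a SCEP provisioner is represented by this data source; either document the nested `scep` attributes here or state that SCEP provisioners expose no type-specific attributes. This change is also unrelated to the commit's stated purpose (hardware protected keys) and would be easier to review as its own commit.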
2 changes: 1 addition & 1 deletion docs/resources/provisioner.md
Expand Up @@ -120,7 +120,7 @@ resource "smallstep_provisioner" "my_azure" {

- `authority_id` (String) The UUID of the authority this provisioner is attached to
- `name` (String) The name of the provisioner.
- `type` (String) The type of provisioner. Allowed values: `OIDC` `JWK` `ACME` `ACME_ATTESTATION` `X5C` `AWS` `GCP` `AZURE`
- `type` (String) The type of provisioner. Allowed values: `OIDC` `JWK` `ACME` `ACME_ATTESTATION` `X5C` `AWS` `GCP` `AZURE` `SCEP`

### Optional

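Review bot: the allowed-values string for `type` is now maintained in both docs/data-sources/provisioner.md and this resource page, and the two must stay identical. If both pages are generated from the provider schema this is fine; if either is edited by hand, the enum text should come from a single source (the schema description), or the next provisioner type will be added to one page and not the other.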
113 changes: 107 additions & 6 deletions docs/resources/workload.md
Expand Up @@ -112,25 +112,125 @@ resource "smallstep_workload" "redis" {
### Required

- `admin_emails` (Set of String) Users that will have admin access to manage the workloads authority, which will be created if it does not already exist. Ignored if the workloads authority already exists. Never returned in responses.
- `certificate_data` (Attributes) (see [below for nested schema](#nestedatt--certificate_data))
- `certificate_info` (Attributes) Details on a managed certificate. (see [below for nested schema](#nestedatt--certificate_info))
- `device_collection_slug` (String) Slug of the device collection the workload will be added to.
- `display_name` (String) A friendly name for the workload. Also used as the Common Name if no static SANs are provide.
- `display_name` (String) A friendly name for the workload. Also used as the Common Name, if no static SANs are provided.
- `key_info` (Attributes) The attributes of the cryptographic key. (see [below for nested schema](#nestedatt--key_info))
- `slug` (String) Used as the identifier for the workload.
- `workload_type` (String)
- `workload_type` (String) The type of workload being deployed.
Possible values are `etcd` `generic` `git` `grafana` `haproxy` `httpd` `kafka` `mysql` `nginx` `nodejs` `postgres` `redis` `tomcat` and `zookeeper`.
Use `generic` for a basic certificate workload.

### Optional

- `device_metadata_key_sans` (Set of String) SANs that will be populated from the instance data of the device in the device collection.
For example, if the device instance data in the collection is `{"internal_host": "foo.internal", "external_host", "foo.example.com"}` at the time the workload certificate is issued and this field is set to `["internal_host", "external_host"]`, then the certificate would include the SANs `foo.internal` and `foo.example.com`.
- `hooks` (Attributes) The collection of commands to run when a certificate for a managed endpoint is signed or renewed. (see [below for nested schema](#nestedatt--hooks))
- `reload_info` (Attributes) The properties used to reload a service. (see [below for nested schema](#nestedatt--reload_info))
- `static_sans` (List of String) SANs that will be added to every certificate issued for this workload. The first will be used as the default Common Name.

### Read-Only

- `id` (String) Internal use only.

<a id="nestedatt--certificate_data"></a>
### Nested Schema for `certificate_data`

Required:

- `common_name` (Attributes) (see [below for nested schema](#nestedatt--certificate_data--common_name))

Optional:

- `country` (Attributes) (see [below for nested schema](#nestedatt--certificate_data--country))
- `locality` (Attributes) (see [below for nested schema](#nestedatt--certificate_data--locality))
- `organization` (Attributes) (see [below for nested schema](#nestedatt--certificate_data--organization))
- `organizational_unit` (Attributes) (see [below for nested schema](#nestedatt--certificate_data--organizational_unit))
- `postal_code` (Attributes) (see [below for nested schema](#nestedatt--certificate_data--postal_code))
- `province` (Attributes) (see [below for nested schema](#nestedatt--certificate_data--province))
- `sans` (Attributes) (see [below for nested schema](#nestedatt--certificate_data--sans))
- `street_address` (Attributes) (see [below for nested schema](#nestedatt--certificate_data--street_address))

<a id="nestedatt--certificate_data--common_name"></a>
### Nested Schema for `certificate_data.common_name`

Optional:

- `device_metadata` (String)
- `static` (String)


<a id="nestedatt--certificate_data--country"></a>
### Nested Schema for `certificate_data.country`

Optional:

- `device_metadata` (List of String)
- `static` (List of String)


<a id="nestedatt--certificate_data--locality"></a>
### Nested Schema for `certificate_data.locality`

Optional:

- `device_metadata` (List of String)
- `static` (List of String)


<a id="nestedatt--certificate_data--organization"></a>
### Nested Schema for `certificate_data.organization`

Optional:

- `device_metadata` (List of String)
- `static` (List of String)


<a id="nestedatt--certificate_data--organizational_unit"></a>
### Nested Schema for `certificate_data.organizational_unit`

Optional:

- `device_metadata` (List of String)
- `static` (List of String)


<a id="nestedatt--certificate_data--postal_code"></a>
### Nested Schema for `certificate_data.postal_code`

Optional:

- `device_metadata` (List of String)
- `static` (List of String)


<a id="nestedatt--certificate_data--province"></a>
### Nested Schema for `certificate_data.province`

Optional:

- `device_metadata` (List of String)
- `static` (List of String)


<a id="nestedatt--certificate_data--sans"></a>
### Nested Schema for `certificate_data.sans`

Optional:

- `device_metadata` (List of String)
- `static` (List of String)


<a id="nestedatt--certificate_data--street_address"></a>
### Nested Schema for `certificate_data.street_address`

Optional:

- `device_metadata` (List of String)
- `static` (List of String)



<a id="nestedatt--certificate_info"></a>
### Nested Schema for `certificate_info`

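Review bot: `certificate_data` is added as a Required attribute without a description, while `static_sans` still says "The first will be used as the default Common Name" and `display_name` still says it is used as the Common Name if no static SANs are provided; with `certificate_data.common_name` now required, the page names three sources for the Common Name without stating which one wins. Suggest describing `certificate_data` (that `static` is a literal value and `device_metadata` resolves the value from the device's instance data, as `device_metadata_key_sans` already explains for SANs) and stating the precedence, or dropping the Common Name sentences from `display_name` and `static_sans` if `certificate_data.common_name` now controls it. The nested `common_name` schema also marks both `device_metadata` and `static` as Optional under a Required block, so it should say what happens when neither or both are set.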
Expand All @@ -154,11 +254,12 @@ Optional:

Required:

- `format` (String) The format used to encode the private key. For X509 keys the default format is SEC 1 for ECDSA keys, PKCS#1 for RSA keys and PKCS#8 for ED25519 keys. For SSH keys the default format is always the OPENSSH format. Allowed values: `DEFAULT` `PKCS8` `OPENSSH` `DER`
- `format` (String) The format used to encode the private key. For X509 keys the default format is PKCS#8. The classic format is PKCS#1 for RSA keys, SEC 1 for ECDSA keys, and PKCS#8 for ED25519 keys. For SSH keys the default format is always the OPENSSH format. When a hardware module is used to store the keys the default will be a JSON representation of the key, except on Linux where tss2 will be used. Allowed values: `DEFAULT` `PKCS8` `OPENSSH` `TSS2` `CLASSIC`
- `type` (String) The key type used. The current DEFAULT type is ECDSA_P256. Allowed values: `DEFAULT` `ECDSA_P256` `ECDSA_P384` `ECDSA_P521` `RSA_2048` `RSA_3072` `RSA_4096` `ED25519`

Optional:

- `protection` (String) Whether to use a hardware module to store the private key for a workload certificate. If set to `NONE` no hardware module will be used. If set to `DEFAULT` a hardware module will only be used with format `TSS2`. `HARDWARE_WITH_FALLBACK` can only be used with the key format `DEFAULT`. Allowed values: `DEFAULT` `NONE` `HARDWARE` `HARDWARE_WITH_FALLBACK` `HARDWARE_ATTESTED`
- `pub_file` (String) A CSR or SSH public key to use instead of generating one.


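Review bot: `HARDWARE_WITH_FALLBACK` means a workload can end up with a software-held private key, and the `protection` description does not say how that outcome is surfaced (in state, in the agent's output, or in the issued certificate), so an operator who expects hardware-backed keys has no documented way to detect the downgrade; the entry should state how the fallback is reported, and `HARDWARE_ATTESTED` has no description at all (what is attested, and to whom). Minor: "a JSON representation of the key" in `format` does not name the format, and it is worth stating whether `protection` is ignored when `pub_file` supplies an externally generated key.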