Use authority ID on collections instead of admin emails

docs/data-sources/authority.md

@@ -25,16 +25,16 @@ output "bootstrap_preexisting" {
 <!-- schema generated by tfplugindocs -->
 ## Schema
 
-### Required
+### Optional
 
+- `domain` (String) The domain where the authority can be reached.
 - `id` (String) A UUID identifying this authority.
 
 ### Read-Only
 
 - `active_revocation` (Boolean) Whether CRL and OCSP are enabled (advanced authorities only).
 - `admin_emails` (Set of String) Users that have admin access to manage the authority.
 - `created_at` (String) Timestamp when the authority was created.
-- `domain` (String) The domain where the authority can be reached.
 - `fingerprint` (String) The SHA-256 digest of the authority's root certificate in hex format.
 - `name` (String) The name of the authority.
 - `root` (String) The root certificate in pem format.

docs/data-sources/device_collection_account.md

@@ -0,0 +1,166 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "smallstep_device_collection_account Data Source - terraform-provider-smallstep"
+subcategory: ""
+description: |-
+  The certificate details binding an account to a device collection.
+---
+
+# smallstep_device_collection_account (Data Source)
+
+The certificate details binding an account to a device collection.
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `device_collection_slug` (String)
+- `slug` (String) Used as the identifier for the device collection account.
+
+### Optional
+
+- `account_id` (String) Identifier of the account.
+- `authority_id` (String) A UUID identifying the authority to issue certificates for the account on devices in the collection.
+- `certificate_data` (Attributes) (see [below for nested schema](#nestedatt--certificate_data))
+- `certificate_info` (Attributes) Details on a managed certificate. (see [below for nested schema](#nestedatt--certificate_info))
+- `display_name` (String) A friendly name for the device collection account. Also used as the Common Name, if no static SANs are provided.
+- `key_info` (Attributes) The attributes of the cryptographic key. (see [below for nested schema](#nestedatt--key_info))
+- `reload_info` (Attributes) The properties used to reload a service. (see [below for nested schema](#nestedatt--reload_info))
+
+<a id="nestedatt--certificate_data"></a>
+### Nested Schema for `certificate_data`
+
+Optional:
+
+- `common_name` (Attributes) (see [below for nested schema](#nestedatt--certificate_data--common_name))
+- `country` (Attributes) (see [below for nested schema](#nestedatt--certificate_data--country))
+- `locality` (Attributes) (see [below for nested schema](#nestedatt--certificate_data--locality))
+- `organization` (Attributes) (see [below for nested schema](#nestedatt--certificate_data--organization))
+- `organizational_unit` (Attributes) (see [below for nested schema](#nestedatt--certificate_data--organizational_unit))
+- `postal_code` (Attributes) (see [below for nested schema](#nestedatt--certificate_data--postal_code))
+- `province` (Attributes) (see [below for nested schema](#nestedatt--certificate_data--province))
+- `sans` (Attributes) (see [below for nested schema](#nestedatt--certificate_data--sans))
+- `street_address` (Attributes) (see [below for nested schema](#nestedatt--certificate_data--street_address))
+
+<a id="nestedatt--certificate_data--common_name"></a>
+### Nested Schema for `certificate_data.common_name`
+
+Optional:
+
+- `device_metadata` (String)
+- `static` (String)
+
+
+<a id="nestedatt--certificate_data--country"></a>
+### Nested Schema for `certificate_data.country`
+
+Optional:
+
+- `device_metadata` (List of String)
+- `static` (List of String)
+
+
+<a id="nestedatt--certificate_data--locality"></a>
+### Nested Schema for `certificate_data.locality`
+
+Optional:
+
+- `device_metadata` (List of String)
+- `static` (List of String)
+
+
+<a id="nestedatt--certificate_data--organization"></a>
+### Nested Schema for `certificate_data.organization`
+
+Optional:
+
+- `device_metadata` (List of String)
+- `static` (List of String)
+
+
+<a id="nestedatt--certificate_data--organizational_unit"></a>
+### Nested Schema for `certificate_data.organizational_unit`
+
+Optional:
+
+- `device_metadata` (List of String)
+- `static` (List of String)
+
+
+<a id="nestedatt--certificate_data--postal_code"></a>
+### Nested Schema for `certificate_data.postal_code`
+
+Optional:
+
+- `device_metadata` (List of String)
+- `static` (List of String)
+
+
+<a id="nestedatt--certificate_data--province"></a>
+### Nested Schema for `certificate_data.province`
+
+Optional:
+
+- `device_metadata` (List of String)
+- `static` (List of String)
+
+
+<a id="nestedatt--certificate_data--sans"></a>
+### Nested Schema for `certificate_data.sans`
+
+Optional:
+
+- `device_metadata` (List of String)
+- `static` (List of String)
+
+
+<a id="nestedatt--certificate_data--street_address"></a>
+### Nested Schema for `certificate_data.street_address`
+
+Optional:
+
+- `device_metadata` (List of String)
+- `static` (List of String)
+
+
+
+<a id="nestedatt--certificate_info"></a>
+### Nested Schema for `certificate_info`
+
+Optional:
+
+- `crt_file` (String) The filepath where the certificate is to be stored.
+- `duration` (String) The certificate lifetime. Parsed as a [Golang duration](https://pkg.go.dev/time#ParseDuration).
+- `gid` (Number) GID of the files where the certificate is stored.
+- `key_file` (String) The filepath where the key is to be stored.
+- `mode` (Number) Permission bits of the files where the certificate is stored.
+- `root_file` (String) The filepath where the root certificate is to be stored.
+- `type` (String) The type of certificate. Allowed values: `X509` `SSH_USER` `SSH_HOST`
+- `uid` (Number) UID of the files where the certificate is stored.
+
+
+<a id="nestedatt--key_info"></a>
+### Nested Schema for `key_info`
+
+Optional:
+
+- `format` (String) The format used to encode the private key. For X509 keys the default format is PKCS#8. The classic format is PKCS#1 for RSA keys, SEC 1 for ECDSA keys, and PKCS#8 for ED25519 keys. For SSH keys the default format is always the OPENSSH format. When a hardware module is used to store the keys the default will be a JSON representation of the key, except on Linux where tss2 will be used. Allowed values: `DEFAULT` `PKCS8` `OPENSSH` `TSS2` `CLASSIC`
+- `protection` (String) Whether to use a hardware module to store the private key for a workload certificate. If set to `NONE` no hardware module will be used. If set to `DEFAULT` a hardware module will only be used with format `TSS2`. `HARDWARE_WITH_FALLBACK` can only be used with the key format `DEFAULT`. Allowed values: `DEFAULT` `NONE` `HARDWARE` `HARDWARE_WITH_FALLBACK` `HARDWARE_ATTESTED`
+- `pub_file` (String) A CSR or SSH public key to use instead of generating one.
+- `type` (String) The key type used. The current DEFAULT type is ECDSA_P256. Allowed values: `DEFAULT` `ECDSA_P256` `ECDSA_P384` `ECDSA_P521` `RSA_2048` `RSA_3072` `RSA_4096` `ED25519`
+
+
+<a id="nestedatt--reload_info"></a>
+### Nested Schema for `reload_info`
+
+Optional:
+
+- `method` (String) Ways an endpoint can reload a certificate. `AUTOMATIC` means the process is able to detect and reload new certificates automatically. `CUSTOM` means a custom command must be run to trigger the workload to reload the certificates. `SIGNAL` will configure the agent to send a signal to the process in `pidFile`. `DBUS` will use the systemd system bus to issue a `try-reload-or-restart` job for unit specified by `unitName`. `PLATFORM` uses a method specific to the operating system. Allowed values: `AUTOMATIC` `CUSTOM` `SIGNAL` `DBUS` `PLATFORM`
+- `pid_file` (String) File that holds the pid of the process to signal. Required when method is SIGNAL.
+- `signal` (Number) The signal to send to a process when a certificate should be reloaded. Required when method is SIGNAL.
+- `unit_name` (String) The systemd unit name to reload when a certificate should be reloaded. Required when method is DBUS.
+
+

docs/resources/device_collection.md

@@ -93,7 +93,7 @@ resource "smallstep_device_collection" "azure" {
 
 ### Required
 
-- `admin_emails` (Set of String) Users that will have admin access to manage the agents authority, which will be created if it does not already exist. Ignored if the agent authority already exists. Never returned in API responses.
+- `authority_id` (String) A UUID identifying the authority to issue certificates for the agent running on devices in the collection.
 - `device_type` (String) Must match the deviceTypeConfiguration. Cannot be changed. Allowed values: `aws-vm` `azure-vm` `gcp-vm` `tpm`
 - `display_name` (String)
 - `slug` (String)
@@ -105,10 +105,6 @@ resource "smallstep_device_collection" "azure" {
 - `gcp_vm` (Attributes) Configuration for the GCP provisioner for device collections of GCP instances. At least one service account or project ID must be set. (see [below for nested schema](#nestedatt--gcp_vm))
 - `tpm` (Attributes) Configuration for a device collection of machines with TPMs. (see [below for nested schema](#nestedatt--tpm))
 
-### Read-Only
-
-- `id` (String) Internal use only
-
 <a id="nestedatt--aws_vm"></a>
 ### Nested Schema for `aws_vm`
 

docs/resources/device_collection_account.md

@@ -0,0 +1,178 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "smallstep_device_collection_account Resource - terraform-provider-smallstep"
+subcategory: ""
+description: |-
+  The certificate details binding an account to a device collection.
+---
+
+# smallstep_device_collection_account (Resource)
+
+The certificate details binding an account to a device collection.
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `account_id` (String) Identifier of the account.
+- `authority_id` (String) A UUID identifying the authority to issue certificates for the account on devices in the collection.
+- `certificate_data` (Attributes) (see [below for nested schema](#nestedatt--certificate_data))
+- `certificate_info` (Attributes) Details on a managed certificate. (see [below for nested schema](#nestedatt--certificate_info))
+- `device_collection_slug` (String)
+- `display_name` (String) A friendly name for the device collection account. Also used as the Common Name, if no static SANs are provided.
+- `key_info` (Attributes) The attributes of the cryptographic key. (see [below for nested schema](#nestedatt--key_info))
+- `slug` (String) Used as the identifier for the device collection account.
+
+### Optional
+
+- `reload_info` (Attributes) The properties used to reload a service. (see [below for nested schema](#nestedatt--reload_info))
+
+<a id="nestedatt--certificate_data"></a>
+### Nested Schema for `certificate_data`
+
+Required:
+
+- `common_name` (Attributes) (see [below for nested schema](#nestedatt--certificate_data--common_name))
+
+Optional:
+
+- `country` (Attributes) (see [below for nested schema](#nestedatt--certificate_data--country))
+- `locality` (Attributes) (see [below for nested schema](#nestedatt--certificate_data--locality))
+- `organization` (Attributes) (see [below for nested schema](#nestedatt--certificate_data--organization))
+- `organizational_unit` (Attributes) (see [below for nested schema](#nestedatt--certificate_data--organizational_unit))
+- `postal_code` (Attributes) (see [below for nested schema](#nestedatt--certificate_data--postal_code))
+- `province` (Attributes) (see [below for nested schema](#nestedatt--certificate_data--province))
+- `sans` (Attributes) (see [below for nested schema](#nestedatt--certificate_data--sans))
+- `street_address` (Attributes) (see [below for nested schema](#nestedatt--certificate_data--street_address))
+
+<a id="nestedatt--certificate_data--common_name"></a>
+### Nested Schema for `certificate_data.common_name`
+
+Optional:
+
+- `device_metadata` (String)
+- `static` (String)
+
+
+<a id="nestedatt--certificate_data--country"></a>
+### Nested Schema for `certificate_data.country`
+
+Optional:
+
+- `device_metadata` (List of String)
+- `static` (List of String)
+
+
+<a id="nestedatt--certificate_data--locality"></a>
+### Nested Schema for `certificate_data.locality`
+
+Optional:
+
+- `device_metadata` (List of String)
+- `static` (List of String)
+
+
+<a id="nestedatt--certificate_data--organization"></a>
+### Nested Schema for `certificate_data.organization`
+
+Optional:
+
+- `device_metadata` (List of String)
+- `static` (List of String)
+
+
+<a id="nestedatt--certificate_data--organizational_unit"></a>
+### Nested Schema for `certificate_data.organizational_unit`
+
+Optional:
+
+- `device_metadata` (List of String)
+- `static` (List of String)
+
+
+<a id="nestedatt--certificate_data--postal_code"></a>
+### Nested Schema for `certificate_data.postal_code`
+
+Optional:
+
+- `device_metadata` (List of String)
+- `static` (List of String)
+
+
+<a id="nestedatt--certificate_data--province"></a>
+### Nested Schema for `certificate_data.province`
+
+Optional:
+
+- `device_metadata` (List of String)
+- `static` (List of String)
+
+
+<a id="nestedatt--certificate_data--sans"></a>
+### Nested Schema for `certificate_data.sans`
+
+Optional:
+
+- `device_metadata` (List of String)
+- `static` (List of String)
+
+
+<a id="nestedatt--certificate_data--street_address"></a>
+### Nested Schema for `certificate_data.street_address`
+
+Optional:
+
+- `device_metadata` (List of String)
+- `static` (List of String)
+
+
+
+<a id="nestedatt--certificate_info"></a>
+### Nested Schema for `certificate_info`
+
+Required:
+
+- `type` (String) The type of certificate. Allowed values: `X509` `SSH_USER` `SSH_HOST`
+
+Optional:
+
+- `crt_file` (String) The filepath where the certificate is to be stored.
+- `duration` (String) The certificate lifetime. Parsed as a [Golang duration](https://pkg.go.dev/time#ParseDuration).
+- `gid` (Number) GID of the files where the certificate is stored.
+- `key_file` (String) The filepath where the key is to be stored.
+- `mode` (Number) Permission bits of the files where the certificate is stored.
+- `root_file` (String) The filepath where the root certificate is to be stored.
+- `uid` (Number) UID of the files where the certificate is stored.
+
+
+<a id="nestedatt--key_info"></a>
+### Nested Schema for `key_info`
+
+Required:
+
+- `format` (String) The format used to encode the private key. For X509 keys the default format is PKCS#8. The classic format is PKCS#1 for RSA keys, SEC 1 for ECDSA keys, and PKCS#8 for ED25519 keys. For SSH keys the default format is always the OPENSSH format. When a hardware module is used to store the keys the default will be a JSON representation of the key, except on Linux where tss2 will be used. Allowed values: `DEFAULT` `PKCS8` `OPENSSH` `TSS2` `CLASSIC`
+- `type` (String) The key type used. The current DEFAULT type is ECDSA_P256. Allowed values: `DEFAULT` `ECDSA_P256` `ECDSA_P384` `ECDSA_P521` `RSA_2048` `RSA_3072` `RSA_4096` `ED25519`
+
+Optional:
+
+- `protection` (String) Whether to use a hardware module to store the private key for a workload certificate. If set to `NONE` no hardware module will be used. If set to `DEFAULT` a hardware module will only be used with format `TSS2`. `HARDWARE_WITH_FALLBACK` can only be used with the key format `DEFAULT`. Allowed values: `DEFAULT` `NONE` `HARDWARE` `HARDWARE_WITH_FALLBACK` `HARDWARE_ATTESTED`
+- `pub_file` (String) A CSR or SSH public key to use instead of generating one.
+
+
+<a id="nestedatt--reload_info"></a>
+### Nested Schema for `reload_info`
+
+Required:
+
+- `method` (String) Ways an endpoint can reload a certificate. `AUTOMATIC` means the process is able to detect and reload new certificates automatically. `CUSTOM` means a custom command must be run to trigger the workload to reload the certificates. `SIGNAL` will configure the agent to send a signal to the process in `pidFile`. `DBUS` will use the systemd system bus to issue a `try-reload-or-restart` job for unit specified by `unitName`. `PLATFORM` uses a method specific to the operating system. Allowed values: `AUTOMATIC` `CUSTOM` `SIGNAL` `DBUS` `PLATFORM`
+
+Optional:
+
+- `pid_file` (String) File that holds the pid of the process to signal. Required when method is SIGNAL.
+- `signal` (Number) The signal to send to a process when a certificate should be reloaded. Required when method is SIGNAL.
+- `unit_name` (String) The systemd unit name to reload when a certificate should be reloaded. Required when method is DBUS.
+
+