Update documentation for pingone provider v1

pingidentity · Jul 18, 2024 · 6b86a67 · 6b86a67
1 parent 72ff87b
commit 6b86a67
Show file tree

Hide file tree

Showing 22 changed files with 99 additions and 104 deletions.
diff --git a/README.md b/README.md
@@ -5,5 +5,6 @@ Supplemental documentation and examples in addition to the provider-specific doc
 ## Published Providers
 
 * [PingDirectory](https://registry.terraform.io/providers/pingidentity/pingdirectory/latest)
+* [PingFederate](https://registry.terraform.io/providers/pingidentity/pingfederate/latest)
 * [PingOne](https://registry.terraform.io/providers/pingidentity/pingone/latest)
 * [PingOne DaVinci](https://registry.terraform.io/providers/pingidentity/davinci/latest)
diff --git a/docs/best-practices/davinci/index.md b/docs/best-practices/davinci/index.md
@@ -32,14 +32,15 @@ resource "pingone_environment" "my_environment" {
   type        = "SANDBOX"
   license_id  = var.license_id
 
-  service {
-    type = "SSO"
-  }
-
-  service {
-    type = "DaVinci"
-    tags = ["DAVINCI_MINIMAL"]
-  }
+  services = [
+    {
+      type = "SSO"
+    },
+    {
+      type = "DaVinci"
+      tags = ["DAVINCI_MINIMAL"]
+    }
+  ]
 }
 ```
 

diff --git a/docs/best-practices/index.md b/docs/best-practices/index.md
@@ -319,7 +319,7 @@ terraform {
   required_providers {
     pingone = {
       source  = "pingidentity/pingone"
-      version = "~> 0.27"
+      version = "~> 1.0"
     }
     time = {
       source  = "hashicorp/time"

diff --git a/docs/best-practices/pingone/index.md b/docs/best-practices/pingone/index.md
@@ -106,13 +106,13 @@ resource "pingone_password_policy" "my_password_policy" {
 
   name        = "My awesome password policy"
   
-  exclude_commonly_used_passwords = true
-  exclude_profile_data            = true
-  not_similar_to_current          = true
+  excludes_commonly_used_passwords = true
+  excludes_profile_data            = true
+  not_similar_to_current           = true
 
-  password_history {
-    prior_password_count = 6
-    retention_days       = 365
+  history = {
+    count          = 6
+    retention_days = 365
   }
 
   # ... other configuration parameters
@@ -149,10 +149,10 @@ resource "pingone_application" "my_application" {
   name = "My Awesome App"
   enabled        = true
 
-  oidc_options {
+  oidc_options = {
     type                        = "WORKER"
     grant_types                 = ["CLIENT_CREDENTIALS"]
-    token_endpoint_authn_method = "CLIENT_SECRET_BASIC"
+    token_endpoint_auth_method  = "CLIENT_SECRET_BASIC"
   }
 
   # ... other configuration parameters
@@ -178,15 +178,18 @@ The PingOne Terraform provider has a provider-level parameter named `global_opti
 
 There are two parameters that allow force-deletion of configuration, which could result in loss of data if not correctly used.
 
-### `environment.production_type_force_delete`<a href="https://registry.terraform.io/providers/pingidentity/pingone/latest/docs#production_type_force_delete" target="_blank">:octicons-link-external-16:</a>
+### `global_options.environment.production_type_force_delete`<a href="https://registry.terraform.io/providers/pingidentity/pingone/0.29.2/docs#production_type_force_delete" target="_blank">:octicons-link-external-16:</a>
 
-The purpose of the parameter is to override the API level restriction of not being able to destroy environments of type "PRODUCTION".  The default value of this parameter is `false`, meaning that environments will not be force-deleted if a `pingone_environment`<a href="https://registry.terraform.io/providers/pingidentity/pingone/latest/docs/resources/environment" target="_blank">:octicons-link-external-16:</a> resource that has a `type` value of `PRODUCTION` has a destroy plan when run in the `terraform apply` phase.  Use of this parameter is designed to help facilitate development, testing or demonstration purposes and should be set to `false` (or left undefined) for environments that carry production data.
+!!! warning "Legacy Functionality"
+    The `global_options.environment.production_type_force_delete` global option was removed in the PingOne Terraform provider version `v1.0`.  This section applies to prior provider versions (`<= v0.29`).
+
+The purpose of the parameter is to override the API level restriction of not being able to destroy environments of type "PRODUCTION".  The default value of this parameter is `false`, meaning that environments will not be force-deleted if a `pingone_environment`<a href="https://registry.terraform.io/providers/pingidentity/pingone/0.29.2/docs/resources/environment" target="_blank">:octicons-link-external-16:</a> resource that has a `type` value of `PRODUCTION` has a destroy plan when run in the `terraform apply` phase.  Use of this parameter is designed to help facilitate development, testing or demonstration purposes and should be set to `false` (or left undefined) for environments that carry production data.
 
 The implementation of this option is that the environment type will be changed from `PRODUCTION` to `SANDBOX` before a delete API request is issued.  Consider instead changing the type to `SANDBOX` manually before running a plan that destroys an environment, instead of using this parameter.
 
 Misuse of the parameter may lead to unintended data loss and must be used with caution.
 
-### `population.contains_users_force_delete`<a href="https://registry.terraform.io/providers/pingidentity/pingone/latest/docs#contains_users_force_delete" target="_blank">:octicons-link-external-16:</a>
+### `global_options.population.contains_users_force_delete`<a href="https://registry.terraform.io/providers/pingidentity/pingone/latest/docs#contains_users_force_delete" target="_blank">:octicons-link-external-16:</a>
 
 The purpose of the parameter is to override the API level restriction of not being able to destroy populations that contain user data.  The default value of this parameter is `false`, meaning that populations that contain user data will not be force-deleted if a `pingone_population`<a href="https://registry.terraform.io/providers/pingidentity/pingone/latest/docs/resources/population" target="_blank">:octicons-link-external-16:</a> resource has a destroy plan when run in the `terraform apply` phase.  Use of this parameter is designed to help facilitate development, testing or demonstration purposes where non-production user data is created and can be safely discarded.  The parameter should be set to `false` (or left undefined) for environments that carry production data.
 
@@ -205,7 +208,7 @@ For example:
 resource "pingone_schema_attribute" "my_attribute" {
   environment_id = pingone_environment.my_environment.id
 
-  name         = "myAttribute"
+  name = "myAttribute"
   
   # ... other configuration parameters
 

diff --git a/docs/examples/pingone/role-assignment.md b/docs/examples/pingone/role-assignment.md
@@ -35,9 +35,9 @@ Next, we fetch the required roles using the `pingidentity/utils/pingone`<a href=
 ``` terraform
 module "admin_utils" {
   source  = "pingidentity/utils/pingone"
-  version = "0.0.8"
+  version = "0.1.0"
   
-  region         = "EU" // Will be either NA, EU, CA or AP depending on your tenant region.
+  region_code    = "EU" // Will be either NA, EU, CA, AU or AP depending on your tenant region.
   environment_id = var.pingone_admin_environment_id
 }
 ```
@@ -49,9 +49,11 @@ resource "pingone_environment" "my_environment" {
   type        = "SANDBOX"
   license_id  = var.license_id
 
-  service {
-    type = "SSO"
-  }
+  services = [
+    {
+      type = "SSO"
+    }
+  ]
 }
 ```
 

diff --git a/docs/faq/pingone.md b/docs/faq/pingone.md
@@ -15,19 +15,7 @@ Check the admin user's role permissions.  The admin user will need any of the fo
 * **Identity Data Read Only**
 * **Configuration Read Only**
 
-Some roles can be scoped to individual environments, including the **Environment Admin** role:
-
-* If the admin user has the **Environment Admin** role scoped to the organization, the admin user will automatically inherit this permission for new environments.
-* If the admin user has the **Environment Admin** role scoped to individual environments, the admin user will need the environment permission assigned after the environment has been created.
-
-!!! warning "Role grant restrictions"
-    Admins cannot grant roles that they haven't already been granted themselves.  This can mean that admins cannot grant the appropriate role themselves, but would need to be granted through Terraform, or by another admin that has the equivalent role, or that has the **Environment Admin** role scoped to the entire organization.
-
-!!! note "Assigning Environment Permissions with Terraform"
-    Admin permissions can be assigned using Terraform after environment creation.  See [PingOne Role Permission Assignment](../../examples/pingone/role-assignment/) for an example of assigning roles using the PingOne Terraform provider.
-
-!!! note "Read more about PingOne Roles"
-    More information about role permissions can be found at the [PingOne Cloud Platform online documentation](https://docs.pingidentity.com/r/en-us/pingone/p1_c_roles)
+Please see the [Admin Role Management Considerations](https://registry.terraform.io/providers/pingidentity/pingone/latest/docs/guides/admin-role-management) guide on the provider's registry documentation for details on role assignment and considerations for admin role management when using Terraform.
 
 ## I've created a new environment (or population) with Terraform, but my admins can't view users, or manage group/population based configuration
 
@@ -36,18 +24,12 @@ Check the admin user's role permissions.  The admin user will need any of the fo
 * **Identity Data Admin**
 * **Identity Data Read Only**
 
-These roles are scoped to individual environments.  The admin user will need the environment level permission assigned after the new environment has been created.
-
-!!! warning "Role grant restrictions"
-    Admins cannot grant roles that they haven't already been granted themselves.  This can mean that admins cannot grant the appropriate role themselves, but would need to be granted through Terraform, or by another admin that has the equivalent role.
+Please see the [Admin Role Management Considerations](https://registry.terraform.io/providers/pingidentity/pingone/latest/docs/guides/admin-role-management) guide on the provider's registry documentation for details on role assignment and considerations for admin role management when using Terraform.
 
-!!! note "Assigning Environment Permissions with Terraform"
-    Admin permissions can be assigned using Terraform after environment creation.  See [PingOne Role Permission Assignment](../../examples/pingone/role-assignment/) for an example of assigning roles using the PingOne Terraform provider.
+## I get an error "Actor does not have permissions to access worker application client secrets"
 
-These roles may be scoped by environment, but can also be scoped to individual populations of users.  With **Identity Data Admin** as an example:
+Admin actors (users, worker applications, connections) may not be able to view or rotate a worker application's secret when they previously have been able to as an unexpected change of behaviour.
 
-* If the admin user has the **Identity Data Admin** role scoped to the environment, the admin user will automatically inherit this permission for new populations in the environment.
-* If the admin user has the **Identity Data Admin** role scoped to individual populations, the admin user will need the population level permission assigned after the population has been created.
+The change in ability to manage a worker application's client secret typically occurs when the worker application is granted additional role permissions that the user, admin worker application or connection doesn't have. In effect, it means the worker application whose secret cannot be managed has a higher level of privilege to manage configuration and data within the tenant. The ability to view and change the secret is therefore restricted to mitigate privilege escalation issues where admin actors could potentially use the higher privileged worker application to make changes they are not authorised to make in the platform.
 
-!!! note "Read more about PingOne Roles"
-    More information about role permissions can be found at the [PingOne Cloud Platform online documentation](https://docs.pingidentity.com/r/en-us/pingone/p1_c_roles)
+For more information, and guidance on how to resolve this error, see the [Admin Role Management Considerations - When Admins Cannot View or Manage a Worker Application Secret](https://registry.terraform.io/providers/pingidentity/pingone/latest/docs/guides/admin-role-management#when-admins-cannot-view-or-manage-a-worker-application-secret) guide on the provider's registry documentation.
diff --git a/docs/getting-started/pingone.md b/docs/getting-started/pingone.md
@@ -9,7 +9,7 @@
 
 ## Requirements
 
-* Terraform CLI 1.3+
+* Terraform CLI 1.4+
 * A licensed or trial PingOne cloud subscription - [Try Ping here](https://www.pingidentity.com/en/try-ping.html)
 * Administrator access to the [PingOne Administration Console](https://docs.pingidentity.com/r/en-us/pingone/p1_access_admin_console)
 

diff --git a/examples/pingone-custom-domain-with-cloudflare-dns/supporting-configuration.tf b/examples/pingone-custom-domain-with-cloudflare-dns/supporting-configuration.tf
@@ -8,16 +8,16 @@ resource "pingone_environment" "my_environment" {
   type        = "SANDBOX"
   license_id  = var.pingone_environment_license_id
 
-  service {
+  services = [{
     type = "SSO"
-  }
+  }]
 }
 
 module "pingone_utils" {
   source  = "pingidentity/utils/pingone"
-  version = "0.0.8"
+  version = "0.1.0"
 
-  region         = pingone_environment.my_environment.region
+  region_code    = pingone_environment.my_environment.region
   environment_id = pingone_environment.my_environment.id
 
   custom_domain = pingone_custom_domain.my_custom_domain.domain_name

diff --git a/examples/pingone-custom-domain-with-cloudflare-dns/versions.tf b/examples/pingone-custom-domain-with-cloudflare-dns/versions.tf
@@ -8,7 +8,7 @@ terraform {
     }
     pingone = {
       source  = "pingidentity/pingone"
-      version = ">= 0.23.0, < 1.0.0"
+      version = ">= 1.0.0, < 2.0.0"
     }
     time = {
       source  = "hashicorp/time"

diff --git a/examples/pingone-neo-getting-started/main.tf b/examples/pingone-neo-getting-started/main.tf
@@ -132,17 +132,17 @@ resource "pingone_application" "my_native_app" {
   name           = "PingOne Credentials Sample Wallet App"
   enabled        = true
 
-  oidc_options {
-    type                        = "NATIVE_APP"
-    grant_types                 = ["AUTHORIZATION_CODE"]
-    response_types              = ["CODE"]
-    pkce_enforcement            = "S256_REQUIRED"
-    token_endpoint_authn_method = "NONE"
+  oidc_options = {
+    type                       = "NATIVE_APP"
+    grant_types                = ["AUTHORIZATION_CODE"]
+    response_types             = ["CODE"]
+    pkce_enforcement           = "S256_REQUIRED"
+    token_endpoint_auth_method = "NONE"
     redirect_uris = [
       "https://shocard.pingone.com/callback",
     ]
 
-    mobile_app {
+    mobile_app = {
       bundle_id    = "com.pingidentity.PingOneWalletSample"
       package_name = "com.pingidentity.shocard"
     }
@@ -185,8 +185,8 @@ resource "pingone_credential_type" "getting_started_credential" {
     bg_opacity_percent = 30
 
     # ensure images have content-type prefix defined and are base64 encoded
-    background_image = pingone_image.credentials_card_getting_started_background_image.uploaded_image[0].href
-    logo_image       = pingone_image.credentials_card_getting_started_logo_image.uploaded_image[0].href
+    background_image = pingone_image.credentials_card_getting_started_background_image.uploaded_image.href
+    logo_image       = pingone_image.credentials_card_getting_started_logo_image.uploaded_image.href
 
     card_color = "#69747d"
     text_color = "#ffffff"
@@ -279,8 +279,8 @@ resource "pingone_credential_type" "verifiedemployee" {
     description        = "Demo Proof of Employment"
     bg_opacity_percent = 100
 
-    background_image = pingone_image.credentials_card_verified_employee_background_image.uploaded_image[0].href
-    logo_image       = pingone_image.credentials_card_verified_employee_logo_image.uploaded_image[0].href
+    background_image = pingone_image.credentials_card_verified_employee_background_image.uploaded_image.href
+    logo_image       = pingone_image.credentials_card_verified_employee_logo_image.uploaded_image.href
 
     card_color = "#ffffff"
     text_color = "#000000"

diff --git a/examples/pingone-neo-getting-started/supporting-configuration.tf b/examples/pingone-neo-getting-started/supporting-configuration.tf
@@ -47,18 +47,19 @@ resource "pingone_environment" "my_environment" {
   type        = "SANDBOX"
   license_id  = var.pingone_environment_license_id
 
-  service {
+  services = [{
     type = "SSO"
-  }
-  service {
-    type = "MFA"
-  }
-  service {
-    type = "Verify"
-  }
-  service {
-    type = "Credentials"
-  }
+    },
+    {
+      type = "MFA"
+    },
+    {
+      type = "Verify"
+    },
+    {
+      type = "Credentials"
+    }
+  ]
 }
 
 resource "time_static" "current" {}
diff --git a/examples/pingone-neo-getting-started/versions.tf b/examples/pingone-neo-getting-started/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     pingone = {
       source  = "pingidentity/pingone"
-      version = ">= 0.23.0, < 1.0.0"
+      version = ">= 1.0.0, < 2.0.0"
     }
     time = {
       source  = "hashicorp/time"

diff --git a/examples/pingone-postman-oauth2-integration/README.md b/examples/pingone-postman-oauth2-integration/README.md
@@ -20,7 +20,7 @@ The following environment variables should be set prior to running the example.
 | `PINGONE_CLIENT_ID`                             | [PingOne - client_id](https://registry.terraform.io/providers/pingidentity/pingone/latest/docs#client_id)           | Required          |
 | `PINGONE_CLIENT_SECRET`                         | [PingOne - client_secret](https://registry.terraform.io/providers/pingidentity/pingone/latest/docs#client_secret)   | Required          |
 | `PINGONE_ENVIRONMENT_ID`                        | [PingOne - environment_id](https://registry.terraform.io/providers/pingidentity/pingone/latest/docs#environment_id) | Required          |
-| `PINGONE_REGION`                                | [PingOne - region](https://registry.terraform.io/providers/pingidentity/pingone/latest/docs#region)                 | Required          |
+| `PINGONE_REGION_CODE`                           | [PingOne - region_code](https://registry.terraform.io/providers/pingidentity/pingone/latest/docs#region_code)       | Required          |
 
 
 ## Setting Variables

diff --git a/examples/pingone-postman-oauth2-integration/main.tf b/examples/pingone-postman-oauth2-integration/main.tf
@@ -7,12 +7,12 @@ resource "pingone_application" "postman" {
 
   hidden_from_app_portal = false
 
-  icon {
-    href = pingone_image.postman_logo.uploaded_image[0].href
+  icon = {
+    href = pingone_image.postman_logo.uploaded_image.href
     id   = pingone_image.postman_logo.id
   }
 
-  oidc_options {
+  oidc_options = {
     type = "WORKER"
 
     grant_types = [
@@ -23,13 +23,13 @@ resource "pingone_application" "postman" {
       "CODE",
     ]
 
-    pkce_enforcement            = "S256_REQUIRED"
-    token_endpoint_authn_method = "NONE"
+    pkce_enforcement           = "S256_REQUIRED"
+    token_endpoint_auth_method = "NONE"
 
     redirect_uris = [
       "https://oauth.pstmn.io/v1/callback",
     ]
-    allow_wildcards_in_redirect_uris = false
+    allow_wildcard_in_redirect_uris = false
 
     refresh_token_duration                      = 2592000
     refresh_token_rolling_duration              = 15552000

diff --git a/examples/pingone-postman-oauth2-integration/outputs.tf b/examples/pingone-postman-oauth2-integration/outputs.tf
@@ -5,7 +5,7 @@ output "pingone_environment_name" {
 
 output "postman_application_client_id" {
   description = "The client ID used for the Postman OAuth 2.0 authorization type integration.  As the application is configured to use PKCE, the client secret is not required."
-  value       = pingone_application.postman.oidc_options[0].client_id
+  value       = pingone_application.postman.oidc_options.client_id
 }
 
 output "postman_application_authorization_endpoint" {

diff --git a/examples/pingone-postman-oauth2-integration/supporting-configuration.tf b/examples/pingone-postman-oauth2-integration/supporting-configuration.tf
@@ -14,16 +14,16 @@ resource "pingone_environment" "my_environment" {
   type        = "SANDBOX"
   license_id  = var.pingone_environment_license_id
 
-  service {
+  services = [{
     type = "SSO"
-  }
+  }]
 }
 
 module "pingone_utils" {
   source  = "pingidentity/utils/pingone"
-  version = "0.0.8"
+  version = "0.1.0"
 
-  region         = pingone_environment.my_environment.region
+  region_code    = pingone_environment.my_environment.region
   environment_id = pingone_environment.my_environment.id
 }
 

diff --git a/examples/pingone-postman-oauth2-integration/versions.tf b/examples/pingone-postman-oauth2-integration/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     pingone = {
       source  = "pingidentity/pingone"
-      version = ">= 0.23.0, < 1.0.0"
+      version = ">= 1.0.0, < 2.0.0"
     }
     time = {
       source  = "hashicorp/time"