From 273e3accaca9bde1de876f246379bd1c36fdae93 Mon Sep 17 00:00:00 2001 From: stellarsquall Date: Thu, 30 Jan 2025 21:19:26 +0000 Subject: [PATCH] backport of commit 2c36a099583a90bb09c9362cf9b6e428d506df3e --- .../docs/concepts/host-discovery/aws.mdx | 29 ++++++++++--------- .../docs/concepts/host-discovery/azure.mdx | 9 +++--- .../docs/concepts/host-discovery/gcp.mdx | 25 +++++++++------- 3 files changed, 34 insertions(+), 29 deletions(-) diff --git a/website/content/docs/concepts/host-discovery/aws.mdx b/website/content/docs/concepts/host-discovery/aws.mdx index 2f7e426ab2..62eb7f8f86 100644 --- a/website/content/docs/concepts/host-discovery/aws.mdx +++ b/website/content/docs/concepts/host-discovery/aws.mdx @@ -105,10 +105,10 @@ The required fields for creating a dynamic host catalog depend on whether you co -plugin-name aws \ -attr disable_credential_rotation=true \ -attr region=us-east-1 \ - -role_arn \ - -role_external_id \ - -role_session_name \ - -role_tags + -attr role_arn=AWS_ROLE_ARN_VALUE \ + -attr role_external_id=AWS_ROLE_EXTERNAL_ID_VALUE \ + -attr role_session_name=AWS_ROLE_SESSION_NAME_VALUE \ + -attr role_tags=AWS_ROLE_TAGS_VALUE ``` The `scope-id` and `plugin-name` fields are required when you create a dynamic host catalog. 
@@ -148,16 +148,17 @@ Apply the following Terraform policy: scope_id = boundary_scope.project.id plugin_name = "aws" + # recommended to pass in aws secrets using a file() or using environment variables attributes_json = jsonencode({ "region" = "eu-west-2", "disable_credential_rotation" = true }) secrets_json = jsonencode({ - "access_key_id" = var.aws_access, - "secret_access_key" = var.aws_secret}) + "access_key_id" = "AWS_ACCESS_KEY_ID_VALUE", + "secret_access_key" = "AWS_SECRET_ACCESS_KEY_VALUE"}) } ``` -The `scope-id` and `plugin-name` fields are required when you create a dynamic host catalog. +The `scope_id` and `plugin_name` fields are required when you create a dynamic host catalog. Replace the values in the configuration with the following required AWS secrets and any attributes you want to associate with the host catalog: @@ -184,14 +185,14 @@ Apply the following Terraform policy: "region" = "eu-west-2", "disable_credential_rotation" = true }) secrets_json = jsonencode({ - "role_arn" = var.aws_access, - "role_external_id" = var.aws_secret, - "role_session_name" = var.aws_secret, - "role_tags" = var.aws_secret}) + "role_arn" = "AWS_ROLE_ARN_VALUE", + "role_external_id" = "AWS_ROLE_EXTERNAL_ID_VALUE", + "role_session_name" = "AWS_ROLE_SESSION_NAME_VALUE", + "role_tags" = "AWS_ROLE_TAGS_VALUE"}) } ``` -The `scope-id` and `plugin-name` fields are required when you create a dynamic host catalog. +The `scope_id` and `plugin_name` fields are required when you create a dynamic host catalog. Replace the values in the configuration with the following required AWS secrets and any attributes you want to associate with the host catalog: 
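Review bot: The `secrets_json` block in the static-credentials example (`@@ -148`) now takes quoted literals such as `"secret_access_key" = "AWS_SECRET_ACCESS_KEY_VALUE"` where the old side referenced variables, so a reader who follows it literally types a long-lived access key into a `.tf` file that is usually committed. The added comment recommends `file()` or environment variables, but it sits above `attributes_json` rather than the block that holds the secrets, and the example no longer shows either approach. I would keep a variable reference, for example `"secret_access_key" = var.aws_secret_access_key`, with the variable declared `sensitive = true`, and move the comment directly above `secrets_json`. The same literal-placeholder pattern appears for `private_key` in the GCP hunks at `@@ -279` and `@@ -325`. The resource block starts above the hunk.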
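Review bot: The assume-role Terraform example (`@@ -184`) keeps `role_arn`, `role_external_id`, `role_session_name` and `role_tags` under `secrets_json`, while the CLI example changed in the first hunk of this file (`@@ -105`) now passes the same four as `-attr` values. One of the two is presumably wrong. If the plugin reads them as attributes, the Terraform keys belong in `attributes_json` next to `region`, and the sentence below the block that calls them "required AWS secrets" needs the same correction. This is worth confirming against the AWS plugin's field list, since a key in the wrong map would likely be ignored or rejected rather than applied.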
@@ -267,13 +268,13 @@ Apply the following Terraform policy: resource "boundary_host_set_plugin" "aws_host_set" { name = "AWS Host Set" description = "AWS Host Set" - host_catalog_id = boundary_scope.aws_host_catalog.id + host_catalog_id = boundary_host_catalog_plugin.aws_host_catalog.id attributes_json = jsonencode({ "filters" = ["tag-key=foo,bar", "tag-key=baz"] }) } ``` -The `host-catalog-id` value is a required field that specifies in which host catalog to create this host set. +The `host_catalog_id` value is a required field that specifies in which host catalog to create this host set. The `filters` field contains string filters in the format key=val1,val2. The key corresponds to a filter option, and the value(s) are a comma-separated list. diff --git a/website/content/docs/concepts/host-discovery/azure.mdx b/website/content/docs/concepts/host-discovery/azure.mdx index 1e3e0ddaa4..5010b4a104 100644 --- a/website/content/docs/concepts/host-discovery/azure.mdx +++ b/website/content/docs/concepts/host-discovery/azure.mdx @@ -80,6 +80,7 @@ resource "boundary_host_catalog_plugin" "azure_host_catalog" { scope_id = boundary_scope.project.id plugin_name = "azure" + # recommended to pass in aws secrets using a file() or using environment variables attributes_json = jsonencode({ "tenant_id" = "ARM_TENANT_ID", "subscription_id" = "ARM_SUBSCRIPTION_ID" @@ -90,10 +91,10 @@ resource "boundary_host_catalog_plugin" "azure_host_catalog" { } ``` -The `scope-id` and `plugin-name` fields are required when you create a +The `scope_id` and `plugin_name` fields are required when you create a dynamic host catalog. -The fields following the `attr` and `secret` flags are specific to Azure and are required by +The fields following the `attributes_json` and `secrets_json` flags are specific to Azure and are required by Boundary for authentication. - `disable_credential_rotation`: When set to `true`, Boundary does not rotate the credentials automatically. 
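Review bot: The comment added above `attributes_json` in the Azure example (`@@ -80`) reads `# recommended to pass in aws secrets using a file() or using environment variables`, but this is the Azure page; the same AWS-worded line is added in all three GCP hunks (`@@ -279`, `@@ -325`, `@@ -374`). It is also placed above the attributes map rather than `secrets_json`, and in `@@ -374` the visible block has no `secrets_json` at all, so the advice points at nothing there. Suggested wording, placed directly above `secrets_json`: `# Pass secrets in from variables, file() or environment variables rather than hard-coding them here`. Separately, the reworded sentence calls `attributes_json` and `secrets_json` "flags"; in Terraform they are arguments of the resource.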
@@ -173,10 +174,10 @@ Apply the following Terraform policy: } ``` -The `host-catalog-id` value is a required field that specifies in which host catalog to +The `host_catalog_id` value is a required field that specifies in which host catalog to create this host set. -The fields following the `attr` flag are specific to Azure. +The fields following the `attributes_json` flag are specific to Azure. The `filter` field represents the ARM filter used to select resources that should be a part of this host set. There are some limitations with the filtering syntax. diff --git a/website/content/docs/concepts/host-discovery/gcp.mdx b/website/content/docs/concepts/host-discovery/gcp.mdx index 29b349e4a3..8a94aeb616 100644 --- a/website/content/docs/concepts/host-discovery/gcp.mdx +++ b/website/content/docs/concepts/host-discovery/gcp.mdx @@ -279,14 +279,15 @@ Apply the following Terraform policy: scope_id = boundary_scope.project.id plugin_name = "gcp" + # recommended to pass in aws secrets using a file() or using environment variables attributes_json = jsonencode({ "zone" = "us-central1-a ", - "project_id" = var.gcp_project_id, - "client_email" = var.gcp_client_email, + "project_id" = "GCP_PROJECT_ID_VALUE", + "client_email" = "GCP_CLIENT_EMAIL_VALUE", "disable_credential_rotation" = true }) secrets_json = jsonencode({ - "private_key_id" = var.private_key_id, - "private_key" = var.private_key}) + "private_key_id" = "GCP_PRIVATE_KEY_ID_VALUE", + "private_key" = "GCP_PRIVATE_KEY_VALUE"}) } ``` 
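Review bot: The `zone` value on the context line of the GCP example (`@@ -279`) is `"us-central1-a "`, with a trailing space inside the quotes as the hunk renders here, and the commit edits the neighbouring lines without fixing it. The same value appears in `@@ -325` and `@@ -374`. A copied example would send the zone string with the space, which presumably fails to match any zone. Change it to `"zone" = "us-central1-a",` in all three examples.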
@@ -325,15 +326,16 @@ Apply the following Terraform policy: scope_id = boundary_scope.project.id plugin_name = "gcp" + # recommended to pass in aws secrets using a file() or using environment variables attributes_json = jsonencode({ "zone" = "us-central1-a ", - "project_id" = var.gcp_project_id, - "client_email" = var.gcp_base_service_account_email, - "target_service_account_id" = var.gcp_target_service_account_email, + "project_id" = "GCP_PROJECT_ID_VALUE", + "client_email" = "GCP_BASE_SERVICE_ACCOUNT_EMAIL_VALUE", + "target_service_account_id" = "GCP_TARGET_SERVICE_ACCOUNT_EMAIL_VALUE", "disable_credential_rotation" = true }) secrets_json = jsonencode({ - "private_key_id" = var.base_service_account_private_key_id, - "private_key" = var.base_service_account_private_key}) + "private_key_id" = "BASE_SERVICE_ACCOUNT_PRIVATE_KEY_ID_VALUE", + "private_key" = "BASE_SERVICE_ACCOUNT_PRIVATE_KEY_VALUE"}) } ``` @@ -374,9 +376,10 @@ Apply the following Terraform policy: scope_id = boundary_scope.project.id plugin_name = "gcp" + # recommended to pass in aws secrets using a file() or using environment variables attributes_json = jsonencode({ "zone" = "us-central1-a ", - "project_id" = var.gcp_project_id, + "project_id" = "GCP_PROJECT_ID_VALUE", "disable_credential_rotation" = true }) } ``` @@ -462,7 +465,7 @@ Apply the following Terraform policy: resource "boundary_host_set_plugin" "gcp_host_set" { name = "GCP Host Set" description = "GCP Host Set" - host_catalog_id = boundary_scope.gcp_host_catalog.id + host_catalog_id = boundary_host_catalog_plugin.gcp_host_catalog.id attributes_json = jsonencode({ "filters" = ["labels.env:prod", "labels.app:web"] }) }