update docs

wasaga · wasaga · commit f567c6811577 · 2025-02-24T15:54:52.000-05:00
diff --git a/content/docs/deploy/enterprise/configure-terraform.md b/content/docs/deploy/enterprise/configure-terraform.md
@@ -15,7 +15,12 @@ keywords:
 
 # Configure with Terraform
 
-Pomerium Enterprise can be configured and managed using Terraform through our official provider. This enables you to manage your Pomerium Enterprise resources as infrastructure as code, making it easier to version, review, and automate your configuration changes.
+Pomerium Enterprise can be configured and managed using Terraform through the [official Pomerium provider](https://registry.terraform.io/providers/pomerium/pomerium/latest/docs). This enables you to manage your Pomerium Enterprise resources as infrastructure as code, making it easier to version, review, and automate your configuration changes.
+
+## Prerequisites
+
+- Pomerium Enterprise must be running first
+- Console API must be accessible
 
 ## Provider Configuration
 
@@ -39,9 +44,9 @@ provider "pomerium" {
 
 ## Authentication Methods
 
-The provider supports two authentication methods:
+The provider supports one of the two authentication methods:
 
-### 1. Service Account Token (Recommended)
+### 1. Service Account Token
 
 This method uses a [Pomerium Enterprise Service Account](/docs/capabilities/service-accounts) and provides fine-grained access control at the namespace level:
 
@@ -52,9 +57,18 @@ provider "pomerium" {
 }
 ```
 
+The Pomerium API route should authorize the relative pomerium service account access:
+
+```yaml
+- allow:
+    or:
+      - user:
+          is: 'bootstrap-014e587b-3f4b-4fcf-90a9-f6ecdf8154af.pomerium'
+```
+
 ### 2. Bootstrap Service Account
 
-This method requires enabling bootstrap service accounts in your Enterprise Console:
+This method requires enabling bootstrap service accounts in your Enterprise Console. It may be used if you wish to configure Pomerium Enterprise part of the installation process, without accessing its UI to create a new service account.
 
 ```hcl
 provider "pomerium" {
@@ -63,6 +77,15 @@ provider "pomerium" {
 }
 ```
 
+The Pomerium API route should have the following policy, with the special bootstrap service account user ID.
+
+```yaml
+- allow:
+    or:
+      - user:
+          is: 'bootstrap-014e587b-3f4b-4fcf-90a9-f6ecdf8154af.pomerium'
+```
+
 :::warning
 
 The Bootstrap Service Account method requires setting `BOOTSTRAP_SERVICE_ACCOUNT=true` in your Enterprise Console configuration.
@@ -103,6 +126,6 @@ The Bootstrap Service Account method requires setting `BOOTSTRAP_SERVICE_ACCOUNT
 ## Next Steps
 
 - [Provider Documentation](https://registry.terraform.io/providers/pomerium/pomerium/latest/docs)
-- [Example Configurations](https://github.com/pomerium/enterprise-terraform-provider/tree/main/examples)
+- [Example Configurations](https://github.com/pomerium/enterprise-terraform-provider/tree/main/example)
 - [Enterprise API Reference](/docs/internals/management-api-enterprise)
 - [Service Accounts](/docs/capabilities/service-accounts)
