fix idp_access_token_allowed_audiences type (#41)

wasaga · web-flow · commit 95c1df611e0a · 2025-02-24T16:48:04.000-05:00
1. fix schema for `idp_access_token_allowed_audiences` to match
underlying types.
2. regenerate the docs
diff --git a/docs/data-sources/route.md b/docs/data-sources/route.md
@@ -28,6 +28,7 @@ Route data source
 
 - `allow_spdy` (Boolean) Allow SPDY.
 - `allow_websockets` (Boolean) Allow websockets.
+- `bearer_token_format` (String) Bearer token format.
 - `description` (String) Description of the route.
 - `enable_google_cloud_serverless_authentication` (Boolean) Enable Google Cloud serverless authentication.
 - `from` (String) From URL.
@@ -36,6 +37,7 @@ Route data source
 - `host_rewrite` (String) Host rewrite.
 - `host_rewrite_header` (String) Host rewrite header.
 - `idle_timeout` (String) Idle timeout.
+- `idp_access_token_allowed_audiences` (Set of String) IDP access token allowed audiences.
 - `idp_client_id` (String) IDP client ID.
 - `idp_client_secret` (String) IDP client secret.
 - `kubernetes_service_account_token` (String) Kubernetes service account token.
diff --git a/docs/data-sources/routes.md b/docs/data-sources/routes.md
@@ -40,6 +40,7 @@ Read-Only:
 
 - `allow_spdy` (Boolean) Allow SPDY.
 - `allow_websockets` (Boolean) Allow websockets.
+- `bearer_token_format` (String) Bearer token format.
 - `description` (String) Description of the route.
 - `enable_google_cloud_serverless_authentication` (Boolean) Enable Google Cloud serverless authentication.
 - `from` (String) From URL.
@@ -49,6 +50,7 @@ Read-Only:
 - `host_rewrite_header` (String) Host rewrite header.
 - `id` (String) Unique identifier for the route.
 - `idle_timeout` (String) Idle timeout.
+- `idp_access_token_allowed_audiences` (Set of String) IDP access token allowed audiences.
 - `idp_client_id` (String) IDP client ID.
 - `idp_client_secret` (String) IDP client secret.
 - `kubernetes_service_account_token` (String) Kubernetes service account token.
diff --git a/docs/resources/route.md b/docs/resources/route.md
@@ -26,13 +26,15 @@ Route for Pomerium.
 
 - `allow_spdy` (Boolean) If applied, this setting enables Pomerium to proxy SPDY protocol upgrades.
 - `allow_websockets` (Boolean) If applied, this setting enables Pomerium to proxy websocket connections.
+- `bearer_token_format` (String) Bearer token format.
 - `description` (String) Description of the route.
 - `enable_google_cloud_serverless_authentication` (Boolean) Enable Google Cloud serverless authentication.
 - `host_path_regex_rewrite_pattern` (String) Rewrites the Host header according to a regular expression matching the path.
 - `host_path_regex_rewrite_substitution` (String) Rewrites the Host header according to a regular expression matching the substitution.
 - `host_rewrite` (String) Rewrites the Host header to a new literal value.
 - `host_rewrite_header` (String) Rewrites the Host header to match an incoming header value.
 - `idle_timeout` (String) Sets the time to terminate the upstream connection if there are no active streams. Defaults to 5 minutes.
+- `idp_access_token_allowed_audiences` (Set of String) IDP access token allowed audiences.
 - `idp_client_id` (String) IDP client ID.
 - `idp_client_secret` (String) IDP client secret.
 - `jwt_groups_filter` (Attributes) JWT Groups Filter (see [below for nested schema](#nestedatt--jwt_groups_filter))
diff --git a/docs/resources/settings.md b/docs/resources/settings.md
@@ -30,6 +30,7 @@ The settings are global object.
 - `autocert_dir` (String) Autocert directory is the path which Autocert will store x509 certificate data.
 - `autocert_must_staple` (Boolean) Controls whether the must-staple flag is enabled when requesting certificates.
 - `autocert_use_staging` (Boolean) Autocert Use Staging setting allows you to use Let's Encrypt's staging environment, which has more lenient usage limits than the production environment.
+- `bearer_token_format` (String) Bearer token format.
 - `cache_service_url` (String) Cache service URL
 - `certificate_authority` (String) Certificate authority
 - `certificate_authority_file` (String) Certificate authority file
@@ -66,6 +67,7 @@ The settings are global object.
 - `identity_provider_ping` (Attributes) Ping directory sync options (see [below for nested schema](#nestedatt--identity_provider_ping))
 - `identity_provider_refresh_interval` (String) Identity provider refresh interval
 - `identity_provider_refresh_timeout` (String) Identity provider refresh timeout
+- `idp_access_token_allowed_audiences` (Set of String) IDP access token allowed audiences.
 - `idp_client_id` (String) IDP client ID
 - `idp_client_secret` (String, Sensitive) IDP client secret
 - `idp_provider` (String) IDP provider
diff --git a/example/main.tf b/example/main.tf
@@ -56,6 +56,8 @@ resource "pomerium_settings" "settings" {
   jwt_groups_filter = {
     groups = ["id1", "id2"]
   }
+
+  idp_access_token_allowed_audiences = ["aud1", "aud2"]
 }
 
 resource "pomerium_service_account" "test_sa" {
@@ -141,6 +143,8 @@ resource "pomerium_route" "prefix_route" {
   allow_websockets      = true
   preserve_host_header  = true
   pass_identity_headers = true
+
+  idp_access_token_allowed_audiences = ["aud3", "aud4"]
 }
 
 # Example route with path matching
diff --git a/internal/provider/route.go b/internal/provider/route.go
@@ -261,7 +261,7 @@ func (r *RouteResource) Schema(_ context.Context, _ resource.SchemaRequest, resp
 					stringvalidator.OneOf("default", "idp_access_token", "idp_identity_token"),
 				},
 			},
-			"idp_access_token_allowed_audiences": schema.ListAttribute{
+			"idp_access_token_allowed_audiences": schema.SetAttribute{
 				Description: "IDP access token allowed audiences.",
 				Optional:    true,
 				ElementType: types.StringType,
diff --git a/internal/provider/route_data_source.go b/internal/provider/route_data_source.go
@@ -224,7 +224,7 @@ func getRouteDataSourceAttributes(idRequired bool) map[string]schema.Attribute {
 			Description: "Bearer token format.",
 			Computed:    true,
 		},
-		"idp_access_token_allowed_audiences": schema.ListAttribute{
+		"idp_access_token_allowed_audiences": schema.SetAttribute{
 			Description: "IDP access token allowed audiences.",
 			Computed:    true,
 			ElementType: types.StringType,
diff --git a/internal/provider/settings_schema.go b/internal/provider/settings_schema.go
@@ -457,7 +457,7 @@ var SettingsResourceSchema = schema.Schema{
 				stringvalidator.OneOf("default", "idp_access_token", "idp_identity_token"),
 			},
 		},
-		"idp_access_token_allowed_audiences": schema.ListAttribute{
+		"idp_access_token_allowed_audiences": schema.SetAttribute{
 			Description: "IDP access token allowed audiences.",
 			Optional:    true,
 			ElementType: types.StringType,

Original file line number	Diff line number	Diff line change
`@@ -56,6 +56,8 @@ resource "pomerium_settings" "settings" {`
`56`	`56`	`jwt_groups_filter = {`
`57`	`57`	`groups = ["id1", "id2"]`
`58`	`58`	`}`
	`59`	`+`
	`60`	`+ idp_access_token_allowed_audiences = ["aud1", "aud2"]`
`59`	`61`	`}`
`60`	`62`
`61`	`63`	`resource "pomerium_service_account" "test_sa" {`
`@@ -141,6 +143,8 @@ resource "pomerium_route" "prefix_route" {`
`141`	`143`	`allow_websockets = true`
`142`	`144`	`preserve_host_header = true`
`143`	`145`	`pass_identity_headers = true`
	`146`	`+`
	`147`	`+ idp_access_token_allowed_audiences = ["aud3", "aud4"]`
`144`	`148`	`}`
`145`	`149`
`146`	`150`	`# Example route with path matching`