ci: add pre-commit action, regenerate docs (#38)

adds pre-commit action to ensure the repo is tidy.

Author: wasaga

.github/workflows/pre-commit.yaml

@@ -0,0 +1,28 @@
+name: pre-commit
+
+on:
+  pull_request:
+
+jobs:
+  pre-commit:
+    runs-on: [ubuntu-latest]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+
+      - name: Setup Go
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34
+        with:
+          go-version: 1.23.x
+          cache: false
+
+      - name: Setup Python
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38
+        with:
+          python-version: "3.12"
+
+      - name: Setup Pre-Commit
+        run: python -m pip install pre-commit
+
+      - name: Run Pre-Commit
+        run: pre-commit run --show-diff-on-failure --color=always

.pre-commit-config.yaml

@@ -0,0 +1,20 @@
+repos:
+  - repo: local
+    hooks:
+      - id: docs
+        name: docs
+        language: system
+        entry: make docs
+        types: ["go"]
+      - id: go-mod-tidy
+        name: go-mod-tidy
+        language: system
+        entry: bash -c 'go mod tidy'
+        files: go\.mod|go\.sum$
+      - id: lint
+        name: lint
+        language: system
+        entry: make
+        args: ["lint"]
+        types: ["go"]
+        pass_filenames: false

docs/data-sources/policies.md

@@ -15,6 +15,15 @@ List all policies
 <!-- schema generated by tfplugindocs -->
 ## Schema
 
+### Optional
+
+- `limit` (Number) List limit.
+- `namespace_id` (String) Namespace to list policies in.
+- `offset` (Number) List offset.
+- `order_by` (String) List order by.
+- `query` (String) Query for policies.
+- `total_count` (Number) Total number of policies.
+
 ### Read-Only
 
 - `policies` (Attributes List) (see [below for nested schema](#nestedatt--policies))
@@ -24,7 +33,12 @@ List all policies
 
 Read-Only:
 
+- `description` (String) Description of the policy.
+- `enforced` (Boolean) Whether the policy is enforced within the namespace hierarchy.
+- `explanation` (String) Explanation of the policy.
 - `id` (String) Unique identifier for the policy.
 - `name` (String) Name of the policy.
 - `namespace_id` (String) ID of the namespace the policy belongs to.
 - `ppl` (String) Policy Policy Language (PPL) string.
+- `rego` (List of String) Rego policies.
+- `remediation` (String) Remediation of the policy.

docs/data-sources/policy.md

@@ -21,6 +21,11 @@ Policy for Pomerium.
 
 ### Read-Only
 
+- `description` (String) Description of the policy.
+- `enforced` (Boolean) Whether the policy is enforced within the namespace hierarchy.
+- `explanation` (String) Explanation of the policy.
 - `name` (String) Name of the policy.
 - `namespace_id` (String) ID of the namespace the policy belongs to.
 - `ppl` (String) Policy Policy Language (PPL) string.
+- `rego` (List of String) Rego policies.
+- `remediation` (String) Remediation of the policy.

docs/data-sources/route.md

@@ -19,10 +19,72 @@ Route data source
 
 - `id` (String) Unique identifier for the route.
 
+### Optional
+
+- `jwt_groups_filter` (Attributes) JWT Groups Filter (see [below for nested schema](#nestedatt--jwt_groups_filter))
+- `jwt_issuer_format` (String) Format for JWT issuer strings. Use 'IssuerHostOnly' for hostname without scheme or trailing slash, or 'IssuerURI' for complete URI including scheme and trailing slash.
+
 ### Read-Only
 
+- `allow_spdy` (Boolean) Allow SPDY.
+- `allow_websockets` (Boolean) Allow websockets.
+- `description` (String) Description of the route.
+- `enable_google_cloud_serverless_authentication` (Boolean) Enable Google Cloud serverless authentication.
 - `from` (String) From URL.
+- `host_path_regex_rewrite_pattern` (String) Host path regex rewrite pattern.
+- `host_path_regex_rewrite_substitution` (String) Host path regex rewrite substitution.
+- `host_rewrite` (String) Host rewrite.
+- `host_rewrite_header` (String) Host rewrite header.
+- `idle_timeout` (String) Idle timeout.
+- `idp_client_id` (String) IDP client ID.
+- `idp_client_secret` (String) IDP client secret.
+- `kubernetes_service_account_token` (String) Kubernetes service account token.
+- `kubernetes_service_account_token_file` (String) Path to the Kubernetes service account token file.
+- `logo_url` (String) URL to the logo image.
 - `name` (String) Name of the route.
 - `namespace_id` (String) ID of the namespace the route belongs to.
-- `policies` (List of String) List of policy IDs associated with the route.
-- `to` (List of String) To URLs.
+- `pass_identity_headers` (Boolean) Pass identity headers.
+- `path` (String) Path.
+- `policies` (Set of String) List of policy IDs associated with the route.
+- `prefix` (String) Prefix.
+- `prefix_rewrite` (String) Prefix rewrite.
+- `preserve_host_header` (Boolean) Preserve host header.
+- `regex` (String) Regex.
+- `regex_priority_order` (Number) Regex priority order.
+- `regex_rewrite_pattern` (String) Regex rewrite pattern.
+- `regex_rewrite_substitution` (String) Regex rewrite substitution.
+- `remove_request_headers` (Set of String) Remove request headers.
+- `rewrite_response_headers` (Attributes Set) Response header rewrite rules. (see [below for nested schema](#nestedatt--rewrite_response_headers))
+- `set_request_headers` (Map of String) Set request headers.
+- `set_response_headers` (Map of String) Set response headers.
+- `show_error_details` (Boolean) Show error details.
+- `stat_name` (String) Name of the stat.
+- `timeout` (String) Timeout.
+- `tls_client_key_pair_id` (String) Client key pair ID for TLS client authentication.
+- `tls_custom_ca_key_pair_id` (String) Custom CA key pair ID for TLS verification.
+- `tls_downstream_server_name` (String) TLS downstream server name.
+- `tls_skip_verify` (Boolean) TLS skip verify.
+- `tls_upstream_allow_renegotiation` (Boolean) TLS upstream allow renegotiation.
+- `tls_upstream_server_name` (String) TLS upstream server name.
+- `to` (Set of String) To URLs.
+
+<a id="nestedatt--jwt_groups_filter"></a>
+### Nested Schema for `jwt_groups_filter`
+
+Optional:
+
+- `groups` (Set of String) Group IDs to include
+- `infer_from_ppl` (Boolean)
+
+
+<a id="nestedatt--rewrite_response_headers"></a>
+### Nested Schema for `rewrite_response_headers`
+
+Required:
+
+- `header` (String) Header name to rewrite
+- `value` (String) New value for the header
+
+Optional:
+
+- `prefix` (String) Prefix matcher for the header

docs/data-sources/routes.md

@@ -15,18 +15,89 @@ List all routes
 <!-- schema generated by tfplugindocs -->
 ## Schema
 
+### Optional
+
+- `limit` (Number) List limit.
+- `namespace_id` (String) Namespace to list routes in.
+- `offset` (Number) List offset.
+- `order_by` (String) List order by.
+- `query` (String) Query for routes.
+- `total_count` (Number) Total number of routes.
+
 ### Read-Only
 
 - `routes` (Attributes List) (see [below for nested schema](#nestedatt--routes))
 
 <a id="nestedatt--routes"></a>
 ### Nested Schema for `routes`
 
+Optional:
+
+- `jwt_groups_filter` (Attributes) JWT Groups Filter (see [below for nested schema](#nestedatt--routes--jwt_groups_filter))
+- `jwt_issuer_format` (String) Format for JWT issuer strings. Use 'IssuerHostOnly' for hostname without scheme or trailing slash, or 'IssuerURI' for complete URI including scheme and trailing slash.
+
 Read-Only:
 
+- `allow_spdy` (Boolean) Allow SPDY.
+- `allow_websockets` (Boolean) Allow websockets.
+- `description` (String) Description of the route.
+- `enable_google_cloud_serverless_authentication` (Boolean) Enable Google Cloud serverless authentication.
 - `from` (String) From URL.
+- `host_path_regex_rewrite_pattern` (String) Host path regex rewrite pattern.
+- `host_path_regex_rewrite_substitution` (String) Host path regex rewrite substitution.
+- `host_rewrite` (String) Host rewrite.
+- `host_rewrite_header` (String) Host rewrite header.
 - `id` (String) Unique identifier for the route.
+- `idle_timeout` (String) Idle timeout.
+- `idp_client_id` (String) IDP client ID.
+- `idp_client_secret` (String) IDP client secret.
+- `kubernetes_service_account_token` (String) Kubernetes service account token.
+- `kubernetes_service_account_token_file` (String) Path to the Kubernetes service account token file.
+- `logo_url` (String) URL to the logo image.
 - `name` (String) Name of the route.
 - `namespace_id` (String) ID of the namespace the route belongs to.
-- `policies` (List of String) List of policy IDs associated with the route.
-- `to` (List of String) To URLs.
+- `pass_identity_headers` (Boolean) Pass identity headers.
+- `path` (String) Path.
+- `policies` (Set of String) List of policy IDs associated with the route.
+- `prefix` (String) Prefix.
+- `prefix_rewrite` (String) Prefix rewrite.
+- `preserve_host_header` (Boolean) Preserve host header.
+- `regex` (String) Regex.
+- `regex_priority_order` (Number) Regex priority order.
+- `regex_rewrite_pattern` (String) Regex rewrite pattern.
+- `regex_rewrite_substitution` (String) Regex rewrite substitution.
+- `remove_request_headers` (Set of String) Remove request headers.
+- `rewrite_response_headers` (Attributes Set) Response header rewrite rules. (see [below for nested schema](#nestedatt--routes--rewrite_response_headers))
+- `set_request_headers` (Map of String) Set request headers.
+- `set_response_headers` (Map of String) Set response headers.
+- `show_error_details` (Boolean) Show error details.
+- `stat_name` (String) Name of the stat.
+- `timeout` (String) Timeout.
+- `tls_client_key_pair_id` (String) Client key pair ID for TLS client authentication.
+- `tls_custom_ca_key_pair_id` (String) Custom CA key pair ID for TLS verification.
+- `tls_downstream_server_name` (String) TLS downstream server name.
+- `tls_skip_verify` (Boolean) TLS skip verify.
+- `tls_upstream_allow_renegotiation` (Boolean) TLS upstream allow renegotiation.
+- `tls_upstream_server_name` (String) TLS upstream server name.
+- `to` (Set of String) To URLs.
+
+<a id="nestedatt--routes--jwt_groups_filter"></a>
+### Nested Schema for `routes.jwt_groups_filter`
+
+Optional:
+
+- `groups` (Set of String) Group IDs to include
+- `infer_from_ppl` (Boolean)
+
+
+<a id="nestedatt--routes--rewrite_response_headers"></a>
+### Nested Schema for `routes.rewrite_response_headers`
+
+Required:
+
+- `header` (String) Header name to rewrite
+- `value` (String) New value for the header
+
+Optional:
+
+- `prefix` (String) Prefix matcher for the header

docs/data-sources/service_accounts.md

@@ -15,6 +15,10 @@ List all service accounts
 <!-- schema generated by tfplugindocs -->
 ## Schema
 
+### Optional
+
+- `namespace_id` (String) Namespace of the service accounts.
+
 ### Read-Only
 
 - `service_accounts` (Attributes List) (see [below for nested schema](#nestedatt--service_accounts))

docs/index.md

@@ -3,12 +3,117 @@
 page_title: "pomerium Provider"
 subcategory: ""
 description: |-
+  Pomerium Provider
+  The Pomerium provider enables management of Pomerium Enterprise resources through Terraform. It provides resources and data sources for managing policies, routes, namespaces, and other Pomerium Enterprise features.
+  Example Usage
   
+  terraform {
+    required_providers {
+      pomerium = {
+        source  = "pomerium/pomerium"
+        version = "~> 0.0.7"
+      }
+    }
+  }
+  
+  provider "pomerium" {
+    api_url      = "https://console-api.your-domain.com"
+    # Choose one authentication method:
+    service_account_token = var.pomerium_service_account_token
+    # shared_secret_b64   = var.shared_secret_b64
+  }
+  
+  Authentication Methods
+  The provider supports two authentication methods:
+  Service Account Token (Recommended)
+  Uses a Pomerium Enterprise Service Account token for authentication. This method provides fine-grained access control at the namespace level.
+  
+  provider "pomerium" {
+    api_url               = "https://console-api.your-domain.com"
+    service_account_token = var.pomerium_service_account_token
+  }
+  
+  Bootstrap Service Account
+  Uses the Enterprise Console's shared secret for authentication. Requires BOOTSTRAP_SERVICE_ACCOUNT=true in the Enterprise Console configuration.
+  
+  provider "pomerium" {
+    api_url          = "https://console-api.your-domain.com"
+    shared_secret_b64 = var.shared_secret_b64
+  }
+  
+  Schema
+  Required
+  api_url (String) - The URL of your Pomerium Enterprise Console API endpoint.
+  Optional
+  service_account_token (String, Sensitive) - A Pomerium Enterprise Service Account token. Mutually exclusive with shared_secret_b64.shared_secret_b64 (String, Sensitive) - The base64-encoded shared secret from your Pomerium Enterprise Console. Mutually exclusive with service_account_token.tls_insecure_skip_verify (Boolean) - Skip TLS certificate verification. Should only be used in testing environments.
+  ~> Note: You must specify either service_account_token or shared_secret_b64, but not both.
 ---
 
 # pomerium Provider
 
+# Pomerium Provider
+
+The Pomerium provider enables management of Pomerium Enterprise resources through Terraform. It provides resources and data sources for managing policies, routes, namespaces, and other Pomerium Enterprise features.
+
+## Example Usage
+
+```terraform
+terraform {
+  required_providers {
+    pomerium = {
+      source  = "pomerium/pomerium"
+      version = "~> 0.0.7"
+    }
+  }
+}
+
+provider "pomerium" {
+  api_url      = "https://console-api.your-domain.com"
+  # Choose one authentication method:
+  service_account_token = var.pomerium_service_account_token
+  # shared_secret_b64   = var.shared_secret_b64
+}
+```
+
+## Authentication Methods
+
+The provider supports two authentication methods:
+
+### Service Account Token (Recommended)
+
+Uses a Pomerium Enterprise Service Account token for authentication. This method provides fine-grained access control at the namespace level.
+
+```terraform
+provider "pomerium" {
+  api_url               = "https://console-api.your-domain.com"
+  service_account_token = var.pomerium_service_account_token
+}
+```
+
+### Bootstrap Service Account
+
+Uses the Enterprise Console's shared secret for authentication. Requires `BOOTSTRAP_SERVICE_ACCOUNT=true` in the Enterprise Console configuration.
+
+```terraform
+provider "pomerium" {
+  api_url          = "https://console-api.your-domain.com"
+  shared_secret_b64 = var.shared_secret_b64
+}
+```
+
+## Schema
+
+### Required
+
+- `api_url` (String) - The URL of your Pomerium Enterprise Console API endpoint.
+
+### Optional
+
+- `service_account_token` (String, Sensitive) - A Pomerium Enterprise Service Account token. Mutually exclusive with `shared_secret_b64`.
+- `shared_secret_b64` (String, Sensitive) - The base64-encoded shared secret from your Pomerium Enterprise Console. Mutually exclusive with `service_account_token`.
+- `tls_insecure_skip_verify` (Boolean) - Skip TLS certificate verification. Should only be used in testing environments.
 
+~> **Note:** You must specify either `service_account_token` or `shared_secret_b64`, but not both.