diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
new file mode 100644
index 0000000..d6e8bb2
--- /dev/null
+++ b/.github/workflows/pre-commit.yaml
@@ -0,0 +1,28 @@
+name: pre-commit
+
+on:
+ pull_request:
+
+jobs:
+ pre-commit:
+ runs-on: [ubuntu-latest]
+ steps:
+ - name: Checkout
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+
+ - name: Setup Go
+ uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34
+ with:
+ go-version: 1.23.x
+ cache: false
+
+ - name: Setup Python
+ uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38
+ with:
+ python-version: "3.12"
+
+ - name: Setup Pre-Commit
+ run: python -m pip install pre-commit
+
+ - name: Run Pre-Commit
+ run: pre-commit run --show-diff-on-failure --color=always
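Review bot: `pre-commit run` on the last line only runs hooks against staged files, and a fresh `actions/checkout` stages nothing, so in this job the docs, go-mod-tidy and lint hooks see an empty file list and the check passes vacuously; change it to `pre-commit run --all-files --show-diff-on-failure --color=always` (or scope it to the PR with `--from-ref ${{ github.event.pull_request.base.sha }} --to-ref ${{ github.event.pull_request.head.sha }}`). The workflow declares no `permissions:` block, so the job token keeps whatever the repository default is; nothing here writes, so add `permissions:` / `  contents: read` at the top level. Pinning the three actions to full commit SHAs is the right supply-chain choice, but each pin should carry a trailing `# vX.Y.Z` comment so reviewers and update bots can tell what it resolves to. `python -m pip install pre-commit` is unpinned, so a new pre-commit release can change what this check does between runs; pin it (`pre-commit==<version>`, or a hashed requirements file) the same way the actions are pinned.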
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..122d9f7
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,20 @@
+repos:
+ - repo: local
+ hooks:
+ - id: docs
+ name: docs
+ language: system
+ entry: make docs
+ types: ["go"]
+ - id: go-mod-tidy
+ name: go-mod-tidy
+ language: system
+ entry: bash -c 'go mod tidy'
+ files: go\.mod|go\.sum$
+ - id: lint
+ name: lint
+ language: system
+ entry: make
+ args: ["lint"]
+ types: ["go"]
+ pass_filenames: false
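Review bot: The `docs` hook lacks `pass_filenames: false`, so pre-commit appends every matched `.go` path to `entry: make docs` and make treats those paths as extra targets; this only works by accident (an existing file with no rule is "nothing to be done") and breaks silently if a `.go` path ever coincides with a Makefile target. Add `pass_filenames: false` under `docs` as `lint` already has, and under `go-mod-tidy` too, where the file names currently become ignored positional parameters of `bash -c 'go mod tidy'` (the shell wrapper adds nothing over `entry: go mod tidy`). The pattern `files: go\.mod|go\.sum$` is unanchored at the start and the `$` binds only to `go\.sum`, so any path containing `go.mod` (e.g. `foo/go.mod.bak`) triggers the hook; `files: ^(go\.mod|go\.sum)$` is presumably what was intended. Since these are `language: system` hooks, the CI job is only as trustworthy as the `make`, `go` and `bash` on the runner's PATH, which is acceptable for a hosted runner but worth a one-line comment noting the assumption.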
diff --git a/docs/data-sources/policies.md b/docs/data-sources/policies.md
index bdedc89..4d64402 100644
--- a/docs/data-sources/policies.md
+++ b/docs/data-sources/policies.md
@@ -15,6 +15,15 @@ List all policies
## Schema
+### Optional
+
+- `limit` (Number) List limit.
+- `namespace_id` (String) Namespace to list policies in.
+- `offset` (Number) List offset.
+- `order_by` (String) List order by.
+- `query` (String) Query for policies.
+- `total_count` (Number) Total number of policies.
+
### Read-Only
- `policies` (Attributes List) (see [below for nested schema](#nestedatt--policies))
@@ -24,7 +33,12 @@ List all policies
Read-Only:
+- `description` (String) Description of the policy.
+- `enforced` (Boolean) Whether the policy is enforced within the namespace hierarchy.
+- `explanation` (String) Explanation of the policy.
- `id` (String) Unique identifier for the policy.
- `name` (String) Name of the policy.
- `namespace_id` (String) ID of the namespace the policy belongs to.
- `ppl` (String) Policy Policy Language (PPL) string.
+- `rego` (List of String) Rego policies.
+- `remediation` (String) Remediation of the policy.
diff --git a/docs/data-sources/policy.md b/docs/data-sources/policy.md
index 6a90296..890e331 100644
--- a/docs/data-sources/policy.md
+++ b/docs/data-sources/policy.md
@@ -21,6 +21,11 @@ Policy for Pomerium.
### Read-Only
+- `description` (String) Description of the policy.
+- `enforced` (Boolean) Whether the policy is enforced within the namespace hierarchy.
+- `explanation` (String) Explanation of the policy.
- `name` (String) Name of the policy.
- `namespace_id` (String) ID of the namespace the policy belongs to.
- `ppl` (String) Policy Policy Language (PPL) string.
+- `rego` (List of String) Rego policies.
+- `remediation` (String) Remediation of the policy.
diff --git a/docs/data-sources/route.md b/docs/data-sources/route.md
index 9c8d274..bef4770 100644
--- a/docs/data-sources/route.md
+++ b/docs/data-sources/route.md
@@ -19,10 +19,72 @@ Route data source
- `id` (String) Unique identifier for the route.
+### Optional
+
+- `jwt_groups_filter` (Attributes) JWT Groups Filter (see [below for nested schema](#nestedatt--jwt_groups_filter))
+- `jwt_issuer_format` (String) Format for JWT issuer strings. Use 'IssuerHostOnly' for hostname without scheme or trailing slash, or 'IssuerURI' for complete URI including scheme and trailing slash.
+
### Read-Only
+- `allow_spdy` (Boolean) Allow SPDY.
+- `allow_websockets` (Boolean) Allow websockets.
+- `description` (String) Description of the route.
+- `enable_google_cloud_serverless_authentication` (Boolean) Enable Google Cloud serverless authentication.
- `from` (String) From URL.
+- `host_path_regex_rewrite_pattern` (String) Host path regex rewrite pattern.
+- `host_path_regex_rewrite_substitution` (String) Host path regex rewrite substitution.
+- `host_rewrite` (String) Host rewrite.
+- `host_rewrite_header` (String) Host rewrite header.
+- `idle_timeout` (String) Idle timeout.
+- `idp_client_id` (String) IDP client ID.
+- `idp_client_secret` (String) IDP client secret.
+- `kubernetes_service_account_token` (String) Kubernetes service account token.
+- `kubernetes_service_account_token_file` (String) Path to the Kubernetes service account token file.
+- `logo_url` (String) URL to the logo image.
- `name` (String) Name of the route.
- `namespace_id` (String) ID of the namespace the route belongs to.
-- `policies` (List of String) List of policy IDs associated with the route.
-- `to` (List of String) To URLs.
+- `pass_identity_headers` (Boolean) Pass identity headers.
+- `path` (String) Path.
+- `policies` (Set of String) List of policy IDs associated with the route.
+- `prefix` (String) Prefix.
+- `prefix_rewrite` (String) Prefix rewrite.
+- `preserve_host_header` (Boolean) Preserve host header.
+- `regex` (String) Regex.
+- `regex_priority_order` (Number) Regex priority order.
+- `regex_rewrite_pattern` (String) Regex rewrite pattern.
+- `regex_rewrite_substitution` (String) Regex rewrite substitution.
+- `remove_request_headers` (Set of String) Remove request headers.
+- `rewrite_response_headers` (Attributes Set) Response header rewrite rules. (see [below for nested schema](#nestedatt--rewrite_response_headers))
+- `set_request_headers` (Map of String) Set request headers.
+- `set_response_headers` (Map of String) Set response headers.
+- `show_error_details` (Boolean) Show error details.
+- `stat_name` (String) Name of the stat.
+- `timeout` (String) Timeout.
+- `tls_client_key_pair_id` (String) Client key pair ID for TLS client authentication.
+- `tls_custom_ca_key_pair_id` (String) Custom CA key pair ID for TLS verification.
+- `tls_downstream_server_name` (String) TLS downstream server name.
+- `tls_skip_verify` (Boolean) TLS skip verify.
+- `tls_upstream_allow_renegotiation` (Boolean) TLS upstream allow renegotiation.
+- `tls_upstream_server_name` (String) TLS upstream server name.
+- `to` (Set of String) To URLs.
+
+
+### Nested Schema for `jwt_groups_filter`
+
+Optional:
+
+- `groups` (Set of String) Group IDs to include
+- `infer_from_ppl` (Boolean)
+
+
+
+### Nested Schema for `rewrite_response_headers`
+
+Required:
+
+- `header` (String) Header name to rewrite
+- `value` (String) New value for the header
+
+Optional:
+
+- `prefix` (String) Prefix matcher for the header
diff --git a/docs/data-sources/routes.md b/docs/data-sources/routes.md
index ccb36f3..e532810 100644
--- a/docs/data-sources/routes.md
+++ b/docs/data-sources/routes.md
@@ -15,6 +15,15 @@ List all routes
## Schema
+### Optional
+
+- `limit` (Number) List limit.
+- `namespace_id` (String) Namespace to list routes in.
+- `offset` (Number) List offset.
+- `order_by` (String) List order by.
+- `query` (String) Query for routes.
+- `total_count` (Number) Total number of routes.
+
### Read-Only
- `routes` (Attributes List) (see [below for nested schema](#nestedatt--routes))
@@ -22,11 +31,73 @@ List all routes
### Nested Schema for `routes`
+Optional:
+
+- `jwt_groups_filter` (Attributes) JWT Groups Filter (see [below for nested schema](#nestedatt--routes--jwt_groups_filter))
+- `jwt_issuer_format` (String) Format for JWT issuer strings. Use 'IssuerHostOnly' for hostname without scheme or trailing slash, or 'IssuerURI' for complete URI including scheme and trailing slash.
+
Read-Only:
+- `allow_spdy` (Boolean) Allow SPDY.
+- `allow_websockets` (Boolean) Allow websockets.
+- `description` (String) Description of the route.
+- `enable_google_cloud_serverless_authentication` (Boolean) Enable Google Cloud serverless authentication.
- `from` (String) From URL.
+- `host_path_regex_rewrite_pattern` (String) Host path regex rewrite pattern.
+- `host_path_regex_rewrite_substitution` (String) Host path regex rewrite substitution.
+- `host_rewrite` (String) Host rewrite.
+- `host_rewrite_header` (String) Host rewrite header.
- `id` (String) Unique identifier for the route.
+- `idle_timeout` (String) Idle timeout.
+- `idp_client_id` (String) IDP client ID.
+- `idp_client_secret` (String) IDP client secret.
+- `kubernetes_service_account_token` (String) Kubernetes service account token.
+- `kubernetes_service_account_token_file` (String) Path to the Kubernetes service account token file.
+- `logo_url` (String) URL to the logo image.
- `name` (String) Name of the route.
- `namespace_id` (String) ID of the namespace the route belongs to.
-- `policies` (List of String) List of policy IDs associated with the route.
-- `to` (List of String) To URLs.
+- `pass_identity_headers` (Boolean) Pass identity headers.
+- `path` (String) Path.
+- `policies` (Set of String) List of policy IDs associated with the route.
+- `prefix` (String) Prefix.
+- `prefix_rewrite` (String) Prefix rewrite.
+- `preserve_host_header` (Boolean) Preserve host header.
+- `regex` (String) Regex.
+- `regex_priority_order` (Number) Regex priority order.
+- `regex_rewrite_pattern` (String) Regex rewrite pattern.
+- `regex_rewrite_substitution` (String) Regex rewrite substitution.
+- `remove_request_headers` (Set of String) Remove request headers.
+- `rewrite_response_headers` (Attributes Set) Response header rewrite rules. (see [below for nested schema](#nestedatt--routes--rewrite_response_headers))
+- `set_request_headers` (Map of String) Set request headers.
+- `set_response_headers` (Map of String) Set response headers.
+- `show_error_details` (Boolean) Show error details.
+- `stat_name` (String) Name of the stat.
+- `timeout` (String) Timeout.
+- `tls_client_key_pair_id` (String) Client key pair ID for TLS client authentication.
+- `tls_custom_ca_key_pair_id` (String) Custom CA key pair ID for TLS verification.
+- `tls_downstream_server_name` (String) TLS downstream server name.
+- `tls_skip_verify` (Boolean) TLS skip verify.
+- `tls_upstream_allow_renegotiation` (Boolean) TLS upstream allow renegotiation.
+- `tls_upstream_server_name` (String) TLS upstream server name.
+- `to` (Set of String) To URLs.
+
+
+### Nested Schema for `routes.jwt_groups_filter`
+
+Optional:
+
+- `groups` (Set of String) Group IDs to include
+- `infer_from_ppl` (Boolean)
+
+
+
+### Nested Schema for `routes.rewrite_response_headers`
+
+Required:
+
+- `header` (String) Header name to rewrite
+- `value` (String) New value for the header
+
+Optional:
+
+- `prefix` (String) Prefix matcher for the header
diff --git a/docs/data-sources/service_accounts.md b/docs/data-sources/service_accounts.md
index b39d408..611cbff 100644
--- a/docs/data-sources/service_accounts.md
+++ b/docs/data-sources/service_accounts.md
@@ -15,6 +15,10 @@ List all service accounts
## Schema
+### Optional
+
+- `namespace_id` (String) Namespace of the service accounts.
+
### Read-Only
- `service_accounts` (Attributes List) (see [below for nested schema](#nestedatt--service_accounts))
diff --git a/docs/index.md b/docs/index.md
index 44baa1e..012fabe 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -3,12 +3,117 @@
page_title: "pomerium Provider"
subcategory: ""
description: |-
+ Pomerium Provider
+ The Pomerium provider enables management of Pomerium Enterprise resources through Terraform. It provides resources and data sources for managing policies, routes, namespaces, and other Pomerium Enterprise features.
+ Example Usage
+ terraform {
+ required_providers {
+ pomerium = {
+ source = "pomerium/pomerium"
+ version = "~> 0.0.7"
+ }
+ }
+ }
+
+ provider "pomerium" {
+ api_url = "https://console-api.your-domain.com"
+ # Choose one authentication method:
+ service_account_token = var.pomerium_service_account_token
+ # shared_secret_b64 = var.shared_secret_b64
+ }
+
+ Authentication Methods
+ The provider supports two authentication methods:
+ Service Account Token (Recommended)
+ Uses a Pomerium Enterprise Service Account token for authentication. This method provides fine-grained access control at the namespace level.
+
+ provider "pomerium" {
+ api_url = "https://console-api.your-domain.com"
+ service_account_token = var.pomerium_service_account_token
+ }
+
+ Bootstrap Service Account
+ Uses the Enterprise Console's shared secret for authentication. Requires BOOTSTRAP_SERVICE_ACCOUNT=true in the Enterprise Console configuration.
+
+ provider "pomerium" {
+ api_url = "https://console-api.your-domain.com"
+ shared_secret_b64 = var.shared_secret_b64
+ }
+
+ Schema
+ Required
+ api_url (String) - The URL of your Pomerium Enterprise Console API endpoint.
+ Optional
+ service_account_token (String, Sensitive) - A Pomerium Enterprise Service Account token. Mutually exclusive with shared_secret_b64.shared_secret_b64 (String, Sensitive) - The base64-encoded shared secret from your Pomerium Enterprise Console. Mutually exclusive with service_account_token.tls_insecure_skip_verify (Boolean) - Skip TLS certificate verification. Should only be used in testing environments.
+ ~> Note: You must specify either service_account_token or shared_secret_b64, but not both.
---
# pomerium Provider
+# Pomerium Provider
+
+The Pomerium provider enables management of Pomerium Enterprise resources through Terraform. It provides resources and data sources for managing policies, routes, namespaces, and other Pomerium Enterprise features.
+
+## Example Usage
+
+```terraform
+terraform {
+ required_providers {
+ pomerium = {
+ source = "pomerium/pomerium"
+ version = "~> 0.0.7"
+ }
+ }
+}
+
+provider "pomerium" {
+ api_url = "https://console-api.your-domain.com"
+ # Choose one authentication method:
+ service_account_token = var.pomerium_service_account_token
+ # shared_secret_b64 = var.shared_secret_b64
+}
+```
+
+## Authentication Methods
+
+The provider supports two authentication methods:
+
+### Service Account Token (Recommended)
+
+Uses a Pomerium Enterprise Service Account token for authentication. This method provides fine-grained access control at the namespace level.
+
+```terraform
+provider "pomerium" {
+ api_url = "https://console-api.your-domain.com"
+ service_account_token = var.pomerium_service_account_token
+}
+```
+
+### Bootstrap Service Account
+
+Uses the Enterprise Console's shared secret for authentication. Requires `BOOTSTRAP_SERVICE_ACCOUNT=true` in the Enterprise Console configuration.
+
+```terraform
+provider "pomerium" {
+ api_url = "https://console-api.your-domain.com"
+ shared_secret_b64 = var.shared_secret_b64
+}
+```
+
+## Schema
+
+### Required
+
+- `api_url` (String) - The URL of your Pomerium Enterprise Console API endpoint.
+
+### Optional
+
+- `service_account_token` (String, Sensitive) - A Pomerium Enterprise Service Account token. Mutually exclusive with `shared_secret_b64`.
+- `shared_secret_b64` (String, Sensitive) - The base64-encoded shared secret from your Pomerium Enterprise Console. Mutually exclusive with `service_account_token`.
+- `tls_insecure_skip_verify` (Boolean) - Skip TLS certificate verification. Should only be used in testing environments.
+~> **Note:** You must specify either `service_account_token` or `shared_secret_b64`, but not both.
diff --git a/docs/resources/route.md b/docs/resources/route.md
index eb8f395..7250222 100644
--- a/docs/resources/route.md
+++ b/docs/resources/route.md
@@ -17,44 +17,74 @@ Route for Pomerium.
### Required
-- `from` (String) From URL.
+- `from` (String) The external URL for a proxied request. Must contain a scheme and Hostname, must not contain a path.
- `name` (String) Name of the route.
- `namespace_id` (String) ID of the namespace the route belongs to.
-- `to` (List of String) To URLs.
+- `to` (Set of String) The destination(s) of a proxied request. Must contain a scheme and Hostname, with an optional weight.
### Optional
-- `allow_spdy` (Boolean) Allow SPDY.
-- `allow_websockets` (Boolean) Allow websockets.
-- `host_path_regex_rewrite_pattern` (String) Host path regex rewrite pattern.
-- `host_path_regex_rewrite_substitution` (String) Host path regex rewrite substitution.
-- `host_rewrite` (String) Host rewrite.
-- `host_rewrite_header` (String) Host rewrite header.
-- `idle_timeout` (String) Idle timeout.
+- `allow_spdy` (Boolean) If applied, this setting enables Pomerium to proxy SPDY protocol upgrades.
+- `allow_websockets` (Boolean) If applied, this setting enables Pomerium to proxy websocket connections.
+- `description` (String) Description of the route.
+- `enable_google_cloud_serverless_authentication` (Boolean) Enable Google Cloud serverless authentication.
+- `host_path_regex_rewrite_pattern` (String) Rewrites the Host header according to a regular expression matching the path.
+- `host_path_regex_rewrite_substitution` (String) Rewrites the Host header according to a regular expression matching the substitution.
+- `host_rewrite` (String) Rewrites the Host header to a new literal value.
+- `host_rewrite_header` (String) Rewrites the Host header to match an incoming header value.
+- `idle_timeout` (String) Sets the time to terminate the upstream connection if there are no active streams. Defaults to 5 minutes.
- `idp_client_id` (String) IDP client ID.
- `idp_client_secret` (String) IDP client secret.
+- `jwt_groups_filter` (Attributes) JWT Groups Filter (see [below for nested schema](#nestedatt--jwt_groups_filter))
+- `jwt_issuer_format` (String) Format for JWT issuer strings. Use 'IssuerHostOnly' for hostname without scheme or trailing slash, or 'IssuerURI' for complete URI including scheme and trailing slash.
- `kubernetes_service_account_token` (String) Kubernetes service account token.
-- `pass_identity_headers` (Boolean) Pass identity headers.
-- `path` (String) Path.
-- `policies` (List of String) List of policy IDs associated with the route.
-- `prefix` (String) Prefix.
-- `prefix_rewrite` (String) Prefix rewrite.
-- `preserve_host_header` (Boolean) Preserve host header.
-- `regex` (String) Regex.
+- `kubernetes_service_account_token_file` (String) Path to the Kubernetes service account token file.
+- `logo_url` (String) URL to the logo image.
+- `pass_identity_headers` (Boolean) If applied, passes X-Pomerium-Jwt-Assertion header and JWT Claims Headers to the upstream application.
+- `path` (String) Matches incoming requests with a path that is an exact match for the specified path.
+- `policies` (Set of String) List of policy IDs associated with the route.
+- `prefix` (String) Matches incoming requests with a path that begins with the specified prefix.
+- `prefix_rewrite` (String) While forwarding a request, Prefix Rewrite swaps the matched prefix (or path) with the specified value.
+- `preserve_host_header` (Boolean) Passes the host header from the incoming request to the proxied host, instead of the destination hostname.
+- `regex` (String) Matches incoming requests with a path that matches the specified regular expression.
- `regex_priority_order` (Number) Regex priority order.
-- `regex_rewrite_pattern` (String) Regex rewrite pattern.
-- `regex_rewrite_substitution` (String) Regex rewrite substitution.
-- `remove_request_headers` (List of String) Remove request headers.
-- `set_request_headers` (Map of String) Set request headers.
-- `set_response_headers` (Map of String) Set response headers.
-- `show_error_details` (Boolean) Show error details.
+- `regex_rewrite_pattern` (String) Rewrites the URL path according to the regex rewrite pattern.
+- `regex_rewrite_substitution` (String) Rewrites the URL path according to the regex rewrite substitution.
+- `remove_request_headers` (Set of String) Removes given request headers so they do not reach the upstream server.
+- `rewrite_response_headers` (Attributes Set) Modifies response headers before they are returned to the client. 'Header' matches the HTTP header name; 'prefix' will be replaced with 'value'. (see [below for nested schema](#nestedatt--rewrite_response_headers))
+- `set_request_headers` (Map of String) Sets static and dynamic values for given request headers. Available substitutions: ${pomerium.id_token}, ${pomerium.access_token}, ${pomerium.client_cert_fingerprint}.
+- `set_response_headers` (Map of String) Sets static HTTP Response Header values for a route. These headers take precedence over globally set response headers.
+- `show_error_details` (Boolean) If applied, shows error details, including policy explanation and remediation for 403 Forbidden responses.
- `stat_name` (String) Name of the stat.
-- `timeout` (String) Timeout.
+- `timeout` (String) Sets the per-route timeout value. Cannot exceed global timeout values. Defaults to 30 seconds.
+- `tls_client_key_pair_id` (String) Client key pair ID for TLS client authentication.
+- `tls_custom_ca_key_pair_id` (String) Custom CA key pair ID for TLS verification.
- `tls_downstream_server_name` (String) TLS downstream server name.
-- `tls_skip_verify` (Boolean) TLS skip verify.
+- `tls_skip_verify` (Boolean) If applied, Pomerium accepts any certificate presented by the upstream server and any Hostname in that certificate. Use for testing only.
- `tls_upstream_allow_renegotiation` (Boolean) TLS upstream allow renegotiation.
-- `tls_upstream_server_name` (String) TLS upstream server name.
+- `tls_upstream_server_name` (String) This server name overrides the Hostname in the 'To:' field, and will be used to verify the certificate name.
### Read-Only
- `id` (String) Unique identifier for the route.
+
+
+### Nested Schema for `jwt_groups_filter`
+
+Optional:
+
+- `groups` (Set of String) Group IDs to include
+- `infer_from_ppl` (Boolean)
+
+
+
+### Nested Schema for `rewrite_response_headers`
+
+Required:
+
+- `header` (String) Header name to rewrite
+- `value` (String) New value for the header
+
+Optional:
+
+- `prefix` (String) Prefix matcher for the header
diff --git a/docs/resources/service_account.md b/docs/resources/service_account.md
index aece3de..59bd8b3 100644
--- a/docs/resources/service_account.md
+++ b/docs/resources/service_account.md
@@ -15,17 +15,15 @@ Service Account for Pomerium.
## Schema
-### Required
-
-- `name` (String) Name of the service account.
-- `namespace_id` (String) ID of the namespace the service account belongs to.
-
### Optional
- `description` (String) Description of the service account.
+- `name` (String) Name of the service account.
+- `namespace_id` (String) ID of the namespace the service account belongs to.
### Read-Only
- `expires_at` (String) Timestamp when the service account expires.
- `id` (String) Unique identifier for the service account.
+- `jwt` (String, Sensitive) The Service Account JWT used for authentication. This is only populated when creating a new service account.
- `user_id` (String) User ID associated with the service account.
diff --git a/docs/resources/settings.md b/docs/resources/settings.md
index aceecf0..313c05f 100644
--- a/docs/resources/settings.md
+++ b/docs/resources/settings.md
@@ -20,16 +20,16 @@ The settings are global object.
### Optional
-- `access_log_fields` (List of String) Access log fields
-- `address` (String) Address
+- `access_log_fields` (Set of String) Displays HTTP request logs from the Pomerium Proxy service.
+- `address` (String) Specifies the IP Address and Port to serve HTTP requests from.
- `authenticate_callback_path` (String) Authenticate callback path
-- `authenticate_service_url` (String) Authenticate service URL
-- `authorize_log_fields` (List of String) Authorize log fields
+- `authenticate_service_url` (String) The externally accessible URL for the authenticate service.
+- `authorize_log_fields` (Set of String) Displays HTTP request logs from the Pomerium Authorize service.
- `authorize_service_url` (String) Authorize service URL
-- `autocert` (Boolean) Autocert
-- `autocert_dir` (String) Autocert directory
-- `autocert_must_staple` (Boolean) Autocert must staple
-- `autocert_use_staging` (Boolean) Autocert use staging
+- `autocert` (Boolean) Turning on autocert allows Pomerium to automatically retrieve, manage, and renew public facing TLS certificates from Lets Encrypt.
+- `autocert_dir` (String) Autocert directory is the path which Autocert will store x509 certificate data.
+- `autocert_must_staple` (Boolean) Controls whether the must-staple flag is enabled when requesting certificates.
+- `autocert_use_staging` (Boolean) Autocert Use Staging setting allows you to use Let's Encrypt's staging environment, which has more lenient usage limits than the production environment.
- `cache_service_url` (String) Cache service URL
- `certificate_authority` (String) Certificate authority
- `certificate_authority_file` (String) Certificate authority file
@@ -44,14 +44,14 @@ The settings are global object.
- `cookie_same_site` (String) Cookie same site
- `cookie_secret` (String, Sensitive) Cookie secret
- `cookie_secure` (Boolean) Cookie secure
-- `darkmode_primary_color` (String) Darkmode primary color
-- `darkmode_secondary_color` (String) Darkmode secondary color
+- `darkmode_primary_color` (String) A hex code that determines the primary color for the Enterprise Console and Route Error Details pages when in Dark Mode.
+- `darkmode_secondary_color` (String) A hex code that determines the secondary color for the Enterprise Console and Route Error Details pages when in Dark Mode.
- `databroker_service_url` (String) Databroker service URL
- `default_upstream_timeout` (String) Default upstream timeout
- `dns_lookup_family` (String) DNS lookup family
-- `error_message_first_paragraph` (String) Error message first paragraph
-- `favicon_url` (String) Favicon URL
-- `google_cloud_serverless_authentication_service_account` (String) Google Cloud Serverless Authentication Service Account
+- `error_message_first_paragraph` (String) A paragraph that will appear on all Route Error Pages in the top section.
+- `favicon_url` (String) A Url pointing to your favicon. Defaults to Pomerium's Favicon.
+- `google_cloud_serverless_authentication_service_account` (String) Google Cloud Serverless Authentication service account credentials.
- `grpc_address` (String) gRPC address
- `grpc_insecure` (Boolean) gRPC insecure
- `http_redirect_addr` (String) HTTP redirect address
@@ -76,26 +76,21 @@ The settings are global object.
- `insecure_server` (Boolean) Insecure server
- `installation_id` (String) Installation ID
- `jwt_claims_headers` (Map of String) JWT claims headers mapping
+- `jwt_groups_filter` (Attributes) JWT Groups Filter (see [below for nested schema](#nestedatt--jwt_groups_filter))
- `log_level` (String) Log level
-- `logo_url` (String) Logo URL
+- `logo_url` (String) A URL pointing to your logo. Defaults to Pomerium's Logo.
- `metrics_address` (String) Metrics address
-- `pass_identity_headers` (Boolean) Pass identity headers
-- `primary_color` (String) Primary color
+- `pass_identity_headers` (Boolean) If applied, passes X-Pomerium-Jwt-Assertion header and JWT Claims Headers to all upstream applications.
+- `primary_color` (String) A hex code that determines the primary color for the Enterprise Console and Route Error Details pages.
- `proxy_log_level` (String) Proxy log level
- `request_params` (Map of String) Request parameters
-- `scopes` (List of String) Scopes
-- `secondary_color` (String) Secondary color
+- `scopes` (Set of String) Scopes
+- `secondary_color` (String) A hex code that determines the secondary color for the Enterprise Console and Route Error Details pages.
- `set_response_headers` (Map of String) Response headers to set
- `skip_xff_append` (Boolean) Skip XFF append
-- `timeout_idle` (String) Timeout idle
-- `timeout_read` (String) Timeout read
-- `timeout_write` (String) Timeout write
-- `tracing_datadog_address` (String) Tracing Datadog address
-- `tracing_jaeger_agent_endpoint` (String) Tracing Jaeger agent endpoint
-- `tracing_jaeger_collector_endpoint` (String) Tracing Jaeger collector endpoint
-- `tracing_provider` (String) Tracing provider
-- `tracing_sample_rate` (Number) Tracing sample rate
-- `tracing_zipkin_endpoint` (String) Tracing Zipkin endpoint
+- `timeout_idle` (String) Sets the time at which a downstream or upstream connection will be terminated if no active streams.
+- `timeout_read` (String) Sets the amount of time for the client to receive the entire request stream.
+- `timeout_write` (String) Sets max stream duration of an HTTP request/response exchange. Must be greater than read timeout.
### Nested Schema for `identity_provider_auth0`
@@ -185,3 +180,12 @@ Required:
- `client_id` (String)
- `client_secret` (String, Sensitive)
- `environment_id` (String)
+
+
+
+### Nested Schema for `jwt_groups_filter`
+
+Optional:
+
+- `groups` (Set of String) Group IDs to include
+- `infer_from_ppl` (Boolean)