auth: improve overall auth system (#54)

- remove password param
- add docs on authentication

fixes #52

Signed-off-by: Nick Santos <[email protected]>

Author: nicks

README.md

@@ -12,7 +12,7 @@ This project is used to manage Docker resources (such as repositories, teams, or
 
 ## Usage
 
-Below is a basic example of how to use the Docker services Terraform provider to create a Docker repository. Using `DOCKER_USERNAME` and `DOCKER_PASSWORD` as an environment variable, you can use the following code:
+Below is a basic example of how to use the Docker services Terraform provider to create a Docker repository. 
 
 ```hcl
 terraform {
@@ -33,6 +33,48 @@ resource "docker_repository" "example" {
 }
 ```
 
+## Authentication
+
+We have multiple ways to set your Docker credentials.
+
+### Setting credentials
+
+Use `docker login` to [log in to a
+registry](https://docs.docker.com/reference/cli/docker/login/). The `docker` CLI
+will store your credentials securely in your credential store, such as the
+operating system native keychain. The Docker Terraform provider will
+use these credentials automatically.
+
+```
+cat ~/my_password.txt | docker login --username my-username --password-stdin
+```
+
+If you'd like to use a different account for running the provider,
+you can set credentials in the environment:
+
+```
+export DOCKER_USERNAME=my-username
+export DOCKER_PASSWORD=my-secret-token
+terraform plan ...
+```
+
+### Credential types
+
+You can create a personal access token (PAT) to use as an alternative to your
+password for Docker CLI authentication.
+
+A "Read, Write, & Delete" PAT can be used to create, edit, and 
+manage permissions for Docker Hub repositories.
+
+The advantage of PATs is that they have [many security
+benefits](https://docs.docker.com/security/for-developers/access-tokens/) over
+passwords.
+
+Unfortunately, PATs are limited to managing repositories. If you'd like to use
+this provider to manage organizations and teams, you will need to authenticate
+with a password.
+
+
 ## Contributing
 
 We welcome contributions to the Docker services Terraform provider, detailed documentation for contributing & building the provider can be found [here](https://github.com/docker/terraform-provider-docker/blob/main/CONTRIBUTING.md)

docs/index.md

@@ -18,5 +18,4 @@ description: |-
 ### Optional
 
 - `host` (String) Docker Hub API Host. Default is `hub.docker.com`.
-- `password` (String, Sensitive) Password for authentication
 - `username` (String) Username for authentication

…resources/org_team_member_association.md docs/resources/org_team_member.mddocs/resources/org_team_member_association.md renamed to docs/resources/org_team_member.md docs/resources/org_team_member_association.md renamed to docs/resources/org_team_member.md

@@ -1,16 +1,15 @@
 ---
 # generated by https://github.com/hashicorp/terraform-plugin-docs
-page_title: "docker_org_team_member_association Resource - docker"
+page_title: "docker_org_team_member Resource - docker"
 subcategory: ""
 description: |-
   Manages team members associated with an organization.
   ~> Note Only available when authenticated with a username and password as an owner of the org.
 ---
 
-# docker_org_team_member_association (Resource)
+# docker_org_team_member (Resource)
 
 Manages team members associated with an organization.
-
 ~> **Note** Only available when authenticated with a username and password as an owner of the org.
 
 
@@ -22,8 +21,8 @@ Manages team members associated with an organization.
 
 - `org_name` (String) Organization name
 - `team_name` (String) Team name
-- `user_names` (List of String) User names to be added to the team
+- `user_name` (String) User name to be added to the team
 
 ### Read-Only
 
-- `id` (String) The ID of the team member association
+- `id` (String) The ID of the team member

internal/provider/provider.go

@@ -44,7 +44,6 @@ type DockerProvider struct {
 // DockerProviderModel describes the provider data model.
 type DockerProviderModel struct {
 	Username types.String `tfsdk:"username"`
-	Password types.String `tfsdk:"password"`
 	Host     types.String `tfsdk:"host"`
 }
 
@@ -67,11 +66,6 @@ func (p *DockerProvider) Schema(ctx context.Context, req provider.SchemaRequest,
 				MarkdownDescription: "Username for authentication",
 				Optional:            true,
 			},
-			"password": schema.StringAttribute{
-				MarkdownDescription: "Password for authentication",
-				Optional:            true,
-				Sensitive:           true,
-			},
 		},
 	}
 }
@@ -98,17 +92,7 @@ func (p *DockerProvider) Configure(ctx context.Context, req provider.ConfigureRe
 		resp.Diagnostics.AddAttributeError(
 			path.Root("username"),
 			"Unknown Docker Hub API Username",
-			"The provider cannot create the Docker Hub API client as there is an unknown configuration value for the Docker Hub API username. "+
-				"Either target apply the source of the value first, set the value statically in the configuration, or use the DOCKER_USERNAME environment variable.",
-		)
-	}
-
-	if data.Password.IsUnknown() {
-		resp.Diagnostics.AddAttributeError(
-			path.Root("password"),
-			"Unknown Docker Hub API Password",
-			"The provider cannot create the Docker Hub API client as there is an unknown configuration value for the Docker Hub API password. "+
-				"Either target apply the source of the value first, set the value statically in the configuration, or use the DOCKER_PASSWORD environment variable.",
+			"The provider cannot create the Docker Hub API client as there is an unknown configuration value for the Docker Hub API username.",
 		)
 	}
 
@@ -132,9 +116,6 @@ func (p *DockerProvider) Configure(ctx context.Context, req provider.ConfigureRe
 	}
 
 	password := os.Getenv("DOCKER_PASSWORD")
-	if !data.Password.IsNull() {
-		password = data.Password.ValueString()
-	}
 
 	// If DOCKER_USERNAME and DOCKER_PASSWORD are not set, or if they are empty,
 	// retrieve them from the credential store
@@ -181,19 +162,15 @@ func (p *DockerProvider) Configure(ctx context.Context, req provider.ConfigureRe
 		resp.Diagnostics.AddAttributeError(
 			path.Root("username"),
 			"Missing Docker Hub API Username",
-			"The provider cannot create the Docker Hub API client as there is a missing or empty value for the Docker Hub API username. "+
-				"Set the username value in the configuration or use the DOCKER_USERNAME environment variable. "+
-				"If either is already set, ensure the value is not empty.",
+			"Missing valid login credentials. More details: https://github.com/docker/terraform-provider-docker#authentication.",
 		)
 	}
 
 	if password == "" {
 		resp.Diagnostics.AddAttributeError(
 			path.Root("password"),
 			"Missing Docker Hub API Password",
-			"The provider cannot create the Docker Hub API client as there is a missing or empty value for the Docker Hub API password. "+
-				"Set the password value in the configuration or use the DOCKER_PASSWORD environment variable. "+
-				"If either is already set, ensure the value is not empty.",
+			"Missing valid login credentials. More details: https://github.com/docker/terraform-provider-docker#authentication.",
 		)
 	}