update documentation

Author: maxlaverse

README.md

@@ -33,43 +33,20 @@ The provider likely works with older versions but those haven't been tested.
 The complete documentation for this provider can be found on the [Terraform Registry docs].
 
 ```tf
-# Setting up the Provider
-variable "bw_password" {
-  type        = string
-  description = "Bitwarden Master Key"
-  sensitive   = true
-}
-
-variable "bw_client_id" {
-  type        = string
-  description = "Bitwarden Client ID"
-  sensitive   = true
-}
-
-variable "bw_client_secret" {
-  type        = string
-  description = "Bitwarden Client Secret"
-  sensitive   = true
-}
-
 terraform {
   required_providers {
     bitwarden = {
       source  = "maxlaverse/bitwarden"
-      version = ">= 0.5.0"
+      version = ">= 0.6.2"
     }
   }
 }
 
+# Configure the Bitwarden Provider
 provider "bitwarden" {
-  master_password = var.bw_password
-  client_id       = var.bw_client_id
-  client_secret   = var.bw_client_secret
-  email           = "test@laverse.net"
-  server          = "https://vault.bitwarden.com"
+  email           = "terraform@example.com"
 }
 
-
 # Managing Folders
 resource "bitwarden_folder" "cloud_credentials" {
   name = "My Cloud Credentials"

docs/data-sources/attachment.md

@@ -54,5 +54,3 @@ data "bitwarden_attachment" "ssh_private_key" {
 ### Read-Only
 
 - `content` (String) Content of the attachment
-
-

docs/data-sources/item_login.md

@@ -96,5 +96,3 @@ Read-Only:
 
 - `match` (String)
 - `value` (String)
-
-

docs/data-sources/item_secure_note.md

@@ -82,5 +82,3 @@ Read-Only:
 - `linked` (String)
 - `name` (String)
 - `text` (String)
-
-

docs/index.md

@@ -10,64 +10,95 @@ description: |-
 Use the Bitwarden provider to interact with Bitwarden logins, secure notes and folders.
 You must configure the provider with the proper credentials before you can use it, and have the [Bitwarden CLI] installed.
 
-## API credentials
-In order to interact with your Vault using the Bitwarden Provider Terraform plugin, you need to generate an API key:
-1. Connect to your Vault on https://vault.bitwarden.com, or your self-hosted instance
-2. Click on "Settings" and then "My Account"
-3. Scroll down to the "API Key" section
-4. Click on "View API Key" (or maybe another label if it's the first time)
-5. Save the API credentials
-6. Before running `terraform apply`, export the API credentials as environment variable:
-
-```console
-export TF_VAR_bw_client_id=<client_id>
-export TF_VAR_bw_client_secret=<client_secret>
-export TF_VAR_bw_password=<master_password>
-```
-
 ## Example Usage
 
 ```terraform
-# Bitwarden Master Password
-variable "bw_password" {
-  type        = string
-  description = "Bitwarden Master Key"
-  sensitive   = true
-}
-
-variable "bw_client_id" {
-  type        = string
-  description = "Bitwarden Client ID"
-  sensitive   = true
-}
-
-variable "bw_client_secret" {
-  type        = string
-  description = "Bitwarden Client Secret"
-  sensitive   = true
-}
-```
-
-```terraform
-# Provider configuration
 terraform {
   required_providers {
     bitwarden = {
       source  = "maxlaverse/bitwarden"
-      version = ">= 0.5.0"
+      version = ">= 0.6.2"
     }
   }
 }
 
+# Configure the Bitwarden Provider
 provider "bitwarden" {
-  master_password = var.bw_password
-  client_id       = var.bw_client_id
-  client_secret   = var.bw_client_secret
-  email           = "test@laverse.net"
-  server          = "https://vault.bitwarden.com"
+  email           = "terraform@example.com"
+}
+
+# Create a Bitwarden Login Resource
+resource "bitwarden_item_login" "example" {
+  name            = "Example"
+  username        = "service-account"
+  password        = "<sensitive>"
 }
 ```
 
+## Authentication
+The Bitwarden provider can use different combinations of credentials to authenticate:
+* Email and Password (requires `email` and `master_password`)
+* API key (requires `email`, `master_password`, `client_id` and `client_secret`)
+* user-provided Session Key (requires `session_key`)
+
+### Generating a Client ID and Secret
+The recommended way to interact with your Vault using the Bitwarden Provider Terraform plugin is to generate an API key.
+This allows you to easily revoke access to your Vault without having to change your master password.
+
+In order to generate a pair of Client ID and Secret, you need to:
+1. Connect to your Vault on https://vault.bitwarden.com, or your self-hosted instance
+2. Click on _Settings_ and then _My Account_
+3. Scroll down to the _API Key_ section
+4. Click on _View API Key_ (or maybe another label if it's the first time)
+5. Save the API credentials somewhere safe
+
+### Generating a Session Key
+
+If you don't want to use an API key, you can use a Session Key instead.
+When doing so, it's your responsibility to:
+* ensure the validity of the Session Key
+* keep the Session Key safe
+* revoke it when you don't need it anymore
+
+You can generate a Session Key by running the following command in your Terraform Workspace:
+```
+BITWARDENCLI_APPDATA_DIR=.bitwarden bw login
+
+# or if you use a custom vault path
+BITWARDENCLI_APPDATA_DIR=<vault_path> bw login
+```
+
+## Configuration
+Configuration for the Bitwarden Provider can be derived from two sources:
+* Parameters in the provider configuration
+* Environment variables
+
+### Parameters
+Credentials can be provided by adding a `master_password` and optionally `client_id` and `client_secret` to the bitwarden provider block.
+```terraform
+provider "bitwarden" {
+  email           = "terraform@example.com"
+  master_password = "my-master-password"
+  client_id       = "my-client-id"
+  client_secret   = "my-client-secret"
+}
+```
+
+### Environment variables
+Credentials can be provided by using the `BW_PASSWORD` and optionally `BW_CLIENTID` and `BW_CLIENTSECRET` environment variables. 
+
+For example:
+```bitwarden
+provider "bitwarden" {}
+```
+
+```console
+export BW_EMAIL="terraform@example.com"
+export BW_PASSWORD="my-master-password"
+export BW_CLIENTID="my-client-id"
+export BW_CLIENTSECRET="my-client-secret"
+```
+
 <!-- schema generated by tfplugindocs -->
 ## Schema
 

examples/provider/provider.tf

@@ -1,17 +1,20 @@
-# Provider configuration
 terraform {
   required_providers {
     bitwarden = {
       source  = "maxlaverse/bitwarden"
-      version = ">= 0.5.0"
+      version = ">= 0.6.1"
     }
   }
 }
 
+# Configure the Bitwarden Provider
 provider "bitwarden" {
-  master_password = var.bw_password
-  client_id       = var.bw_client_id
-  client_secret   = var.bw_client_secret
-  email           = "test@laverse.net"
-  server          = "https://vault.bitwarden.com"
+  email           = "terraform@example.com"
+}
+
+# Create a Bitwarden Login Resource
+resource "bitwarden_item_login" "example" {
+  name            = "Example"
+  username        = "service-account"
+  password        = "<sensitive>"
 }

examples/quick/provider.tf

@@ -10,26 +10,73 @@ description: |-
 Use the Bitwarden provider to interact with Bitwarden logins, secure notes and folders.
 You must configure the provider with the proper credentials before you can use it, and have the [Bitwarden CLI] installed.
 
-## API credentials
-In order to interact with your Vault using the Bitwarden Provider Terraform plugin, you need to generate an API key:
+## Example Usage
+
+{{tffile "examples/quick/provider.tf"}}
+
+## Authentication
+The Bitwarden provider can use different combinations of credentials to authenticate:
+* Email and Password (requires `email` and `master_password`)
+* API key (requires `email`, `master_password`, `client_id` and `client_secret`)
+* user-provided Session Key (requires `session_key`)
+
+### Generating a Client ID and Secret
+The recommended way to interact with your Vault using the Bitwarden Provider Terraform plugin is to generate an API key.
+This allows you to easily revoke access to your Vault without having to change your master password.
+
+In order to generate a pair of Client ID and Secret, you need to:
 1. Connect to your Vault on https://vault.bitwarden.com, or your self-hosted instance
-2. Click on "Settings" and then "My Account"
-3. Scroll down to the "API Key" section
-4. Click on "View API Key" (or maybe another label if it's the first time)
-5. Save the API credentials
-6. Before running `terraform apply`, export the API credentials as environment variable:
+2. Click on _Settings_ and then _My Account_
+3. Scroll down to the _API Key_ section
+4. Click on _View API Key_ (or maybe another label if it's the first time)
+5. Save the API credentials somewhere safe
 
-```console
-export TF_VAR_bw_client_id=<client_id>
-export TF_VAR_bw_client_secret=<client_secret>
-export TF_VAR_bw_password=<master_password>
+### Generating a Session Key
+
+If you don't want to use an API key, you can use a Session Key instead.
+When doing so, it's your responsibility to:
+* ensure the validity of the Session Key
+* keep the Session Key safe
+* revoke it when you don't need it anymore
+
+You can generate a Session Key by running the following command in your Terraform Workspace:
 ```
+BITWARDENCLI_APPDATA_DIR=.bitwarden bw login
 
-## Example Usage
+# or if you use a custom vault path
+BITWARDENCLI_APPDATA_DIR=<vault_path> bw login
+```
 
-{{tffile "examples/quick/variables.tf"}}
+## Configuration
+Configuration for the Bitwarden Provider can be derived from two sources:
+* Parameters in the provider configuration
+* Environment variables
 
-{{tffile "examples/quick/provider.tf"}}
+### Parameters
+Credentials can be provided by adding a `master_password` and optionally `client_id` and `client_secret` to the bitwarden provider block.
+```terraform
+provider "bitwarden" {
+  email           = "terraform@example.com"
+  master_password = "my-master-password"
+  client_id       = "my-client-id"
+  client_secret   = "my-client-secret"
+}
+```
+
+### Environment variables
+Credentials can be provided by using the `BW_PASSWORD` and optionally `BW_CLIENTID` and `BW_CLIENTSECRET` environment variables. 
+
+For example:
+```bitwarden
+provider "bitwarden" {}
+```
+
+```console
+export BW_EMAIL="terraform@example.com"
+export BW_PASSWORD="my-master-password"
+export BW_CLIENTID="my-client-id"
+export BW_CLIENTSECRET="my-client-secret"
+```
 
 {{ .SchemaMarkdown | trimspace }}