feat(access): add short-name aliases for access resources

Add proxmox_acl, proxmox_realm_ldap, proxmox_realm_openid,
proxmox_realm_sync, and proxmox_user_token as short-name aliases
for the corresponding proxmox_virtual_environment_* resources.

Old names emit a deprecation warning pointing to the new name.
New names implement MoveState for Terraform moved block support.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Pavel Boldyrev <pavel@bpg.sh>

Author: bpg-dev

docs/resources/acl.md

@@ -0,0 +1,38 @@
+---
+layout: page
+title: proxmox_acl
+parent: Resources
+subcategory: Virtual Environment
+description: |-
+  Manages ACLs on the Proxmox cluster.
+  ACLs are used to control access to resources in the Proxmox cluster.
+  Each ACL consists of a path, a user, group or token, a role, and a flag to allow propagation of permissions.
+---
+
+# Resource: proxmox_acl
+
+Manages ACLs on the Proxmox cluster.
+
+ACLs are used to control access to resources in the Proxmox cluster.
+Each ACL consists of a path, a user, group or token, a role, and a flag to allow propagation of permissions.
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `path` (String) Access control path
+- `role_id` (String) The role to apply
+
+### Optional
+
+- `group_id` (String) The group the ACL should apply to (mutually exclusive with `token_id` and `user_id`)
+- `propagate` (Boolean) Allow to propagate (inherit) permissions.
+- `token_id` (String) The token the ACL should apply to (mutually exclusive with `group_id` and `user_id`)
+- `user_id` (String) The user the ACL should apply to (mutually exclusive with `group_id` and `token_id`)
+
+### Read-Only
+
+- `id` (String) The unique identifier of this resource.

docs/resources/realm_ldap.md

@@ -0,0 +1,138 @@
+---
+layout: page
+title: proxmox_realm_ldap
+parent: Resources
+subcategory: Virtual Environment
+description: |-
+  Manages an LDAP authentication realm in Proxmox VE.
+  LDAP realms allow Proxmox to authenticate users against an LDAP directory service.
+---
+
+# Resource: proxmox_realm_ldap
+
+Manages an LDAP authentication realm in Proxmox VE.
+
+LDAP realms allow Proxmox to authenticate users against an LDAP directory service.
+
+## Privileges Required
+
+| Path | Attribute |
+|-----------------|----------------|
+| /access/domains | Realm.Allocate |
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `base_dn` (String) LDAP base DN for user searches (e.g., 'ou=users,dc=example,dc=com').
+- `realm` (String) Realm identifier (e.g., 'example.com').
+- `server1` (String) Primary LDAP server hostname or IP address.
+
+### Optional
+
+- `bind_dn` (String) LDAP bind DN for authentication (e.g., 'cn=admin,dc=example,dc=com').
+- `bind_password` (String, Sensitive) Password for the bind DN. Note: stored in Proxmox but not returned by API.
+- `ca_path` (String) Path to CA certificate file for SSL verification.
+- `case_sensitive` (Boolean) Enable case-sensitive username matching.
+- `cert_key_path` (String) Path to client certificate key.
+- `cert_path` (String) Path to client certificate for SSL authentication.
+- `comment` (String) Description of the realm.
+- `default` (Boolean) Use this realm as the default for login.
+- `filter` (String) LDAP filter for user searches.
+- `group_classes` (String) LDAP objectClasses for groups (comma-separated).
+- `group_dn` (String) LDAP base DN for group searches.
+- `group_filter` (String) LDAP filter for group searches.
+- `group_name_attr` (String) LDAP attribute representing the group name.
+- `mode` (String) LDAP connection mode (ldap, ldaps, ldap+starttls).
+- `port` (Number) LDAP server port. Default: 389 (LDAP) or 636 (LDAPS).
+- `secure` (Boolean, Deprecated) Use LDAPS (LDAP over SSL/TLS) instead of plain LDAP.
+- `server2` (String) Fallback LDAP server hostname or IP address.
+- `ssl_version` (String) SSL/TLS version (tlsv1, tlsv1_1, tlsv1_2, tlsv1_3).
+- `sync_attributes` (String) Comma-separated list of attributes to sync (e.g., 'email=mail,firstname=givenName').
+- `sync_defaults_options` (String) Default synchronization options. Format: comma-separated 'key=value' pairs. Valid keys: 'scope' (users/groups/both), 'enable-new' (1/0), 'remove-vanished' (semicolon-separated: entry/acl/properties), 'full' (deprecated), 'purge' (deprecated). Example: 'scope=users,enable-new=1,remove-vanished=entry;acl'.
+- `user_attr` (String) LDAP attribute representing the username.
+- `user_classes` (String) LDAP objectClasses for users (comma-separated).
+- `verify` (Boolean) Verify LDAP server SSL certificate.
+
+### Read-Only
+
+- `id` (String) Realm identifier (same as realm)
+
+## Notes
+
+### Password Security
+
+The `bind_password` is sent to Proxmox and stored securely, but it's never returned by the API. This means:
+- Terraform cannot detect if the password was changed outside of Terraform
+- You must maintain the password in your Terraform configuration or use a variable
+- The password will be marked as sensitive in Terraform state
+
+### LDAP vs LDAPS
+
+- **LDAP (port 389)**: Unencrypted connection. Not recommended for production.
+- **LDAPS (port 636)**: Encrypted connection using SSL/TLS. Recommended for production.
+- **LDAP+StartTLS**: Upgrades plain LDAP connection to TLS. Alternative to LDAPS.
+
+### User Synchronization
+
+To trigger synchronization, use the `proxmox_realm_sync` resource.
+
+### Common Configuration Scenarios
+
+#### Anonymous Binding
+For testing or public LDAP servers, omit `bind_dn` and `bind_password` to use anonymous binding:
+```hcl
+resource "proxmox_realm_ldap" "anonymous" {
+  realm     = "public-ldap"
+  server1   = "ldap.example.com"
+  base_dn   = "ou=users,dc=example,dc=com"
+  user_attr = "uid"
+}
+```
+
+#### Secure LDAPS with Failover
+```hcl
+resource "proxmox_realm_ldap" "secure" {
+  realm         = "secure-ldap"
+  server1       = "ldap1.example.com"
+  server2       = "ldap2.example.com"  # Failover server
+  port          = 636
+  base_dn       = "ou=users,dc=example,dc=com"
+  bind_dn       = "cn=readonly,dc=example,dc=com"
+  bind_password = var.ldap_password
+  mode          = "ldaps"
+  verify        = true
+  ca_path       = "/etc/pve/priv/ca.crt"
+}
+```
+
+#### With Group Synchronization
+```hcl
+resource "proxmox_realm_ldap" "with_groups" {
+  realm                 = "corporate-ldap"
+  server1               = "ldap.corp.example.com"
+  base_dn               = "ou=users,dc=corp,dc=example,dc=com"
+  bind_dn               = "cn=svc_ldap,ou=services,dc=corp,dc=example,dc=com"
+  bind_password         = var.ldap_password
+  mode                  = "ldap+starttls"
+  
+  # Group settings
+  group_dn              = "ou=groups,dc=corp,dc=example,dc=com"
+  group_filter          = "(objectClass=groupOfNames)"
+  group_name_attr       = "cn"
+  
+  # Sync configuration
+  sync_attributes       = "email=mail,firstname=givenName,lastname=sn"
+  sync_defaults_options = "scope=both,enable-new=1"
+}
+```
+
+## See Also
+
+- [Proxmox VE User Management](https://pve.proxmox.com/wiki/User_Management)
+- [Proxmox VE LDAP Authentication](https://pve.proxmox.com/wiki/User_Management#pveum_ldap)
+- [Proxmox API: /access/domains](https://pve.proxmox.com/pve-docs/api-viewer/index.html#/access/domains)
+

docs/resources/realm_openid.md

@@ -0,0 +1,111 @@
+---
+layout: page
+title: proxmox_realm_openid
+parent: Resources
+subcategory: Virtual Environment
+description: |-
+  Manages an OpenID Connect authentication realm in Proxmox VE.
+  OpenID Connect realms allow Proxmox to authenticate users against an external OpenID Connect provider.
+---
+
+# Resource: proxmox_realm_openid
+
+Manages an OpenID Connect authentication realm in Proxmox VE.
+
+OpenID Connect realms allow Proxmox to authenticate users against an external OpenID Connect provider.
+
+## Privileges Required
+
+| Path            | Attribute      |
+|-----------------|----------------|
+| /access/domains | Realm.Allocate |
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `client_id` (String) OpenID Connect Client ID.
+- `issuer_url` (String) OpenID Connect issuer URL. Proxmox uses OpenID Connect Discovery to configure the provider.
+- `realm` (String) Realm identifier (e.g., 'my-oidc').
+
+### Optional
+
+- `acr_values` (String) Authentication Context Class Reference values for the OpenID provider.
+- `autocreate` (Boolean) Automatically create users on the Proxmox cluster if they do not exist.
+- `client_key` (String, Sensitive) OpenID Connect Client Key (secret). Note: stored in Proxmox but not returned by API.
+- `comment` (String) Description of the realm.
+- `default` (Boolean) Use this realm as the default for login.
+- `groups_autocreate` (Boolean) Automatically create groups from claims rather than using existing Proxmox VE groups.
+- `groups_claim` (String) OpenID claim used to retrieve user group memberships.
+- `groups_overwrite` (Boolean) Replace assigned groups on login instead of appending to existing ones.
+- `prompt` (String) Specifies whether the authorization server prompts for reauthentication and/or consent (e.g., 'none', 'login', 'consent', 'select_account').
+- `query_userinfo` (Boolean) Query the OpenID userinfo endpoint for claims. Required when the identity provider does not include claims in the ID token.
+- `scopes` (String) Space-separated list of OpenID scopes to request.
+- `username_claim` (String) OpenID claim used to generate the unique username. Common values are `subject`, `username`, `email`, and `upn`.
+
+### Read-Only
+
+- `id` (String) Realm identifier (same as realm)
+
+## Notes
+
+### Client Key Security
+
+The `client_key` is sent to Proxmox and stored securely, but it's never returned by the API. This means:
+
+- Terraform cannot detect if the client key was changed outside of Terraform
+- You must maintain the client key in your Terraform configuration or use a variable
+- The client key will be marked as sensitive in Terraform state
+
+### Username Claim
+
+The `username_claim` attribute is **fixed after creation** — it cannot be changed once the realm is created. Changing it requires destroying and recreating the realm. Common values:
+
+- `subject` (default) — Uses the OpenID `sub` claim
+- `username` — Uses the `preferred_username` claim
+- `email` — Uses the `email` claim
+- `upn` — Uses the User Principal Name claim (common with ADFS/Azure AD)
+
+Any valid OpenID claim name can be used. Ensure the chosen claim provides unique, stable identifiers for your users.
+
+### Common Configuration Scenarios
+
+#### Minimal Configuration
+
+```hcl
+resource "proxmox_realm_openid" "minimal" {
+  realm      = "my-oidc"
+  issuer_url = "https://auth.example.com"
+  client_id  = var.oidc_client_id
+  client_key = var.oidc_client_secret
+}
+```
+
+#### With User and Group Provisioning
+
+```hcl
+resource "proxmox_realm_openid" "full" {
+  realm          = "corporate-oidc"
+  issuer_url     = "https://auth.example.com/realms/my-realm"
+  client_id      = var.oidc_client_id
+  client_key     = var.oidc_client_secret
+  username_claim = "email"
+  autocreate     = true
+
+  # Group synchronization
+  groups_claim      = "groups"
+  groups_autocreate = true
+
+  scopes         = "openid email profile"
+  query_userinfo = true
+}
+```
+
+## See Also
+
+- [Proxmox VE User Management](https://pve.proxmox.com/wiki/User_Management)
+- [Proxmox VE OpenID Connect Authentication](https://pve.proxmox.com/wiki/User_Management#pveum_openid)
+- [Proxmox API: /access/domains](https://pve.proxmox.com/pve-docs/api-viewer/index.html#/access/domains)

docs/resources/realm_sync.md

@@ -0,0 +1,48 @@
+---
+layout: page
+title: proxmox_realm_sync
+parent: Resources
+subcategory: Virtual Environment
+description: |-
+  Triggers synchronization of an existing authentication realm using /access/domains/{realm}/sync. This resource represents the last requested sync configuration; deleting it does not undo the sync.
+---
+
+# Resource: proxmox_realm_sync
+
+Triggers synchronization of an existing authentication realm using `/access/domains/{realm}/sync`. This resource represents the last requested sync configuration; deleting it does not undo the sync.
+
+This resource wraps the `/access/domains/{realm}/sync` API and is intended to be
+used alongside realm configuration resources such as
+`proxmox_realm_ldap`.
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `realm` (String) Name of the realm to synchronize.
+
+### Optional
+
+- `dry_run` (Boolean) Only simulate the sync without applying changes.
+- `enable_new` (Boolean) Enable newly synced users.
+- `full` (Boolean, Deprecated) Perform a full sync.
+- `purge` (Boolean, Deprecated) Purge removed entries.
+- `remove_vanished` (String) How to handle vanished entries (e.g. `acl;properties;entry` or `none`).
+- `scope` (String) Sync scope: users, groups, or both.
+
+### Read-Only
+
+- `id` (String) Unique sync identifier (same as realm).
+
+## Behavior Notes
+
+- The sync operation is **one-shot**: applying the resource runs the sync
+  with the specified options. Proxmox does not expose a persistent sync
+  object, so this resource only records the last requested sync
+  configuration in Terraform state.
+- Destroying the resource does **not** undo any previously performed sync;
+  it simply removes the resource from Terraform state.
+

docs/resources/user_token.md

@@ -0,0 +1,33 @@
+---
+layout: page
+title: proxmox_user_token
+parent: Resources
+subcategory: Virtual Environment
+description: |-
+  User API tokens.
+---
+
+# Resource: proxmox_user_token
+
+User API tokens.
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `token_name` (String) User-specific token identifier.
+- `user_id` (String) User identifier.
+
+### Optional
+
+- `comment` (String) Comment for the token.
+- `expiration_date` (String) Expiration date for the token.
+- `privileges_separation` (Boolean) Restrict API token privileges with separate ACLs (default), or give full privileges of corresponding user.
+
+### Read-Only
+
+- `id` (String) Unique token identifier with format `<user_id>!<token_name>`.
+- `value` (String, Sensitive) API token value used for authentication. It is populated only when creating a new token, and can't be retrieved at import.

docs/resources/virtual_environment_acl.md

@@ -11,6 +11,8 @@ description: |-
 
 # Resource: proxmox_virtual_environment_acl
 
+~> **Deprecated:** Use [`proxmox_acl`](acl.md) instead. This resource will be removed in v1.0.
+
 Manages ACLs on the Proxmox cluster.
 
 ACLs are used to control access to resources in the Proxmox cluster.

docs/resources/virtual_environment_realm_ldap.md

@@ -10,6 +10,8 @@ description: |-
 
 # Resource: proxmox_virtual_environment_realm_ldap
 
+~> **Deprecated:** Use [`proxmox_realm_ldap`](realm_ldap.md) instead. This resource will be removed in v1.0.
+
 Manages an LDAP authentication realm in Proxmox VE.
 
 LDAP realms allow Proxmox to authenticate users against an LDAP directory service.

docs/resources/virtual_environment_realm_openid.md

@@ -10,6 +10,8 @@ description: |-
 
 # Resource: proxmox_virtual_environment_realm_openid
 
+~> **Deprecated:** Use [`proxmox_realm_openid`](realm_openid.md) instead. This resource will be removed in v1.0.
+
 Manages an OpenID Connect authentication realm in Proxmox VE.
 
 OpenID Connect realms allow Proxmox to authenticate users against an external OpenID Connect provider.