feat: add stackit service account creation to tf provider (#708)

* feat: implement service account resource/datasource

Author: h3adex

docs/data-sources/service_account.md

@@ -0,0 +1,36 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stackit_service_account Data Source - stackit"
+subcategory: ""
+description: |-
+  Service account data source schema.
+  ~> This resource is in beta and may be subject to breaking changes in the future. Use with caution. See our guide https://registry.terraform.io/providers/stackitcloud/stackit/latest/docs/guides/opting_into_beta_resources for how to opt-in to use beta resources.
+---
+
+# stackit_service_account (Data Source)
+
+Service account data source schema.
+
+~> This resource is in beta and may be subject to breaking changes in the future. Use with caution. See our [guide](https://registry.terraform.io/providers/stackitcloud/stackit/latest/docs/guides/opting_into_beta_resources) for how to opt-in to use beta resources.
+
+## Example Usage
+
+```terraform
+data "stackit_service_account" "sa" {
+  project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  email      = "sa01-8565oq1@sa.stackit.cloud"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `email` (String) Email of the service account.
+- `project_id` (String) STACKIT project ID to which the service account is associated.
+
+### Read-Only
+
+- `id` (String) Terraform's internal resource ID, structured as "`project_id`,`email`".
+- `name` (String) Name of the service account.

docs/index.md

@@ -176,6 +176,7 @@ Note: AWS specific checks must be skipped as they do not work on STACKIT. For de
 - `secretsmanager_custom_endpoint` (String) Custom endpoint for the Secrets Manager service
 - `server_backup_custom_endpoint` (String) Custom endpoint for the Server Backup service
 - `server_update_custom_endpoint` (String) Custom endpoint for the Server Update service
+- `service_account_custom_endpoint` (String) Custom endpoint for the Service Account service
 - `service_account_email` (String, Deprecated) Service account email. It can also be set using the environment variable STACKIT_SERVICE_ACCOUNT_EMAIL. It is required if you want to use the resource manager project resource.
 - `service_account_key` (String) Service account key used for authentication. If set, the key flow will be used to authenticate all operations.
 - `service_account_key_path` (String) Path for the service account key used for authentication. If set, the key flow will be used to authenticate all operations.

docs/resources/service_account.md

@@ -0,0 +1,36 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stackit_service_account Resource - stackit"
+subcategory: ""
+description: |-
+  Service account resource schema.
+  ~> This resource is in beta and may be subject to breaking changes in the future. Use with caution. See our guide https://registry.terraform.io/providers/stackitcloud/stackit/latest/docs/guides/opting_into_beta_resources for how to opt-in to use beta resources.
+---
+
+# stackit_service_account (Resource)
+
+Service account resource schema.
+
+~> This resource is in beta and may be subject to breaking changes in the future. Use with caution. See our [guide](https://registry.terraform.io/providers/stackitcloud/stackit/latest/docs/guides/opting_into_beta_resources) for how to opt-in to use beta resources.
+
+## Example Usage
+
+```terraform
+resource "stackit_service_account" "sa" {
+  project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  name       = "sa01"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `name` (String) Name of the service account.
+- `project_id` (String) STACKIT project ID to which the service account is associated.
+
+### Read-Only
+
+- `email` (String) Email of the service account.
+- `id` (String) Terraform's internal resource ID, structured as "`project_id`,`email`".

examples/data-sources/stackit_service_account/data-source.tf

@@ -0,0 +1,4 @@
+data "stackit_service_account" "sa" {
+  project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  email      = "sa01-8565oq1@sa.stackit.cloud"
+}

examples/resources/stackit_service_account/resource.tf

@@ -0,0 +1,4 @@
+resource "stackit_service_account" "sa" {
+  project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  name       = "sa01"
+}

go.mod

@@ -29,6 +29,7 @@ require (
 	github.com/stackitcloud/stackit-sdk-go/services/secretsmanager v0.11.0
 	github.com/stackitcloud/stackit-sdk-go/services/serverbackup v0.6.0
 	github.com/stackitcloud/stackit-sdk-go/services/serverupdate v0.5.0
+	github.com/stackitcloud/stackit-sdk-go/services/serviceaccount v0.6.0
 	github.com/stackitcloud/stackit-sdk-go/services/serviceenablement v0.5.0
 	github.com/stackitcloud/stackit-sdk-go/services/ske v0.22.0
 	github.com/stackitcloud/stackit-sdk-go/services/sqlserverflex v1.0.0

go.sum

@@ -189,6 +189,8 @@ github.com/stackitcloud/stackit-sdk-go/services/serverbackup v0.6.0 h1:cESGAkm0f
 github.com/stackitcloud/stackit-sdk-go/services/serverbackup v0.6.0/go.mod h1:aYPLsiImzWaYXEfYIZ0wJnV56PwcR+buy8Xu9jjbfGA=
 github.com/stackitcloud/stackit-sdk-go/services/serverupdate v0.5.0 h1:TMUxDh8XGgWUpnWo7GsawVq2ICDsy/r8dMlfC26MR5g=
 github.com/stackitcloud/stackit-sdk-go/services/serverupdate v0.5.0/go.mod h1:giHnHz3kHeLY8Av9MZLsyJlaTXYz+BuGqdP/SKB5Vo0=
+github.com/stackitcloud/stackit-sdk-go/services/serviceaccount v0.6.0 h1:y+XzJcntHJ7M+IWWvAUkiVFA8op+jZxwHs3ktW2aLoA=
+github.com/stackitcloud/stackit-sdk-go/services/serviceaccount v0.6.0/go.mod h1:J/Wa67cbDI1wAyxib9PiEbNqGfIoFUH+DSLueVazQx8=
 github.com/stackitcloud/stackit-sdk-go/services/serviceenablement v0.5.0 h1:QG+rGBHsyXOlJ3ZIeOgExGqu9PoTlGY1rltW/VpG6lw=
 github.com/stackitcloud/stackit-sdk-go/services/serviceenablement v0.5.0/go.mod h1:16dOVT052cMuHhUJ3NIcPuY7TrpCr9QlxmvvfjLZubA=
 github.com/stackitcloud/stackit-sdk-go/services/ske v0.22.0 h1:3KUVls8zXsbT2tOYRSHyp3/l0Kpjl4f3INmQKYTe65Y=

stackit/internal/core/core.go

@@ -40,6 +40,7 @@ type ProviderData struct {
 	ServerUpdateCustomEndpoint      string
 	SKECustomEndpoint               string
 	ServiceEnablementCustomEndpoint string
+	ServiceAccountCustomEndpoint    string
 	EnableBetaResources             bool
 	Experiments                     []string
 }

stackit/internal/services/serviceaccount/account/datasource.go

@@ -0,0 +1,176 @@
+package account
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/hashicorp/terraform-plugin-framework/datasource"
+	"github.com/hashicorp/terraform-plugin-framework/datasource/schema"
+	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+	"github.com/hashicorp/terraform-plugin-log/tflog"
+	"github.com/stackitcloud/stackit-sdk-go/core/config"
+	"github.com/stackitcloud/stackit-sdk-go/services/serviceaccount"
+	"github.com/stackitcloud/terraform-provider-stackit/stackit/internal/core"
+	"github.com/stackitcloud/terraform-provider-stackit/stackit/internal/features"
+	"github.com/stackitcloud/terraform-provider-stackit/stackit/internal/validate"
+)
+
+// dataSourceBetaCheckDone is used to prevent multiple checks for beta resources.
+// This is a workaround for the lack of a global state in the provider and
+// needs to exist because the Configure method is called twice.
+var dataSourceBetaCheckDone bool
+
+// Ensure the implementation satisfies the expected interfaces.
+var (
+	_ datasource.DataSource = &serviceAccountDataSource{}
+)
+
+// NewServiceAccountDataSource creates a new instance of the serviceAccountDataSource.
+func NewServiceAccountDataSource() datasource.DataSource {
+	return &serviceAccountDataSource{}
+}
+
+// serviceAccountDataSource is the datasource implementation for service accounts.
+type serviceAccountDataSource struct {
+	client *serviceaccount.APIClient
+}
+
+// Configure initializes the serviceAccountDataSource with the provided provider data.
+func (r *serviceAccountDataSource) Configure(ctx context.Context, req datasource.ConfigureRequest, resp *datasource.ConfigureResponse) {
+	// Prevent panic if the provider has not been configured correctly.
+	if req.ProviderData == nil {
+		return
+	}
+
+	providerData, ok := req.ProviderData.(core.ProviderData)
+	if !ok {
+		core.LogAndAddError(ctx, &resp.Diagnostics, "Error configuring API client", fmt.Sprintf("Expected configure type stackit.ProviderData, got %T", req.ProviderData))
+		return
+	}
+
+	if !dataSourceBetaCheckDone {
+		features.CheckBetaResourcesEnabled(ctx, &providerData, &resp.Diagnostics, "stackit_service_account", "datasource")
+		if resp.Diagnostics.HasError() {
+			return
+		}
+		dataSourceBetaCheckDone = true
+	}
+
+	var apiClient *serviceaccount.APIClient
+	var err error
+	if providerData.ServiceAccountCustomEndpoint != "" {
+		apiClient, err = serviceaccount.NewAPIClient(
+			config.WithCustomAuth(providerData.RoundTripper),
+			config.WithEndpoint(providerData.ServiceAccountCustomEndpoint),
+		)
+	} else {
+		apiClient, err = serviceaccount.NewAPIClient(
+			config.WithCustomAuth(providerData.RoundTripper),
+		)
+	}
+
+	if err != nil {
+		core.LogAndAddError(ctx, &resp.Diagnostics, "Error configuring API client", fmt.Sprintf("Configuring client: %v. This is an error related to the provider configuration, not to the resource configuration", err))
+		return
+	}
+
+	r.client = apiClient
+	tflog.Info(ctx, "Service Account client configured")
+}
+
+// Metadata provides metadata for the service account datasource.
+func (r *serviceAccountDataSource) Metadata(_ context.Context, req datasource.MetadataRequest, resp *datasource.MetadataResponse) {
+	resp.TypeName = req.ProviderTypeName + "_service_account"
+}
+
+// Schema defines the schema for the service account data source.
+func (r *serviceAccountDataSource) Schema(_ context.Context, _ datasource.SchemaRequest, resp *datasource.SchemaResponse) {
+	descriptions := map[string]string{
+		"id":         "Terraform's internal resource ID, structured as \"`project_id`,`email`\".",
+		"project_id": "STACKIT project ID to which the service account is associated.",
+		"name":       "Name of the service account.",
+		"email":      "Email of the service account.",
+	}
+
+	// Define the schema with validation rules and descriptions for each attribute.
+	// The datasource schema differs slightly from the resource schema.
+	// In this case, the email attribute is required to read the service account data from the API.
+	resp.Schema = schema.Schema{
+		MarkdownDescription: features.AddBetaDescription("Service account data source schema."),
+		Description:         "Service account data source schema.",
+		Attributes: map[string]schema.Attribute{
+			"id": schema.StringAttribute{
+				Description: descriptions["id"],
+				Computed:    true,
+			},
+			"project_id": schema.StringAttribute{
+				Description: descriptions["project_id"],
+				Required:    true,
+				Validators: []validator.String{
+					validate.UUID(),
+					validate.NoSeparator(),
+				},
+			},
+			"email": schema.StringAttribute{
+				Description: descriptions["email"],
+				Required:    true,
+			},
+			"name": schema.StringAttribute{
+				Description: descriptions["name"],
+				Computed:    true,
+			},
+		},
+	}
+}
+
+// Read reads all service accounts from the API and updates the state with the latest information.
+func (r *serviceAccountDataSource) Read(ctx context.Context, req datasource.ReadRequest, resp *datasource.ReadResponse) { // nolint:gocritic // function signature required by Terraform
+	var model Model
+	diags := req.Config.Get(ctx, &model)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	// Extract the project ID from the model configuration
+	projectId := model.ProjectId.ValueString()
+
+	// Call the API to list service accounts in the specified project
+	listSaResp, err := r.client.ListServiceAccounts(ctx, projectId).Execute()
+	if err != nil {
+		core.LogAndAddError(ctx, &resp.Diagnostics, "Error reading service account", fmt.Sprintf("Error calling API: %v", err))
+		return
+	}
+
+	// Iterate over the service accounts returned by the API to find the one matching the email
+	serviceAccounts := *listSaResp.Items
+	for i := range serviceAccounts {
+		// Skip if the service account email does not match
+		if *serviceAccounts[i].Email != model.Email.ValueString() {
+			continue
+		}
+
+		// Map the API response to the model, updating its fields with the service account data
+		err = mapFields(&serviceAccounts[i], &model)
+		if err != nil {
+			core.LogAndAddError(ctx, &resp.Diagnostics, "Error reading service account", fmt.Sprintf("Error processing API response: %v", err))
+			return
+		}
+
+		// Try to parse the name from the provided email address
+		name, err := parseNameFromEmail(model.Email.ValueString())
+		if name != "" && err == nil {
+			model.Name = types.StringValue(name)
+		}
+
+		// Update the state with the service account model
+		diags = resp.State.Set(ctx, &model)
+		resp.Diagnostics.Append(diags...)
+		return
+	}
+
+	// If no matching service account is found, remove the resource from the state
+	core.LogAndAddError(ctx, &resp.Diagnostics, "Service account not found", "")
+	resp.State.RemoveResource(ctx)
+}