feat: implement sa access token resource

Author: h3adex

docs/resources/service_account_access_token.md

@@ -17,14 +17,11 @@ description: |-
     rotation_days = 80
   }
   
-  // The access token is valid for 180 days but is configured to rotate every 80 days
-  // when a Terraform apply is triggered.
   resource "stackit_service_account_access_token" "sa1" {
     project_id            = var.stackit_project_id
     service_account_email = stackit_service_account.sa.email
     ttl_days              = 180
   
-    // Trigger token rotation based on time_rotating changes.
     rotate_when_changed = {
       rotation = time_rotating.rotate.id
     }
@@ -50,14 +47,11 @@ resource "time_rotating" "rotate" {
   rotation_days = 80
 }
 
-// The access token is valid for 180 days but is configured to rotate every 80 days
-// when a Terraform apply is triggered.
 resource "stackit_service_account_access_token" "sa1" {
   project_id            = var.stackit_project_id
   service_account_email = stackit_service_account.sa.email
   ttl_days              = 180
 
-  // Trigger token rotation based on time_rotating changes.
   rotate_when_changed = {
     rotation = time_rotating.rotate.id
   }
@@ -83,6 +77,7 @@ resource "stackit_service_account_access_token" "sa1" {
 ### Read-Only
 
 - `access_token_id` (String) Identifier for the access token linked to the service account.
+- `active` (Boolean) Indicate whether the token is currently active or inactive
 - `created_at` (String) Timestamp indicating when the access token was created.
 - `id` (String) Unique internal resource ID for Terraform, formatted as "project_id,access_token_id".
 - `token` (String, Sensitive) JWT access token for API authentication. Prefixed by 'Bearer' and should be stored securely as it is irretrievable once lost.

stackit/internal/services/serviceaccount/serviceaccount_acc_test.go

@@ -60,7 +60,7 @@ func TestServiceAccount(t *testing.T) {
 		ProtoV6ProviderFactories: testutil.TestAccProtoV6ProviderFactories,
 		CheckDestroy:             testAccCheckServiceAccountDestroy,
 		Steps: []resource.TestStep{
-			// Create
+			// Creation
 			{
 				Config: inputServiceAccountResourceConfig(serviceAccountResource["name01"]),
 				Check: resource.ComposeAggregateTestCheckFunc(

stackit/internal/services/serviceaccount/token/const.go

@@ -16,14 +16,11 @@ resource "time_rotating" "rotate" {
   rotation_days = 80
 }
 
-// The access token is valid for 180 days but is configured to rotate every 80 days
-// when a Terraform apply is triggered.
 resource "stackit_service_account_access_token" "sa1" {
   project_id            = var.stackit_project_id
   service_account_email = stackit_service_account.sa.email
   ttl_days              = 180
 
-  // Trigger token rotation based on time_rotating changes.
   rotate_when_changed = {
     rotation = time_rotating.rotate.id
   }

stackit/internal/services/serviceaccount/token/resource.go

@@ -2,7 +2,9 @@ package token
 
 import (
 	"context"
+	"errors"
 	"fmt"
+	"net/http"
 	"strings"
 	"time"
 
@@ -19,6 +21,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-framework/types/basetypes"
 	"github.com/hashicorp/terraform-plugin-log/tflog"
 	"github.com/stackitcloud/stackit-sdk-go/core/config"
+	"github.com/stackitcloud/stackit-sdk-go/core/oapierror"
 	"github.com/stackitcloud/stackit-sdk-go/services/serviceaccount"
 	"github.com/stackitcloud/terraform-provider-stackit/stackit/internal/conversion"
 	"github.com/stackitcloud/terraform-provider-stackit/stackit/internal/core"
@@ -46,6 +49,7 @@ type Model struct {
 	TtlDays             types.Int64  `tfsdk:"ttl_days"`
 	RotateWhenChanged   types.Map    `tfsdk:"rotate_when_changed"`
 	Token               types.String `tfsdk:"token"`
+	Active              types.Bool   `tfsdk:"active"`
 	CreatedAt           types.String `tfsdk:"created_at"`
 	ValidUntil          types.String `tfsdk:"valid_until"`
 }
@@ -122,6 +126,7 @@ func (r *serviceAccountTokenResource) Schema(_ context.Context, _ resource.Schem
 		"rotate_when_changed":   "A map of arbitrary key/value pairs that will force recreation of the token when they change, enabling token rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.",
 		"access_token_id":       "Identifier for the access token linked to the service account.",
 		"token":                 "JWT access token for API authentication. Prefixed by 'Bearer' and should be stored securely as it is irretrievable once lost.",
+		"active":                "Indicate whether the token is currently active or inactive",
 		"created_at":            "Timestamp indicating when the access token was created.",
 		"valid_until":           "Estimated expiration timestamp of the access token. For precise validity, check the JWT details.",
 	}
@@ -182,7 +187,10 @@ func (r *serviceAccountTokenResource) Schema(_ context.Context, _ resource.Schem
 				Computed:    true,
 				Sensitive:   true,
 			},
-
+			"active": schema.BoolAttribute{
+				Description: descriptions["active"],
+				Computed:    true,
+			},
 			"created_at": schema.StringAttribute{
 				Description: descriptions["created_at"],
 				Computed:    true,
@@ -259,6 +267,12 @@ func (r *serviceAccountTokenResource) Read(ctx context.Context, req resource.Rea
 	// Fetch the list of service account tokens from the API.
 	listSaTokensResp, err := r.client.ListAccessTokens(ctx, projectId, serviceAccountEmail).Execute()
 	if err != nil {
+		var oapiErr *oapierror.GenericOpenAPIError
+		ok := errors.As(err, &oapiErr) //nolint:errorlint //complaining that error.As should be used to catch wrapped errors, but this error should not be wrapped
+		if ok && oapiErr.StatusCode == http.StatusNotFound || oapiErr.StatusCode == http.StatusForbidden {
+			resp.State.RemoveResource(ctx)
+			return
+		}
 		core.LogAndAddError(ctx, &resp.Diagnostics, "Error reading service account tokens", fmt.Sprintf("Error calling API: %v", err))
 		return
 	}
@@ -270,6 +284,12 @@ func (r *serviceAccountTokenResource) Read(ctx context.Context, req resource.Rea
 			continue
 		}
 
+		if !*saTokens[i].Active {
+			tflog.Info(ctx, fmt.Sprintf("Service account access token with id %s is not active", model.AccessTokenId.ValueString()))
+			resp.State.RemoveResource(ctx)
+			return
+		}
+
 		err = mapListResponse(&saTokens[i], &model)
 		if err != nil {
 			core.LogAndAddError(ctx, &resp.Diagnostics, "Error reading service account", fmt.Sprintf("Error processing API response: %v", err))
@@ -365,6 +385,7 @@ func mapCreateResponse(resp *serviceaccount.AccessToken, model *Model) error {
 	model.Id = types.StringValue(strings.Join(idParts, core.Separator))
 	model.AccessTokenId = types.StringPointerValue(resp.Id)
 	model.Token = types.StringPointerValue(resp.Token)
+	model.Active = types.BoolPointerValue(resp.Active)
 	model.CreatedAt = createdAt
 	model.ValidUntil = validUntil
 

stackit/internal/testutil/testutil.go

@@ -404,23 +404,6 @@ func AuthorizationProviderConfig() string {
 	)
 }
 
-func ServiceAccountProviderConfig() string {
-	if ServiceAccountCustomEndpoint == "" {
-		return `
-		provider "stackit" {
-			region = "eu01"
-			enable_beta_resources = true
-		}`
-	}
-	return fmt.Sprintf(`
-		provider "stackit" {
-			service_account_custom_endpoint = "%s"
-			enable_beta_resources = true
-		}`,
-		ServiceAccountCustomEndpoint,
-	)
-}
-
 func ResourceNameWithDateTime(name string) string {
 	dateTime := time.Now().Format(time.RFC3339)
 	// Remove timezone to have a smaller datetime