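--- a/docs/resources/service_account_access_token.md
+++ b/docs/resources/service_account_access_token.md
@@ -0,0 +1,84 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stackit_service_account_access_token Resource - stackit"
+subcategory: ""
+description: |-
+Service account access token schema.
+~> This resource is in beta and may be subject to breaking changes in the future. Use with caution. See our guide https://registry.terraform.io/providers/stackitcloud/stackit/latest/docs/guides/opting_into_beta_resources for how to opt-in to use beta resources.
+Example Usage
+Automatically rotate access tokens
+
+resource "stackit_service_account" "sa" {
+project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+name = "sa01"
+}
+
+resource "time_rotating" "rotate" {
+rotation_days = 80
+}
+
+resource "stackit_service_account_access_token" "sa_token" {
+project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+service_account_email = stackit_service_account.sa.email
+ttl_days = 180
+
+rotate_when_changed = {
+rotation = time_rotating.rotate.id
+}
+}
+---
+
+# stackit_service_account_access_token (Resource)
+
+Service account access token schema.
+
+~> This resource is in beta and may be subject to breaking changes in the future. Use with caution. See our [guide](https://registry.terraform.io/providers/stackitcloud/stackit/latest/docs/guides/opting_into_beta_resources) for how to opt-in to use beta resources.
+## Example Usage
+
+
+### Automatically rotate access tokens
+```terraform
+resource "stackit_service_account" "sa" {
+project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+name = "sa01"
+}
+
+resource "time_rotating" "rotate" {
+rotation_days = 80
+}
+
+resource "stackit_service_account_access_token" "sa_token" {
+project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+service_account_email = stackit_service_account.sa.email
+ttl_days = 180
+
+rotate_when_changed = {
+rotation = time_rotating.rotate.id
+}
+}
+
+```
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `project_id` (String) STACKIT project ID associated with the service account token.
+- `service_account_email` (String) Email address linked to the service account.
+
+### Optional
+
+- `rotate_when_changed` (Map of String) A map of arbitrary key/value pairs that will force recreation of the token when they change, enabling token rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.
+- `ttl_days` (Number) Specifies the token's validity duration in days. If unspecified, defaults to 90 days.
+
+### Read-Only
+
+- `access_token_id` (String) Identifier for the access token linked to the service account.
+- `active` (Boolean) Indicate whether the token is currently active or inactive
+- `created_at` (String) Timestamp indicating when the access token was created.
+- `id` (String) Terraform's internal resource identifier. It is structured as "`project_id`,`service_account_email`,`access_token_id`".
+- `token` (String, Sensitive) JWT access token for API authentication. Prefixed by 'Bearer' and should be stored securely as it is irretrievable once lost.
+- `valid_until` (String) Estimated expiration timestamp of the access token. For precise validity, check the JWT details.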
Expand Up @@ -30,6 +30,11 @@ func inputServiceAccountResourceConfig(name string) string {
project_id = "%s"
name = "%s"
}

resource "stackit_service_account_access_token" "token" {
project_id = stackit_service_account.sa.project_id
service_account_email = stackit_service_account.sa.email
}
`,
testutil.ServiceAccountProviderConfig(),
serviceAccountResource["project_id"],
Expand Down Expand Up @@ -62,6 +67,11 @@ func TestServiceAccount(t *testing.T) {
resource.TestCheckResourceAttr("stackit_service_account.sa", "project_id", serviceAccountResource["project_id"]),
resource.TestCheckResourceAttr("stackit_service_account.sa", "name", serviceAccountResource["name01"]),
resource.TestCheckResourceAttrSet("stackit_service_account.sa", "email"),
resource.TestCheckResourceAttrSet("stackit_service_account_access_token.token", "token"),
resource.TestCheckResourceAttrSet("stackit_service_account_access_token.token", "created_at"),
resource.TestCheckResourceAttrSet("stackit_service_account_access_token.token", "valid_until"),
resource.TestCheckResourceAttrSet("stackit_service_account_access_token.token", "service_account_email"),
resource.TestCheckResourceAttrPair("stackit_service_account.sa", "email", "stackit_service_account_access_token.token", "service_account_email"),
),
},
// Update
Expand All @@ -71,6 +81,11 @@ func TestServiceAccount(t *testing.T) {
resource.TestCheckResourceAttr("stackit_service_account.sa", "project_id", serviceAccountResource["project_id"]),
resource.TestCheckResourceAttr("stackit_service_account.sa", "name", serviceAccountResource["name02"]),
resource.TestCheckResourceAttrSet("stackit_service_account.sa", "email"),
resource.TestCheckResourceAttrSet("stackit_service_account_access_token.token", "token"),
resource.TestCheckResourceAttrSet("stackit_service_account_access_token.token", "created_at"),
resource.TestCheckResourceAttrSet("stackit_service_account_access_token.token", "valid_until"),
resource.TestCheckResourceAttrSet("stackit_service_account_access_token.token", "service_account_email"),
resource.TestCheckResourceAttrPair("stackit_service_account.sa", "email", "stackit_service_account_access_token.token", "service_account_email"),
),
},
// Data source
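Review bot: The checks added to the create and update steps of TestServiceAccount only assert that `token`, `created_at` and `valid_until` are set, so the test never exercises `ttl_days` or `rotate_when_changed`, the two inputs that control expiry and rotation. A further step that changes a `rotate_when_changed` value and asserts that `access_token_id` differs from the previous step would cover the rotation path. Assuming a freshly issued token is reported as active, `resource.TestCheckResourceAttr("stackit_service_account_access_token.token", "active", "true")` would also pin its initial state. The function continues outside the visible hunks, so a destroy check for the token may already exist there.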
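--- a/stackit/internal/services/serviceaccount/token/const.go
+++ b/stackit/internal/services/serviceaccount/token/const.go
@@ -0,0 +1,26 @@
+package token
+
+const markdownDescription = `
+## Example Usage` + "\n" + `
+
+### Automatically rotate access tokens` + "\n" +
+"```terraform" + `
+resource "stackit_service_account" "sa" {
+project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+name = "sa01"
+}
+
+resource "time_rotating" "rotate" {
+rotation_days = 80
+}
+
+resource "stackit_service_account_access_token" "sa_token" {
+project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+service_account_email = stackit_service_account.sa.email
+ttl_days = 180
+
+rotate_when_changed = {
+rotation = time_rotating.rotate.id
+}
+}
+` + "\n```"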
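Review bot: The example in `markdownDescription` shows how to rotate the token but does not say where the secret ends up. The generated schema marks `token` as Sensitive, which redacts it from plan output, but the value is still written to the Terraform state. I would add a line under the example heading such as `~> The token is stored in the Terraform state; keep the state in an encrypted backend with restricted access.` The description should also state whether replacing the resource revokes the previous token, since with `rotation_days = 80` and `ttl_days = 180` a token that is only abandoned would stay valid for roughly 100 more days. The delete path is not visible on this page.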