add ability to rotate service api key

BartoszBlizniak · BartoszBlizniak · commit 5c0f7a7c0873 · 2025-12-16T09:38:33.000Z
diff --git a/cloudsmith/resource_service.go b/cloudsmith/resource_service.go
@@ -221,7 +221,31 @@ func resourceServiceUpdate(ctx context.Context, d *schema.ResourceData, m interf
 	if err := waiter(checkerFunc, defaultUpdateTimeout, defaultUpdateInterval); err != nil {
 		return diag.Errorf("error waiting for service (%s) to be updated: %s", d.Id(), err)
 	}
-	if !requiredBool(d, "store_api_key") {
+
+	// If the rotate_api_key field has changed to a non-empty value, trigger an
+	// API key refresh for this service account. The value of rotate_api_key
+	// itself is not sent to the API; it is only used to force a Terraform diff
+	// and therefore an update. Changing it to an empty value (or removing it)
+	// does not trigger a rotation.
+	if d.HasChange("rotate_api_key") {
+		_, newRaw := d.GetChange("rotate_api_key")
+		newVal, _ := newRaw.(string)
+
+		if newVal != "" {
+			refreshReq := pc.APIClient.OrgsApi.OrgsServicesRefresh(pc.Auth, org, d.Id())
+			refreshedService, _, err := pc.APIClient.OrgsApi.OrgsServicesRefreshExecute(refreshReq)
+			if err != nil {
+				return diag.Errorf("error rotating service (%s.%s) API key: %s", org, d.Id(), err)
+			}
+
+			if requiredBool(d, "store_api_key") {
+				d.Set("key", refreshedService.GetKey())
+			} else {
+				d.Set("key", "**redacted**")
+			}
+		}
+	} else if !requiredBool(d, "store_api_key") {
+		// Ensure we never persist the API key in state when store_api_key is false.
 		d.Set("key", "**redacted**")
 	}
 	return resourceServiceRead(ctx, d, m)
@@ -338,6 +362,11 @@ func resourceService() *schema.Resource {
 				Optional:    true,
 				Default:     true,
 			},
+			"rotate_api_key": {
+				Type:        schema.TypeString,
+				Description: "Arbitrary value used to trigger rotation of the service's API key. Change this value to rotate the key for a service account.",
+				Optional:    true,
+			},
 		},
 	}
 }
diff --git a/cloudsmith/resource_service_test.go b/cloudsmith/resource_service_test.go
@@ -50,7 +50,7 @@ func TestAccService_basic(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					testAccServiceCheckExists("cloudsmith_service.test"),
 					resource.TestCheckResourceAttrSet("cloudsmith_service.test", "team.#"),
-          resource.TestMatchTypeSetElemNestedAttrs("cloudsmith_service.test", "team.*", map[string]*regexp.Regexp{
+					resource.TestMatchTypeSetElemNestedAttrs("cloudsmith_service.test", "team.*", map[string]*regexp.Regexp{
 						"slug": regexp.MustCompile("^tf-test-team-svc(-[^2].*)?$"),
 						"role": regexp.MustCompile("^Member$"),
 					}),
@@ -81,6 +81,23 @@ func TestAccService_basic(t *testing.T) {
 					resource.TestCheckResourceAttr("cloudsmith_service.test", "key", "**redacted**"),
 				),
 			},
+			{
+				Config: testAccServiceConfigRotateAPIKeyFirst,
+				Check: resource.ComposeTestCheckFunc(
+					testAccServiceCheckExists("cloudsmith_service.test"),
+					// key should be present in state when store_api_key is true
+					resource.TestCheckResourceAttrSet("cloudsmith_service.test", "key"),
+				),
+			},
+			{
+				Config: testAccServiceConfigRotateAPIKeySecond,
+				Check: resource.ComposeTestCheckFunc(
+					// ensure the resource still exists after rotation
+					testAccServiceCheckExists("cloudsmith_service.test"),
+					// key should still be set after rotation; we don't assert the value
+					resource.TestCheckResourceAttrSet("cloudsmith_service.test", "key"),
+				),
+			},
 			{
 				ResourceName: "cloudsmith_service.test",
 				ImportState:  true,
@@ -93,7 +110,46 @@ func TestAccService_basic(t *testing.T) {
 					), nil
 				},
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"key", "store_api_key"},
+				ImportStateVerifyIgnore: []string{"key", "store_api_key", "rotate_api_key"},
+			},
+		},
+	})
+}
+
+// TestAccService_rotate focuses specifically on exercising the rotate_api_key
+// trigger to ensure that rotating a service account's API key works without
+// involving team assignments or import behaviour.
+func TestAccService_rotate(t *testing.T) {
+	t.Parallel()
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccServiceCheckDestroy("cloudsmith_service.test"),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccServiceConfigBasic,
+				Check: resource.ComposeTestCheckFunc(
+					testAccServiceCheckExists("cloudsmith_service.test"),
+					// initial key should be present when store_api_key is true (default)
+					resource.TestCheckResourceAttrSet("cloudsmith_service.test", "key"),
+				),
+			},
+			{
+				Config: testAccServiceConfigRotateAPIKeyFirst,
+				Check: resource.ComposeTestCheckFunc(
+					testAccServiceCheckExists("cloudsmith_service.test"),
+					// key should still be set after first rotation
+					resource.TestCheckResourceAttrSet("cloudsmith_service.test", "key"),
+				),
+			},
+			{
+				Config: testAccServiceConfigRotateAPIKeySecond,
+				Check: resource.ComposeTestCheckFunc(
+					testAccServiceCheckExists("cloudsmith_service.test"),
+					// key should remain set after subsequent rotations
+					resource.TestCheckResourceAttrSet("cloudsmith_service.test", "key"),
+				),
 			},
 		},
 	})
@@ -173,6 +229,22 @@ resource "cloudsmith_service" "test" {
 }
 `, os.Getenv("CLOUDSMITH_NAMESPACE"))
 
+var testAccServiceConfigRotateAPIKeyFirst = fmt.Sprintf(`
+resource "cloudsmith_service" "test" {
+	name          = "TF Test Service cs"
+	organization  = "%s"
+	rotate_api_key = "first-rotation"
+}
+`, os.Getenv("CLOUDSMITH_NAMESPACE"))
+
+var testAccServiceConfigRotateAPIKeySecond = fmt.Sprintf(`
+resource "cloudsmith_service" "test" {
+	name          = "TF Test Service cs"
+	organization  = "%s"
+	rotate_api_key = "second-rotation"
+}
+`, os.Getenv("CLOUDSMITH_NAMESPACE"))
+
 var testAccServiceConfigBasicAddToTeam = fmt.Sprintf(`
 resource "cloudsmith_team" "test" {
 	name         = "TF Test Team Svc"
diff --git a/docs/resources/service.md b/docs/resources/service.md
@@ -42,6 +42,7 @@ The following arguments are supported:
  	* `role` - (Optional) The service's role in the team. If defined, must be one of `Member` or `Manager`.
  	* `slug` - (Required) The team the service should be added to.
 * `store_api_key` - (Optional) The service's API key to be returned in state. Defaults to `true`. If set to `false`, the "key" value is replaced with `**redacted**`. **NOTE:** This will only be applied to newly created service accounts, **this won't take effect for existing service accounts**.
+* `rotate_api_key` - (Optional) Arbitrary string used to trigger rotation of the service's API key. Setting this to a non-empty value or changing it between non-empty values (for example from `rotation-one` to `rotation-two`) will rotate the API key for the service account. Removing this field or setting it back to an empty value will not trigger a rotation.
 
 ## Attribute Reference
 
