scaleway
diff --git a/‎GNUmakefile‎
Lines changed: 6 additions & 1 deletion b/‎GNUmakefile‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎docs/resources/key_manager_key.md‎
Lines changed: 61 additions & 26 deletions b/‎docs/resources/key_manager_key.md‎
Lines changed: 61 additions & 26 deletions
diff --git a/‎go.mod‎
Lines changed: 1 addition & 1 deletion b/‎go.mod‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎go.sum‎
Lines changed: 2 additions & 2 deletions b/‎go.sum‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎templates/template_test.go‎ renamed to ‎internal/docs/template_test.go‎
Lines changed: 10 additions & 3 deletions b/‎templates/template_test.go‎ renamed to ‎internal/docs/template_test.go‎
Lines changed: 10 additions & 3 deletions
diff --git a/‎internal/services/keymanager/helpers.go‎
Lines changed: 59 additions & 8 deletions b/‎internal/services/keymanager/helpers.go‎
Lines changed: 59 additions & 8 deletions
@@ -53,7 +53,7 @@ test-compile:
 website:
 	@echo "Use this site to preview markdown rendering: https://registry.terraform.io/tools/doc-preview"
 
-.PHONY: build test testacc vet fmt fmtcheck errcheck test-compile website
+.PHONY: build test testacc vet fmt fmtcheck errcheck test-compile website docs
 
 tfproviderlint:
 	go tool tfproviderlint -R014=false -AT001.ignored-filename-suffixes=_data_source_test.go ./...
@@ -63,3 +63,8 @@ tfproviderdocs:
 
 tfproviderlintx:
 	go tool tfproviderlintx -XR001=false -XS002=false ./...
+
+docs:
+	go tool tfplugindocs validate
+	rm -fr ./docs
+	go tool tfplugindocs generate
@@ -9,33 +9,80 @@ This resource allows you to create and manage cryptographic keys in Scaleway Key
 
 ## Example Usage
 
+### Symmetric Encryption Key
+
 ```terraform
-resource "scaleway_key_manager_key" "main" {
-  name         = "my-kms-key"
-  region       = "fr-par"
-  project_id   = "your-project-id" # optional, will use provider default if omitted
-  usage        = "symmetric_encryption"
-  description  = "Key for encrypting secrets"
-  tags         = ["env:prod", "kms"]
-  unprotected  = true
+resource "scaleway_key_manager_key" "symmetric" {
+  name        = "my-kms-key"
+  region      = "fr-par"
+  project_id  = "your-project-id" # optional, will use provider default if omitted
+  usage       = "symmetric_encryption"
+  algorithm   = "aes_256_gcm"
+  description = "Key for encrypting secrets"
+  tags        = ["env:prod", "kms"]
+  unprotected = true
 
   rotation_policy {
     rotation_period = "720h" # 30 days
   }
 }
 ```
 
+### Asymmetric Encryption Key with RSA-4096
+
+```terraform
+resource "scaleway_key_manager_key" "rsa_4096" {
+  name        = "rsa-4096-key"
+  region      = "fr-par"
+  usage       = "asymmetric_encryption"
+  algorithm   = "rsa_oaep_4096_sha256"
+  description = "Key for encrypting large files with RSA-4096"
+  unprotected = true
+}
+```
+
+### Asymmetric Signing Key
+
+```terraform
+resource "scaleway_key_manager_key" "signing" {
+  name        = "signing-key"
+  region      = "fr-par"
+  usage       = "asymmetric_signing"
+  algorithm   = "rsa_pss_2048_sha256"
+  description = "Key for signing documents"
+  unprotected = true
+}
+```
+
 ## Argument Reference
 
 The following arguments are supported:
 
 - `name` (String) – The name of the key.  
 - `region` (String) – The region in which to create the key (e.g., `fr-par`).  
-- `project_id` (String, Optional) – The ID of the project the key belongs to.  
-- `usage` (String, **Required**) – The usage of the key. Valid values are:
-    - `symmetric_encryption`
-    - `asymmetric_encryption`
-    - `asymmetric_signing`
+- `project_id` (String, Optional) – The ID of the project the key belongs to.
+
+**Key Usage and Algorithm (both required):**
+
+- `usage` (String, Required) – The usage type of the key. Valid values:
+    - `symmetric_encryption` – For symmetric encryption operations
+    - `asymmetric_encryption` – For asymmetric encryption operations
+    - `asymmetric_signing` – For digital signing operations
+
+- `algorithm` (String, Required) – The cryptographic algorithm to use. Valid values depend on the `usage`:
+    - For `symmetric_encryption`:
+        - `aes_256_gcm`
+    - For `asymmetric_encryption`:
+        - `rsa_oaep_2048_sha256`
+        - `rsa_oaep_3072_sha256`
+        - `rsa_oaep_4096_sha256`
+    - For `asymmetric_signing`:
+        - `ec_p256_sha256`
+        - `rsa_pss_2048_sha256`
+        - `rsa_pkcs1_2048_sha256`
+
+**Other arguments:**
+
 - `description` (String, Optional) – A description for the key.
 - `tags` (List of String, Optional) – A list of tags to assign to the key.
 - `unprotected` (Boolean, Optional) – If `true`, the key can be deleted. Defaults to `false` (protected).
@@ -57,8 +104,6 @@ In addition to all arguments above, the following attributes are exported:
 - `protected` – Whether the key is protected from deletion.
 - `locked` – Whether the key is locked.
 - `rotated_at` – The date and time when the key was last rotated.
-- `origin_read` – The origin of the key as returned by the API.
-- `region_read` – The region of the key as returned by the API.
 - `rotation_policy` (Block)
     - `rotation_period` – The period between key rotations.
     - `next_rotation_at` – The date and time of the next scheduled rotation.
@@ -77,15 +122,5 @@ terraform import scaleway_key_manager_key.main fr-par/11111111-2222-3333-4444-55
 - **Rotation Policy**: The `rotation_policy` block allows you to set automatic rotation for your key.
 - **Origin**: The `origin` argument is optional and defaults to `scaleway_kms`. Use `external` if you want to import an external key (see Scaleway documentation for details).
 - **Project and Region**: If not specified, `project_id` and `region` will default to the provider configuration.
+- **Algorithm Validation**: The provider validates that the specified `algorithm` is compatible with the `usage` type at plan time, providing early feedback on configuration errors.
 
-## Example: Asymmetric Key
-
-```terraform
-resource "scaleway_key_manager_key" "asym" {
-  name        = "asymmetric-key"
-  region      = "fr-par"
-  usage       = "asymmetric_signing"
-  description = "Key for signing documents"
-  unprotected = true
-}
-```
 
@@ -30,7 +30,7 @@ require (
 	github.com/nats-io/jwt/v2 v2.8.0
 	github.com/nats-io/nats.go v1.46.1
 	github.com/robfig/cron/v3 v3.0.1
-	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.35.0.20250929150437-c65b49480cff
+	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.35.0.20251015050748-12aafea99911
 	github.com/stretchr/testify v1.11.1
 	golang.org/x/crypto v0.43.0
 	golang.org/x/sync v0.17.0
 
@@ -457,8 +457,8 @@ github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/scaleway/scaleway-sdk-go v1.0.0-beta.35.0.20250929150437-c65b49480cff h1:1XC8rVPK4hr2lHdHajSurEV2Orp8eMGQ42vqh4hVX7M=
-github.com/scaleway/scaleway-sdk-go v1.0.0-beta.35.0.20250929150437-c65b49480cff/go.mod h1:DVB9HV7nK7TdTRqlpdxw6T0Wxg+aB9xPBEpO3aM2iqQ=
+github.com/scaleway/scaleway-sdk-go v1.0.0-beta.35.0.20251015050748-12aafea99911 h1:puwRtGGoGw9Rw3qlB7ltimV2+uugkalN08DyVEL1VoE=
+github.com/scaleway/scaleway-sdk-go v1.0.0-beta.35.0.20251015050748-12aafea99911/go.mod h1:SVm1Zk6UpZtqZN6KtEQpjC+v+Lir4tyVfhQTU19q3PA=
 github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8=
 github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
 github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
 
@@ -1,4 +1,4 @@
-package template_test
+package docs_test
 
 import (
 	"bufio"
@@ -13,23 +13,30 @@ import (
 var gotypeRE = regexp.MustCompile(`\{\{.*gotype:.*}}`)
 
 func TestGoTypeDefined(t *testing.T) {
-	err := filepath.WalkDir("resources", func(path string, _ fs.DirEntry, _ error) error {
+	err := filepath.WalkDir("../../templates/resources", func(path string, _ fs.DirEntry, _ error) error {
 		if isTemplate := strings.Contains(path, "tmpl"); isTemplate {
 			f, err := os.Open(path)
 			if err != nil {
 				t.Fatalf("cannot open %s", path)
 			}
-			defer f.Close()
+			defer func(f *os.File) {
+				err := f.Close()
+				if err != nil {
+					t.Fatal(err.Error())
+				}
+			}(f)
 
 			scanner := bufio.NewScanner(f)
 			if !scanner.Scan() {
 				t.Logf("❌ %s: file is empty", path)
 				t.Fail()
 			}
+
 			firstLine := scanner.Text()
 			if gotypeRE.MatchString(firstLine) {
 				return nil
 			}
+
 			t.Logf("gotype missing at top of file: %s", path)
 			t.Fail()
 		}
 
@@ -13,21 +13,27 @@ import (
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/types"
 )
 
+const (
+	usageSymmetricEncryption  = "symmetric_encryption"
+	usageAsymmetricEncryption = "asymmetric_encryption"
+	usageAsymmetricSigning    = "asymmetric_signing"
+)
+
 func UsageToString(u *key_manager.KeyUsage) string {
 	if u == nil {
 		return ""
 	}
 
 	if u.SymmetricEncryption != nil {
-		return "symmetric_encryption"
+		return usageSymmetricEncryption
 	}
 
 	if u.AsymmetricEncryption != nil {
-		return "asymmetric_encryption"
+		return usageAsymmetricEncryption
 	}
 
 	if u.AsymmetricSigning != nil {
-		return "asymmetric_signing"
+		return usageAsymmetricSigning
 	}
 
 	return ""
@@ -55,17 +61,43 @@ func NewKeyManagerAPIWithRegionAndID(m any, id string) (*key_manager.API, scw.Re
 	return client, region, keyID, nil
 }
 
-func ExpandKeyUsage(usage string) *key_manager.KeyUsage {
+func ExpandKeyUsageFromFields(d *schema.ResourceData) *key_manager.KeyUsage {
+	if v, ok := d.GetOk("usage_symmetric_encryption"); ok {
+		alg := key_manager.KeyAlgorithmSymmetricEncryption(v.(string))
+
+		return &key_manager.KeyUsage{SymmetricEncryption: &alg}
+	}
+
+	if v, ok := d.GetOk("usage_asymmetric_encryption"); ok {
+		alg := key_manager.KeyAlgorithmAsymmetricEncryption(v.(string))
+
+		return &key_manager.KeyUsage{AsymmetricEncryption: &alg}
+	}
+
+	if v, ok := d.GetOk("usage_asymmetric_signing"); ok {
+		alg := key_manager.KeyAlgorithmAsymmetricSigning(v.(string))
+
+		return &key_manager.KeyUsage{AsymmetricSigning: &alg}
+	}
+
+	if v, ok := d.GetOk("usage"); ok {
+		return ExpandKeyUsageLegacy(v.(string))
+	}
+
+	return nil
+}
+
+func ExpandKeyUsageLegacy(usage string) *key_manager.KeyUsage {
 	switch usage {
-	case "symmetric_encryption":
+	case usageSymmetricEncryption:
 		alg := key_manager.KeyAlgorithmSymmetricEncryptionAes256Gcm
 
 		return &key_manager.KeyUsage{SymmetricEncryption: &alg}
-	case "asymmetric_encryption":
+	case usageAsymmetricEncryption:
 		alg := key_manager.KeyAlgorithmAsymmetricEncryptionRsaOaep3072Sha256
 
 		return &key_manager.KeyUsage{AsymmetricEncryption: &alg}
-	case "asymmetric_signing":
+	case usageAsymmetricSigning:
 		alg := key_manager.KeyAlgorithmAsymmetricSigningEcP256Sha256
 
 		return &key_manager.KeyUsage{AsymmetricSigning: &alg}
@@ -74,6 +106,26 @@ func ExpandKeyUsage(usage string) *key_manager.KeyUsage {
 	}
 }
 
+func AlgorithmFromKeyUsage(u *key_manager.KeyUsage) string {
+	if u == nil {
+		return ""
+	}
+
+	if u.SymmetricEncryption != nil {
+		return string(*u.SymmetricEncryption)
+	}
+
+	if u.AsymmetricEncryption != nil {
+		return string(*u.AsymmetricEncryption)
+	}
+
+	if u.AsymmetricSigning != nil {
+		return string(*u.AsymmetricSigning)
+	}
+
+	return ""
+}
+
 func ExpandKeyRotationPolicy(v any) (*key_manager.KeyRotationPolicy, error) {
 	list, ok := v.([]any)
 	if !ok || len(list) == 0 {
@@ -99,7 +151,6 @@ func ExpandKeyRotationPolicy(v any) (*key_manager.KeyRotationPolicy, error) {
 		RotationPeriod: scw.NewDurationFromTimeDuration(period),
 	}
 
-	// Handle next_rotation_at if provided
 	if nextRotationStr, ok := m["next_rotation_at"].(string); ok && nextRotationStr != "" {
 		nextRotation, err := time.Parse(time.RFC3339, nextRotationStr)
 		if err != nil {