feat: allow explicit algorithm selection in Key Manager keys

Author: jremy42

internal/services/keymanager/helpers.go

@@ -55,28 +55,39 @@ func NewKeyManagerAPIWithRegionAndID(m any, id string) (*key_manager.API, scw.Re
 	return client, region, keyID, nil
 }
 
-func ExpandKeyUsage(usage string, algorithm string) *key_manager.KeyUsage {
+func ExpandKeyUsageFromFields(d *schema.ResourceData) *key_manager.KeyUsage {
+	if v, ok := d.GetOk("usage_symmetric_encryption"); ok {
+		alg := key_manager.KeyAlgorithmSymmetricEncryption(v.(string))
+		return &key_manager.KeyUsage{SymmetricEncryption: &alg}
+	}
+
+	if v, ok := d.GetOk("usage_asymmetric_encryption"); ok {
+		alg := key_manager.KeyAlgorithmAsymmetricEncryption(v.(string))
+		return &key_manager.KeyUsage{AsymmetricEncryption: &alg}
+	}
+
+	if v, ok := d.GetOk("usage_asymmetric_signing"); ok {
+		alg := key_manager.KeyAlgorithmAsymmetricSigning(v.(string))
+		return &key_manager.KeyUsage{AsymmetricSigning: &alg}
+	}
+
+	if v, ok := d.GetOk("usage"); ok {
+		return ExpandKeyUsageLegacy(v.(string))
+	}
+
+	return nil
+}
+
+func ExpandKeyUsageLegacy(usage string) *key_manager.KeyUsage {
 	switch usage {
 	case "symmetric_encryption":
 		alg := key_manager.KeyAlgorithmSymmetricEncryptionAes256Gcm
-		if algorithm != "" {
-			alg = key_manager.KeyAlgorithmSymmetricEncryption(algorithm)
-		}
-
 		return &key_manager.KeyUsage{SymmetricEncryption: &alg}
 	case "asymmetric_encryption":
 		alg := key_manager.KeyAlgorithmAsymmetricEncryptionRsaOaep3072Sha256
-		if algorithm != "" {
-			alg = key_manager.KeyAlgorithmAsymmetricEncryption(algorithm)
-		}
-
 		return &key_manager.KeyUsage{AsymmetricEncryption: &alg}
 	case "asymmetric_signing":
 		alg := key_manager.KeyAlgorithmAsymmetricSigningEcP256Sha256
-		if algorithm != "" {
-			alg = key_manager.KeyAlgorithmAsymmetricSigning(algorithm)
-		}
-
 		return &key_manager.KeyUsage{AsymmetricSigning: &alg}
 	default:
 		return nil
@@ -128,7 +139,6 @@ func ExpandKeyRotationPolicy(v any) (*key_manager.KeyRotationPolicy, error) {
 		RotationPeriod: scw.NewDurationFromTimeDuration(period),
 	}
 
-	// Handle next_rotation_at if provided
 	if nextRotationStr, ok := m["next_rotation_at"].(string); ok && nextRotationStr != "" {
 		nextRotation, err := time.Parse(time.RFC3339, nextRotationStr)
 		if err != nil {

internal/services/keymanager/key_resource.go

@@ -29,17 +29,65 @@ func ResourceKeyManagerKey() *schema.Resource {
 			"region":     regional.Schema(),
 			"usage": {
 				Type:     schema.TypeString,
-				Required: true,
+				Optional: true,
+				Computed: true,
 				ValidateFunc: validation.StringInSlice([]string{
 					"symmetric_encryption", "asymmetric_encryption", "asymmetric_signing",
 				}, false),
-				Description: "Key usage. Keys with a usage set to 'symmetric_encryption' can encrypt and decrypt data using the AES-256-GCM key algorithm. Possible values: symmetric_encryption, asymmetric_encryption, asymmetric_signing.",
+				Deprecated:  "Use usage_symmetric_encryption, usage_asymmetric_encryption, or usage_asymmetric_signing instead",
+				Description: "DEPRECATED: Use usage_symmetric_encryption, usage_asymmetric_encryption, or usage_asymmetric_signing instead. Key usage. Possible values: symmetric_encryption, asymmetric_encryption, asymmetric_signing.",
+				ExactlyOneOf: []string{
+					"usage",
+					"usage_symmetric_encryption",
+					"usage_asymmetric_encryption",
+					"usage_asymmetric_signing",
+				},
 			},
-			"algorithm": {
-				Type:        schema.TypeString,
-				Optional:    true,
-				Computed:    true,
-				Description: "Algorithm for the key. If not specified, a default algorithm is chosen based on usage. See Key Manager documentation for supported algorithms.",
+			"usage_symmetric_encryption": {
+				Type:     schema.TypeString,
+				Optional: true,
+				ValidateFunc: validation.StringInSlice([]string{
+					"aes_256_gcm",
+				}, false),
+				Description: "Algorithm for symmetric encryption. Possible values: aes_256_gcm",
+				ExactlyOneOf: []string{
+					"usage",
+					"usage_symmetric_encryption",
+					"usage_asymmetric_encryption",
+					"usage_asymmetric_signing",
+				},
+			},
+			"usage_asymmetric_encryption": {
+				Type:     schema.TypeString,
+				Optional: true,
+				ValidateFunc: validation.StringInSlice([]string{
+					"rsa_oaep_2048_sha256",
+					"rsa_oaep_3072_sha256",
+					"rsa_oaep_4096_sha256",
+				}, false),
+				Description: "Algorithm for asymmetric encryption. Possible values: rsa_oaep_2048_sha256, rsa_oaep_3072_sha256, rsa_oaep_4096_sha256",
+				ExactlyOneOf: []string{
+					"usage",
+					"usage_symmetric_encryption",
+					"usage_asymmetric_encryption",
+					"usage_asymmetric_signing",
+				},
+			},
+			"usage_asymmetric_signing": {
+				Type:     schema.TypeString,
+				Optional: true,
+				ValidateFunc: validation.StringInSlice([]string{
+					"ec_p256_sha256",
+					"rsa_pss_2048_sha256",
+					"rsa_pkcs1_2048_sha256",
+				}, false),
+				Description: "Algorithm for asymmetric signing. Possible values: ec_p256_sha256, rsa_pss_2048_sha256, rsa_pkcs1_2048_sha256",
+				ExactlyOneOf: []string{
+					"usage",
+					"usage_symmetric_encryption",
+					"usage_asymmetric_encryption",
+					"usage_asymmetric_signing",
+				},
 			},
 			"description": {
 				Type:        schema.TypeString,
@@ -122,8 +170,7 @@ func resourceKeyManagerKeyCreate(ctx context.Context, d *schema.ResourceData, m
 		createReq.Origin = key_manager.KeyOrigin(v.(string))
 	}
 
-	algorithm := d.Get("algorithm").(string)
-	createReq.Usage = ExpandKeyUsage(d.Get("usage").(string), algorithm)
+	createReq.Usage = ExpandKeyUsageFromFields(d)
 
 	key, err := api.CreateKey(createReq)
 	if err != nil {
@@ -152,8 +199,25 @@ func resourceKeyManagerKeyRead(ctx context.Context, d *schema.ResourceData, m an
 	_ = d.Set("name", key.Name)
 	_ = d.Set("project_id", key.ProjectID)
 	_ = d.Set("region", key.Region.String())
-	_ = d.Set("usage", UsageToString(key.Usage))
-	_ = d.Set("algorithm", AlgorithmFromKeyUsage(key.Usage))
+
+	usageType := UsageToString(key.Usage)
+	algorithm := AlgorithmFromKeyUsage(key.Usage)
+
+	_ = d.Set("usage", usageType)
+
+	_, usesLegacy := d.GetOk("usage")
+
+	if !usesLegacy {
+		switch usageType {
+		case "symmetric_encryption":
+			_ = d.Set("usage_symmetric_encryption", algorithm)
+		case "asymmetric_encryption":
+			_ = d.Set("usage_asymmetric_encryption", algorithm)
+		case "asymmetric_signing":
+			_ = d.Set("usage_asymmetric_signing", algorithm)
+		}
+	}
+
 	_ = d.Set("description", key.Description)
 	_ = d.Set("tags", key.Tags)
 	_ = d.Set("rotation_count", int(key.RotationCount))

internal/services/keymanager/key_resource_test.go

@@ -24,18 +24,19 @@ func TestAccKeyManagerKey_Basic(t *testing.T) {
 			{
 				Config: `
 				resource "scaleway_key_manager_key" "main" {
-				  name         = "tf-test-kms-key-unprotected-a"
-				  region       = "fr-par"
-				  usage        = "symmetric_encryption"
-				  description  = "Test key"
-				  tags         = ["tf", "test"]
-				  unprotected  = true
+				  name                        = "tf-test-kms-key-unprotected-a"
+				  region                      = "fr-par"
+				  usage_symmetric_encryption  = "aes_256_gcm"
+				  description                 = "Test key"
+				  tags                        = ["tf", "test"]
+				  unprotected                 = true
 				}
 				`,
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("scaleway_key_manager_key.main", "name", "tf-test-kms-key-unprotected-a"),
 					resource.TestCheckResourceAttr("scaleway_key_manager_key.main", "region", "fr-par"),
 					resource.TestCheckResourceAttr("scaleway_key_manager_key.main", "usage", "symmetric_encryption"),
+					resource.TestCheckResourceAttr("scaleway_key_manager_key.main", "usage_symmetric_encryption", "aes_256_gcm"),
 					resource.TestCheckResourceAttr("scaleway_key_manager_key.main", "description", "Test key"),
 					resource.TestCheckResourceAttr("scaleway_key_manager_key.main", "tags.0", "tf"),
 					resource.TestCheckResourceAttr("scaleway_key_manager_key.main", "tags.1", "test"),
@@ -57,34 +58,36 @@ func TestAccKeyManagerKey_Update(t *testing.T) {
 			{
 				Config: `
 				resource "scaleway_key_manager_key" "main" {
-				  name         = "tf-test-kms-key-update"
-				  region       = "fr-par"
-				  usage        = "symmetric_encryption"
-				  description  = "Test key"
-				  tags         = ["tf", "test"]
-				  unprotected  = true
+				  name                        = "tf-test-kms-key-update"
+				  region                      = "fr-par"
+				  usage_symmetric_encryption  = "aes_256_gcm"
+				  description                 = "Test key"
+				  tags                        = ["tf", "test"]
+				  unprotected                 = true
 				}
 				`,
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("scaleway_key_manager_key.main", "name", "tf-test-kms-key-update"),
 					resource.TestCheckResourceAttr("scaleway_key_manager_key.main", "description", "Test key"),
+					resource.TestCheckResourceAttr("scaleway_key_manager_key.main", "usage_symmetric_encryption", "aes_256_gcm"),
 				),
 			},
 			{
 				Config: `
 				resource "scaleway_key_manager_key" "main" {
-				  name         = "tf-test-kms-key-updated"
-				  region       = "fr-par"
-				  usage        = "symmetric_encryption"
-				  description  = "Test key updated"
-				  tags         = ["tf", "updated"]
-				  unprotected  = true
+				  name                        = "tf-test-kms-key-updated"
+				  region                      = "fr-par"
+				  usage_symmetric_encryption  = "aes_256_gcm"
+				  description                 = "Test key updated"
+				  tags                        = ["tf", "updated"]
+				  unprotected                 = true
 				}
 				`,
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("scaleway_key_manager_key.main", "name", "tf-test-kms-key-updated"),
 					resource.TestCheckResourceAttr("scaleway_key_manager_key.main", "description", "Test key updated"),
 					resource.TestCheckResourceAttr("scaleway_key_manager_key.main", "tags.1", "updated"),
+					resource.TestCheckResourceAttr("scaleway_key_manager_key.main", "usage_symmetric_encryption", "aes_256_gcm"),
 				),
 			},
 		},
@@ -136,11 +139,11 @@ func TestAccKeyManagerKey_WithRotationPolicy(t *testing.T) {
 			{
 				Config: `
 				resource "scaleway_key_manager_key" "main" {
-				  name         = "tf-test-kms-key-rotation"
-				  region       = "fr-par"
-				  usage        = "symmetric_encryption"
-				  description  = "Test key with rotation policy"
-				  unprotected  = true
+				  name                        = "tf-test-kms-key-rotation"
+				  region                      = "fr-par"
+				  usage_symmetric_encryption  = "aes_256_gcm"
+				  description                 = "Test key with rotation policy"
+				  unprotected                 = true
 				  
 				  rotation_policy {
 				    rotation_period = "720h"
@@ -151,6 +154,7 @@ func TestAccKeyManagerKey_WithRotationPolicy(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("scaleway_key_manager_key.main", "name", "tf-test-kms-key-rotation"),
 					resource.TestCheckResourceAttr("scaleway_key_manager_key.main", "usage", "symmetric_encryption"),
+					resource.TestCheckResourceAttr("scaleway_key_manager_key.main", "usage_symmetric_encryption", "aes_256_gcm"),
 					resource.TestCheckResourceAttr("scaleway_key_manager_key.main", "description", "Test key with rotation policy"),
 					resource.TestCheckResourceAttr("scaleway_key_manager_key.main", "rotation_policy.0.rotation_period", "720h0m0s"),
 				),
@@ -171,18 +175,17 @@ func TestAccKeyManagerKey_WithCustomAlgorithm(t *testing.T) {
 			{
 				Config: `
 				resource "scaleway_key_manager_key" "rsa_4096" {
-				  name         = "tf-test-kms-key-rsa4096"
-				  region       = "fr-par"
-				  usage        = "asymmetric_encryption"
-				  algorithm    = "rsa_oaep_4096_sha256"
-				  description  = "Test key with RSA-4096 algorithm"
-				  unprotected  = true
+				  name                            = "tf-test-kms-key-rsa4096"
+				  region                          = "fr-par"
+				  usage_asymmetric_encryption     = "rsa_oaep_4096_sha256"
+				  description                     = "Test key with RSA-4096 algorithm"
+				  unprotected                     = true
 				}
 				`,
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("scaleway_key_manager_key.rsa_4096", "name", "tf-test-kms-key-rsa4096"),
 					resource.TestCheckResourceAttr("scaleway_key_manager_key.rsa_4096", "usage", "asymmetric_encryption"),
-					resource.TestCheckResourceAttr("scaleway_key_manager_key.rsa_4096", "algorithm", "rsa_oaep_4096_sha256"),
+					resource.TestCheckResourceAttr("scaleway_key_manager_key.rsa_4096", "usage_asymmetric_encryption", "rsa_oaep_4096_sha256"),
 					resource.TestCheckResourceAttr("scaleway_key_manager_key.rsa_4096", "description", "Test key with RSA-4096 algorithm"),
 				),
 			},
@@ -202,19 +205,47 @@ func TestAccKeyManagerKey_DefaultAlgorithm(t *testing.T) {
 			{
 				Config: `
 				resource "scaleway_key_manager_key" "default_alg" {
-				  name         = "tf-test-kms-key-default-alg"
-				  region       = "fr-par"
-				  usage        = "asymmetric_encryption"
-				  description  = "Test key with default algorithm"
-				  unprotected  = true
+				  name                            = "tf-test-kms-key-default-alg"
+				  region                          = "fr-par"
+				  usage_asymmetric_encryption     = "rsa_oaep_3072_sha256"
+				  description                     = "Test key with RSA-3072 algorithm"
+				  unprotected                     = true
 				}
 				`,
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("scaleway_key_manager_key.default_alg", "name", "tf-test-kms-key-default-alg"),
 					resource.TestCheckResourceAttr("scaleway_key_manager_key.default_alg", "usage", "asymmetric_encryption"),
-					// Verify default algorithm is set (RSA-OAEP-3072-SHA256)
-					resource.TestCheckResourceAttr("scaleway_key_manager_key.default_alg", "algorithm", "rsa_oaep_3072_sha256"),
-					resource.TestCheckResourceAttr("scaleway_key_manager_key.default_alg", "description", "Test key with default algorithm"),
+					resource.TestCheckResourceAttr("scaleway_key_manager_key.default_alg", "usage_asymmetric_encryption", "rsa_oaep_3072_sha256"),
+					resource.TestCheckResourceAttr("scaleway_key_manager_key.default_alg", "description", "Test key with RSA-3072 algorithm"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccKeyManagerKey_LegacyUsage(t *testing.T) {
+	tt := acctest.NewTestTools(t)
+	defer tt.Cleanup()
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(t) },
+		ProtoV6ProviderFactories: tt.ProviderFactories,
+		CheckDestroy:             IsKeyManagerKeyDestroyed(tt),
+		Steps: []resource.TestStep{
+			{
+				Config: `
+				resource "scaleway_key_manager_key" "legacy" {
+				  name         = "tf-test-kms-key-legacy"
+				  region       = "fr-par"
+				  usage        = "symmetric_encryption"
+				  description  = "Test key with deprecated usage field"
+				  unprotected  = true
+				}
+				`,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("scaleway_key_manager_key.legacy", "name", "tf-test-kms-key-legacy"),
+					resource.TestCheckResourceAttr("scaleway_key_manager_key.legacy", "usage", "symmetric_encryption"),
+					resource.TestCheckResourceAttr("scaleway_key_manager_key.legacy", "description", "Test key with deprecated usage field"),
 				),
 			},
 		},