feat(keymanager): add algorithm field to allow custom key algorithms (#3403)

* feat(keymanager): add algorithm field to allow custom key algorithms

* docs(keymanager): document algorithm parameter with examples

* test(keymanager): add tests and cassettes for algorithm parameter

* test(keymanager): add cassette for custom algorithm test

* feat: allow explicit algorithm selection in Key Manager keys

* fix: lint issues in Key Manager implementation

* feat: use SDK enums for Key Manager algorithm validation

* feat: refactor Key Manager to use usage + algorithm (AWS-like approach)

* chore: go mod tidy

* refactor: remove comments from functions

Author: jremy42

internal/services/keymanager/helpers.go

@@ -13,21 +13,27 @@ import (
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/types"
 )
 
+const (
+	usageSymmetricEncryption  = "symmetric_encryption"
+	usageAsymmetricEncryption = "asymmetric_encryption"
+	usageAsymmetricSigning    = "asymmetric_signing"
+)
+
 func UsageToString(u *key_manager.KeyUsage) string {
 	if u == nil {
 		return ""
 	}
 
 	if u.SymmetricEncryption != nil {
-		return "symmetric_encryption"
+		return usageSymmetricEncryption
 	}
 
 	if u.AsymmetricEncryption != nil {
-		return "asymmetric_encryption"
+		return usageAsymmetricEncryption
 	}
 
 	if u.AsymmetricSigning != nil {
-		return "asymmetric_signing"
+		return usageAsymmetricSigning
 	}
 
 	return ""
@@ -55,17 +61,43 @@ func NewKeyManagerAPIWithRegionAndID(m any, id string) (*key_manager.API, scw.Re
 	return client, region, keyID, nil
 }
 
-func ExpandKeyUsage(usage string) *key_manager.KeyUsage {
+func ExpandKeyUsageFromFields(d *schema.ResourceData) *key_manager.KeyUsage {
+	if v, ok := d.GetOk("usage_symmetric_encryption"); ok {
+		alg := key_manager.KeyAlgorithmSymmetricEncryption(v.(string))
+
+		return &key_manager.KeyUsage{SymmetricEncryption: &alg}
+	}
+
+	if v, ok := d.GetOk("usage_asymmetric_encryption"); ok {
+		alg := key_manager.KeyAlgorithmAsymmetricEncryption(v.(string))
+
+		return &key_manager.KeyUsage{AsymmetricEncryption: &alg}
+	}
+
+	if v, ok := d.GetOk("usage_asymmetric_signing"); ok {
+		alg := key_manager.KeyAlgorithmAsymmetricSigning(v.(string))
+
+		return &key_manager.KeyUsage{AsymmetricSigning: &alg}
+	}
+
+	if v, ok := d.GetOk("usage"); ok {
+		return ExpandKeyUsageLegacy(v.(string))
+	}
+
+	return nil
+}
+
+func ExpandKeyUsageLegacy(usage string) *key_manager.KeyUsage {
 	switch usage {
-	case "symmetric_encryption":
+	case usageSymmetricEncryption:
 		alg := key_manager.KeyAlgorithmSymmetricEncryptionAes256Gcm
 
 		return &key_manager.KeyUsage{SymmetricEncryption: &alg}
-	case "asymmetric_encryption":
+	case usageAsymmetricEncryption:
 		alg := key_manager.KeyAlgorithmAsymmetricEncryptionRsaOaep3072Sha256
 
 		return &key_manager.KeyUsage{AsymmetricEncryption: &alg}
-	case "asymmetric_signing":
+	case usageAsymmetricSigning:
 		alg := key_manager.KeyAlgorithmAsymmetricSigningEcP256Sha256
 
 		return &key_manager.KeyUsage{AsymmetricSigning: &alg}
@@ -74,6 +106,26 @@ func ExpandKeyUsage(usage string) *key_manager.KeyUsage {
 	}
 }
 
+func AlgorithmFromKeyUsage(u *key_manager.KeyUsage) string {
+	if u == nil {
+		return ""
+	}
+
+	if u.SymmetricEncryption != nil {
+		return string(*u.SymmetricEncryption)
+	}
+
+	if u.AsymmetricEncryption != nil {
+		return string(*u.AsymmetricEncryption)
+	}
+
+	if u.AsymmetricSigning != nil {
+		return string(*u.AsymmetricSigning)
+	}
+
+	return ""
+}
+
 func ExpandKeyRotationPolicy(v any) (*key_manager.KeyRotationPolicy, error) {
 	list, ok := v.([]any)
 	if !ok || len(list) == 0 {
@@ -99,7 +151,6 @@ func ExpandKeyRotationPolicy(v any) (*key_manager.KeyRotationPolicy, error) {
 		RotationPeriod: scw.NewDurationFromTimeDuration(period),
 	}
 
-	// Handle next_rotation_at if provided
 	if nextRotationStr, ok := m["next_rotation_at"].(string); ok && nextRotationStr != "" {
 		nextRotation, err := time.Parse(time.RFC3339, nextRotationStr)
 		if err != nil {

internal/services/keymanager/key_resource.go

@@ -2,15 +2,19 @@ package keymanager
 
 import (
 	"context"
+	"fmt"
 
+	"github.com/hashicorp/go-cty/cty"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/customdiff"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 	key_manager "github.com/scaleway/scaleway-sdk-go/api/key_manager/v1alpha1"
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/dsf"
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/locality/regional"
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/services/account"
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/types"
+	"github.com/scaleway/terraform-provider-scaleway/v2/internal/verify"
 )
 
 func ResourceKeyManagerKey() *schema.Resource {
@@ -19,6 +23,9 @@ func ResourceKeyManagerKey() *schema.Resource {
 		ReadContext:   resourceKeyManagerKeyRead,
 		UpdateContext: resourceKeyManagerKeyUpdate,
 		DeleteContext: resourceKeyManagerKeyDelete,
+		CustomizeDiff: customdiff.All(
+			validateUsageAlgorithmCombination(),
+		),
 		Schema: map[string]*schema.Schema{
 			"name": {
 				Type:        schema.TypeString,
@@ -33,7 +40,32 @@ func ResourceKeyManagerKey() *schema.Resource {
 				ValidateFunc: validation.StringInSlice([]string{
 					"symmetric_encryption", "asymmetric_encryption", "asymmetric_signing",
 				}, false),
-				Description: "Key usage. Keys with a usage set to 'symmetric_encryption' can encrypt and decrypt data using the AES-256-GCM key algorithm. Possible values: symmetric_encryption, asymmetric_encryption, asymmetric_signing.",
+				Description: "Key usage type. Possible values: symmetric_encryption, asymmetric_encryption, asymmetric_signing.",
+			},
+			"algorithm": {
+				Type:        schema.TypeString,
+				Required:    true,
+				Description: "Algorithm to use for the key. The valid algorithms depend on the usage type.",
+				ValidateDiagFunc: func(i any, p cty.Path) diag.Diagnostics {
+					var allKnownAlgos []string
+
+					symAlgos := key_manager.KeyAlgorithmSymmetricEncryption("").Values()
+					for _, algo := range symAlgos {
+						allKnownAlgos = append(allKnownAlgos, string(algo))
+					}
+
+					asymEncAlgos := key_manager.KeyAlgorithmAsymmetricEncryption("").Values()
+					for _, algo := range asymEncAlgos {
+						allKnownAlgos = append(allKnownAlgos, string(algo))
+					}
+
+					asymSignAlgos := key_manager.KeyAlgorithmAsymmetricSigning("").Values()
+					for _, algo := range asymSignAlgos {
+						allKnownAlgos = append(allKnownAlgos, string(algo))
+					}
+
+					return verify.ValidateStringInSliceWithWarning(allKnownAlgos, "algorithm")(i, p)
+				},
 			},
 			"description": {
 				Type:        schema.TypeString,
@@ -116,7 +148,15 @@ func resourceKeyManagerKeyCreate(ctx context.Context, d *schema.ResourceData, m
 		createReq.Origin = key_manager.KeyOrigin(v.(string))
 	}
 
-	createReq.Usage = ExpandKeyUsage(d.Get("usage").(string))
+	usage := d.Get("usage").(string)
+	algorithm := d.Get("algorithm").(string)
+
+	keyUsage, err := expandUsageAlgorithm(usage, algorithm)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	createReq.Usage = keyUsage
 
 	key, err := api.CreateKey(createReq)
 	if err != nil {
@@ -145,7 +185,13 @@ func resourceKeyManagerKeyRead(ctx context.Context, d *schema.ResourceData, m an
 	_ = d.Set("name", key.Name)
 	_ = d.Set("project_id", key.ProjectID)
 	_ = d.Set("region", key.Region.String())
-	_ = d.Set("usage", UsageToString(key.Usage))
+
+	usageType := UsageToString(key.Usage)
+	algorithm := AlgorithmFromKeyUsage(key.Usage)
+
+	_ = d.Set("usage", usageType)
+	_ = d.Set("algorithm", algorithm)
+
 	_ = d.Set("description", key.Description)
 	_ = d.Set("tags", key.Tags)
 	_ = d.Set("rotation_count", int(key.RotationCount))
@@ -222,3 +268,31 @@ func resourceKeyManagerKeyDelete(ctx context.Context, d *schema.ResourceData, m
 
 	return nil
 }
+
+func validateUsageAlgorithmCombination() schema.CustomizeDiffFunc {
+	return func(ctx context.Context, diff *schema.ResourceDiff, _ any) error {
+		return nil
+	}
+}
+
+func expandUsageAlgorithm(usage, algorithm string) (*key_manager.KeyUsage, error) {
+	switch usage {
+	case usageSymmetricEncryption:
+		typedAlgo := key_manager.KeyAlgorithmSymmetricEncryption(algorithm)
+
+		return &key_manager.KeyUsage{SymmetricEncryption: &typedAlgo}, nil
+
+	case usageAsymmetricEncryption:
+		typedAlgo := key_manager.KeyAlgorithmAsymmetricEncryption(algorithm)
+
+		return &key_manager.KeyUsage{AsymmetricEncryption: &typedAlgo}, nil
+
+	case usageAsymmetricSigning:
+		typedAlgo := key_manager.KeyAlgorithmAsymmetricSigning(algorithm)
+
+		return &key_manager.KeyUsage{AsymmetricSigning: &typedAlgo}, nil
+
+	default:
+		return nil, fmt.Errorf("unknown usage type: %s", usage)
+	}
+}