feat(keymanager): add algorithm field to allow custom key algorithms

internal/services/keymanager/helpers.go

@@ -13,21 +13,27 @@ import (
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/types"
 )
 
+const (
+	usageSymmetricEncryption  = "symmetric_encryption"
+	usageAsymmetricEncryption = "asymmetric_encryption"
+	usageAsymmetricSigning    = "asymmetric_signing"
+)
+
 func UsageToString(u *key_manager.KeyUsage) string {
 	if u == nil {
 		return ""
 	}
 
 	if u.SymmetricEncryption != nil {
-		return "symmetric_encryption"
+		return usageSymmetricEncryption
 	}
 
 	if u.AsymmetricEncryption != nil {
-		return "asymmetric_encryption"
+		return usageAsymmetricEncryption
 	}
 
 	if u.AsymmetricSigning != nil {
-		return "asymmetric_signing"
+		return usageAsymmetricSigning
 	}
 
 	return ""
@@ -55,17 +61,43 @@ func NewKeyManagerAPIWithRegionAndID(m any, id string) (*key_manager.API, scw.Re
 	return client, region, keyID, nil
 }
 
-func ExpandKeyUsage(usage string) *key_manager.KeyUsage {
+func ExpandKeyUsageFromFields(d *schema.ResourceData) *key_manager.KeyUsage {
+	if v, ok := d.GetOk("usage_symmetric_encryption"); ok {
+		alg := key_manager.KeyAlgorithmSymmetricEncryption(v.(string))
+
+		return &key_manager.KeyUsage{SymmetricEncryption: &alg}
+	}
+
+	if v, ok := d.GetOk("usage_asymmetric_encryption"); ok {
+		alg := key_manager.KeyAlgorithmAsymmetricEncryption(v.(string))
+
+		return &key_manager.KeyUsage{AsymmetricEncryption: &alg}
+	}
+
+	if v, ok := d.GetOk("usage_asymmetric_signing"); ok {
+		alg := key_manager.KeyAlgorithmAsymmetricSigning(v.(string))
+
+		return &key_manager.KeyUsage{AsymmetricSigning: &alg}
+	}
+
+	if v, ok := d.GetOk("usage"); ok {
+		return ExpandKeyUsageLegacy(v.(string))
+	}
+
+	return nil
+}
+
+func ExpandKeyUsageLegacy(usage string) *key_manager.KeyUsage {
 	switch usage {
-	case "symmetric_encryption":
+	case usageSymmetricEncryption:
 		alg := key_manager.KeyAlgorithmSymmetricEncryptionAes256Gcm
 
 		return &key_manager.KeyUsage{SymmetricEncryption: &alg}
-	case "asymmetric_encryption":
+	case usageAsymmetricEncryption:
 		alg := key_manager.KeyAlgorithmAsymmetricEncryptionRsaOaep3072Sha256
 
 		return &key_manager.KeyUsage{AsymmetricEncryption: &alg}
-	case "asymmetric_signing":
+	case usageAsymmetricSigning:
 		alg := key_manager.KeyAlgorithmAsymmetricSigningEcP256Sha256
 
 		return &key_manager.KeyUsage{AsymmetricSigning: &alg}
@@ -74,6 +106,26 @@ func ExpandKeyUsage(usage string) *key_manager.KeyUsage {
 	}
 }
 
+func AlgorithmFromKeyUsage(u *key_manager.KeyUsage) string {
+	if u == nil {
+		return ""
+	}
+
+	if u.SymmetricEncryption != nil {
+		return string(*u.SymmetricEncryption)
+	}
+
+	if u.AsymmetricEncryption != nil {
+		return string(*u.AsymmetricEncryption)
+	}
+
+	if u.AsymmetricSigning != nil {
+		return string(*u.AsymmetricSigning)
+	}
+
+	return ""
+}
+
 func ExpandKeyRotationPolicy(v any) (*key_manager.KeyRotationPolicy, error) {
 	list, ok := v.([]any)
 	if !ok || len(list) == 0 {
@@ -99,7 +151,6 @@ func ExpandKeyRotationPolicy(v any) (*key_manager.KeyRotationPolicy, error) {
 		RotationPeriod: scw.NewDurationFromTimeDuration(period),
 	}
 
-	// Handle next_rotation_at if provided
 	if nextRotationStr, ok := m["next_rotation_at"].(string); ok && nextRotationStr != "" {
 		nextRotation, err := time.Parse(time.RFC3339, nextRotationStr)
 		if err != nil {

internal/services/keymanager/key_resource.go

@@ -29,11 +29,65 @@ func ResourceKeyManagerKey() *schema.Resource {
 			"region":     regional.Schema(),
 			"usage": {
 				Type:     schema.TypeString,
-				Required: true,
+				Optional: true,
+				Computed: true,
 				ValidateFunc: validation.StringInSlice([]string{
 					"symmetric_encryption", "asymmetric_encryption", "asymmetric_signing",
 				}, false),
-				Description: "Key usage. Keys with a usage set to 'symmetric_encryption' can encrypt and decrypt data using the AES-256-GCM key algorithm. Possible values: symmetric_encryption, asymmetric_encryption, asymmetric_signing.",
+				Deprecated:  "Use usage_symmetric_encryption, usage_asymmetric_encryption, or usage_asymmetric_signing instead",
+				Description: "DEPRECATED: Use usage_symmetric_encryption, usage_asymmetric_encryption, or usage_asymmetric_signing instead. Key usage. Possible values: symmetric_encryption, asymmetric_encryption, asymmetric_signing.",
+				ExactlyOneOf: []string{
+					"usage",
+					"usage_symmetric_encryption",
+					"usage_asymmetric_encryption",
+					"usage_asymmetric_signing",
+				},
+			},
+			"usage_symmetric_encryption": {
+				Type:     schema.TypeString,
+				Optional: true,
+				ValidateFunc: validation.StringInSlice([]string{
+					"aes_256_gcm",
+				}, false),
+				Description: "Algorithm for symmetric encryption. Possible values: aes_256_gcm",
+				ExactlyOneOf: []string{
+					"usage",
+					"usage_symmetric_encryption",
+					"usage_asymmetric_encryption",
+					"usage_asymmetric_signing",
+				},
+			},
+			"usage_asymmetric_encryption": {
+				Type:     schema.TypeString,
+				Optional: true,
+				ValidateFunc: validation.StringInSlice([]string{
+					"rsa_oaep_2048_sha256",
+					"rsa_oaep_3072_sha256",
+					"rsa_oaep_4096_sha256",
+				}, false),
+				Description: "Algorithm for asymmetric encryption. Possible values: rsa_oaep_2048_sha256, rsa_oaep_3072_sha256, rsa_oaep_4096_sha256",
+				ExactlyOneOf: []string{
+					"usage",
+					"usage_symmetric_encryption",
+					"usage_asymmetric_encryption",
+					"usage_asymmetric_signing",
+				},
+			},
+			"usage_asymmetric_signing": {
+				Type:     schema.TypeString,
+				Optional: true,
+				ValidateFunc: validation.StringInSlice([]string{
+					"ec_p256_sha256",
+					"rsa_pss_2048_sha256",
+					"rsa_pkcs1_2048_sha256",
+				}, false),
+				Description: "Algorithm for asymmetric signing. Possible values: ec_p256_sha256, rsa_pss_2048_sha256, rsa_pkcs1_2048_sha256",
+				ExactlyOneOf: []string{
+					"usage",
+					"usage_symmetric_encryption",
+					"usage_asymmetric_encryption",
+					"usage_asymmetric_signing",
+				},
 			},
 			"description": {
 				Type:        schema.TypeString,
@@ -116,7 +170,7 @@ func resourceKeyManagerKeyCreate(ctx context.Context, d *schema.ResourceData, m
 		createReq.Origin = key_manager.KeyOrigin(v.(string))
 	}
 
-	createReq.Usage = ExpandKeyUsage(d.Get("usage").(string))
+	createReq.Usage = ExpandKeyUsageFromFields(d)
 
 	key, err := api.CreateKey(createReq)
 	if err != nil {
@@ -145,7 +199,25 @@ func resourceKeyManagerKeyRead(ctx context.Context, d *schema.ResourceData, m an
 	_ = d.Set("name", key.Name)
 	_ = d.Set("project_id", key.ProjectID)
 	_ = d.Set("region", key.Region.String())
-	_ = d.Set("usage", UsageToString(key.Usage))
+
+	usageType := UsageToString(key.Usage)
+	algorithm := AlgorithmFromKeyUsage(key.Usage)
+
+	_ = d.Set("usage", usageType)
+
+	_, usesLegacy := d.GetOk("usage")
+
+	if !usesLegacy {
+		switch usageType {
+		case usageSymmetricEncryption:
+			_ = d.Set("usage_symmetric_encryption", algorithm)
+		case usageAsymmetricEncryption:
+			_ = d.Set("usage_asymmetric_encryption", algorithm)
+		case usageAsymmetricSigning:
+			_ = d.Set("usage_asymmetric_signing", algorithm)
+		}
+	}
+
 	_ = d.Set("description", key.Description)
 	_ = d.Set("tags", key.Tags)
 	_ = d.Set("rotation_count", int(key.RotationCount))