review changes

Signed-off-by: Mauritz Uphoff <[email protected]>

Author: h3adex

stackit/internal/conversion/conversion.go

@@ -183,3 +183,18 @@ func ParseProviderData(ctx context.Context, providerData any, diags *diag.Diagno
 	}
 	return stackitProviderData, true
 }
+
+// TODO: write tests
+func ParseEphemeralProviderData(ctx context.Context, providerData any, diags *diag.Diagnostics) (core.EphemeralProviderData, bool) {
+	// Prevent panic if the provider has not been configured.
+	if providerData == nil {
+		return core.EphemeralProviderData{}, false
+	}
+
+	stackitProviderData, ok := providerData.(core.EphemeralProviderData)
+	if !ok {
+		core.LogAndAddError(ctx, diags, "Error configuring API client", fmt.Sprintf("Expected configure type stackit.ProviderData, got %T", providerData))
+		return core.EphemeralProviderData{}, false
+	}
+	return stackitProviderData, true
+}

stackit/internal/core/core.go

@@ -25,14 +25,19 @@ const (
 	DatasourceRegionFallbackDocstring = "Uses the `default_region` specified in the provider configuration as a fallback in case no `region` is defined on datasource level."
 )
 
-type ProviderData struct {
-	RoundTripper        http.RoundTripper
-	ServiceAccountEmail string // Deprecated: ServiceAccountEmail is not required and will be removed after 12th June 2025.
+type EphemeralProviderData struct {
+	ProviderData
 
 	PrivateKey            string
 	PrivateKeyPath        string
 	ServiceAccountKey     string
 	ServiceAccountKeyPath string
+	TokenCustomEndpoint   string
+}
+
+type ProviderData struct {
+	RoundTripper        http.RoundTripper
+	ServiceAccountEmail string // Deprecated: ServiceAccountEmail is not required and will be removed after 12th June 2025.
 
 	// Deprecated: Use DefaultRegion instead
 	Region                          string

stackit/internal/services/access_token/access_token_acc_test.go

@@ -0,0 +1 @@
+package access_token

stackit/internal/services/access_token/ephemeral_access_token.go

@@ -0,0 +1,111 @@
+package access_token
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/hashicorp/terraform-plugin-framework/ephemeral"
+	"github.com/hashicorp/terraform-plugin-framework/ephemeral/schema"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+	"github.com/stackitcloud/stackit-sdk-go/core/auth"
+	"github.com/stackitcloud/stackit-sdk-go/core/clients"
+	"github.com/stackitcloud/stackit-sdk-go/core/config"
+	"github.com/stackitcloud/terraform-provider-stackit/stackit/internal/conversion"
+	"github.com/stackitcloud/terraform-provider-stackit/stackit/internal/core"
+)
+
+var (
+	_ ephemeral.EphemeralResource              = &accessTokenEphemeralResource{}
+	_ ephemeral.EphemeralResourceWithConfigure = &accessTokenEphemeralResource{}
+)
+
+func NewAccessTokenEphemeralResource() ephemeral.EphemeralResource {
+	return &accessTokenEphemeralResource{}
+}
+
+type accessTokenEphemeralResource struct {
+	serviceAccountKeyPath string
+	serviceAccountKey     string
+	privateKeyPath        string
+	privateKey            string
+	tokenCustomEndpoint   string
+}
+
+func (e *accessTokenEphemeralResource) Configure(ctx context.Context, req ephemeral.ConfigureRequest, resp *ephemeral.ConfigureResponse) {
+	providerData, ok := conversion.ParseEphemeralProviderData(ctx, req.ProviderData, &resp.Diagnostics)
+	if !ok {
+		return
+	}
+
+	e.serviceAccountKey = providerData.ServiceAccountKey
+	e.serviceAccountKeyPath = providerData.ServiceAccountKeyPath
+	e.privateKey = providerData.PrivateKey
+	e.privateKeyPath = providerData.PrivateKeyPath
+	e.tokenCustomEndpoint = providerData.TokenCustomEndpoint
+}
+
+type ephemeralTokenModel struct {
+	AccessToken types.String `tfsdk:"access_token"`
+}
+
+func (e *accessTokenEphemeralResource) Metadata(_ context.Context, req ephemeral.MetadataRequest, resp *ephemeral.MetadataResponse) {
+	resp.TypeName = req.ProviderTypeName + "_access_token"
+}
+
+func (e *accessTokenEphemeralResource) Schema(_ context.Context, _ ephemeral.SchemaRequest, resp *ephemeral.SchemaResponse) {
+	resp.Schema = schema.Schema{
+		Description: "STACKIT Access Token ephemeral resource schema.",
+		Attributes: map[string]schema.Attribute{
+			"access_token": schema.StringAttribute{
+				Description: "JWT access token for STACKIT API authentication.",
+				Computed:    true,
+				Sensitive:   true,
+			},
+		},
+	}
+}
+
+func (e *accessTokenEphemeralResource) Open(ctx context.Context, req ephemeral.OpenRequest, resp *ephemeral.OpenResponse) {
+	var model ephemeralTokenModel
+
+	resp.Diagnostics.Append(req.Config.Get(ctx, &model)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	cfg := config.Configuration{
+		ServiceAccountKey:     e.serviceAccountKey,
+		ServiceAccountKeyPath: e.serviceAccountKeyPath,
+		PrivateKeyPath:        e.privateKeyPath,
+		PrivateKey:            e.privateKey,
+		TokenCustomUrl:        e.tokenCustomEndpoint,
+	}
+
+	rt, err := auth.KeyAuth(&cfg)
+	if err != nil {
+		core.LogAndAddError(ctx, &resp.Diagnostics, "Access token generation failed", fmt.Sprintf("Failed to initialize authentication: %v", err))
+		return
+	}
+
+	// Type assert to access token functionality
+	client, ok := rt.(*clients.KeyFlow)
+	if !ok {
+		core.LogAndAddError(ctx, &resp.Diagnostics, "Access token generation failed", "Internal error: expected *clients.KeyFlow, but received a different implementation of http.RoundTripper")
+		return
+	}
+
+	// Retrieve the access token
+	accessToken, err := client.GetAccessToken()
+	if err != nil {
+		core.LogAndAddError(
+			ctx,
+			&resp.Diagnostics,
+			"Access token retrieval failed",
+			fmt.Sprintf("Error obtaining access token: %v", err),
+		)
+		return
+	}
+
+	model.AccessToken = types.StringValue(accessToken)
+	resp.Diagnostics.Append(resp.Result.Set(ctx, model)...)
+}

stackit/internal/services/access_token/ephemeral_resource.go

@@ -0,0 +1 @@
+package access_token

stackit/internal/services/access_token/ephemeral_resource_test.go

@@ -467,12 +467,13 @@ func (p *Provider) Configure(ctx context.Context, req provider.ConfigureRequest,
 	resp.DataSourceData = providerData
 	resp.ResourceData = providerData
 
-	// Copy service account and private key credentials to support ephemeral access token generation
-	ephemeralProviderData := providerData
+	// Copy service account, private key credentials and custom-token endpoint to support ephemeral access token generation
+	var ephemeralProviderData core.EphemeralProviderData
 	setStringField(providerConfig.ServiceAccountKey, func(v string) { ephemeralProviderData.ServiceAccountKey = v })
 	setStringField(providerConfig.ServiceAccountKeyPath, func(v string) { ephemeralProviderData.ServiceAccountKeyPath = v })
 	setStringField(providerConfig.PrivateKey, func(v string) { ephemeralProviderData.PrivateKey = v })
 	setStringField(providerConfig.PrivateKeyPath, func(v string) { ephemeralProviderData.PrivateKeyPath = v })
+	setStringField(providerConfig.TokenCustomEndpoint, func(v string) { ephemeralProviderData.TokenCustomEndpoint = v })
 	resp.EphemeralResourceData = ephemeralProviderData
 
 	providerData.Version = p.version