review changes 2

Signed-off-by: Mauritz Uphoff <[email protected]>

Author: h3adex

docs/ephemeral-resources/access_token.md

@@ -3,12 +3,12 @@
 page_title: "stackit_access_token Ephemeral Resource - stackit"
 subcategory: ""
 description: |-
-  STACKIT Access Token ephemeral resource schema.
+  Ephemeral resource that generates a short-lived STACKIT access token (JWT) using a service account key. A new token is generated each time the resource is evaluated, and it remains consistent for the duration of a Terraform operation. If a private key is not explicitly provided, the provider attempts to extract it from the service account key instead. Token generation logic prioritizes environment variables first, followed by provider configuration. Access tokens generated from service account keys expire after 60 minutes.
 ---
 
 # stackit_access_token (Ephemeral Resource)
 
-STACKIT Access Token ephemeral resource schema.
+Ephemeral resource that generates a short-lived STACKIT access token (JWT) using a service account key. A new token is generated each time the resource is evaluated, and it remains consistent for the duration of a Terraform operation. If a private key is not explicitly provided, the provider attempts to extract it from the service account key instead. Token generation logic prioritizes environment variables first, followed by provider configuration. Access tokens generated from service account keys expire after 60 minutes.
 
 ## Example Usage
 
@@ -17,17 +17,35 @@ ephemeral "stackit_access_token" "example" {}
 
 // https://registry.terraform.io/providers/Mastercard/restapi/latest/docs
 provider "restapi" {
-  alias                = "stackit_iaas"
-  uri                  = "https://iaas.api.eu01.stackit.cloud"
+  uri                  = "https://iaas.api.eu01.stackit.cloud/"
   write_returns_object = true
 
   headers = {
-    "Authorization" = "Bearer ${ephemeral.stackit_access_token.example.access_token}"
+    Authorization = "Bearer ${ephemeral.stackit_access_token.example.access_token}"
+    Content-Type  = "application/json"
   }
 
-  create_method  = "GET"
-  update_method  = "GET"
-  destroy_method = "GET"
+  create_method  = "POST"
+  update_method  = "PUT"
+  destroy_method = "DELETE"
+}
+
+resource "restapi_object" "iaas_keypair" {
+  path = "/v2/keypairs"
+
+  data = jsonencode({
+    labels = {
+      key = "testvalue"
+    }
+    name      = "test-keypair-123"
+    publicKey = file(chomp("~/.ssh/id_rsa.pub"))
+  })
+
+  id_attribute   = "name"
+  read_method    = "GET"
+  create_method  = "POST"
+  update_method  = "PATCH"
+  destroy_method = "DELETE"
 }
 ```
 

examples/ephemeral-resources/stackit_access_token/ephemeral-resource.tf

@@ -2,15 +2,33 @@ ephemeral "stackit_access_token" "example" {}
 
 // https://registry.terraform.io/providers/Mastercard/restapi/latest/docs
 provider "restapi" {
-  alias                = "stackit_iaas"
-  uri                  = "https://iaas.api.eu01.stackit.cloud"
+  uri                  = "https://iaas.api.eu01.stackit.cloud/"
   write_returns_object = true
 
   headers = {
-    "Authorization" = "Bearer ${ephemeral.stackit_access_token.example.access_token}"
+    Authorization = "Bearer ${ephemeral.stackit_access_token.example.access_token}"
+    Content-Type  = "application/json"
   }
 
-  create_method  = "GET"
-  update_method  = "GET"
-  destroy_method = "GET"
-}
+  create_method  = "POST"
+  update_method  = "PUT"
+  destroy_method = "DELETE"
+}
+
+resource "restapi_object" "iaas_keypair" {
+  path = "/v2/keypairs"
+
+  data = jsonencode({
+    labels = {
+      key = "testvalue"
+    }
+    name      = "test-keypair-123"
+    publicKey = file(chomp("~/.ssh/id_rsa.pub"))
+  })
+
+  id_attribute   = "name"
+  read_method    = "GET"
+  create_method  = "POST"
+  update_method  = "PATCH"
+  destroy_method = "DELETE"
+}

stackit/internal/conversion/conversion.go

@@ -184,7 +184,6 @@ func ParseProviderData(ctx context.Context, providerData any, diags *diag.Diagno
 	return stackitProviderData, true
 }
 
-// TODO: write tests
 func ParseEphemeralProviderData(ctx context.Context, providerData any, diags *diag.Diagnostics) (core.EphemeralProviderData, bool) {
 	// Prevent panic if the provider has not been configured.
 	if providerData == nil {

stackit/internal/conversion/conversion_test.go

@@ -304,3 +304,91 @@ func TestParseProviderData(t *testing.T) {
 		})
 	}
 }
+
+func TestParseEphemeralProviderData(t *testing.T) {
+	type args struct {
+		providerData any
+	}
+	type want struct {
+		ok           bool
+		providerData core.EphemeralProviderData
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    want
+		wantErr bool
+	}{
+		{
+			name: "provider has not been configured",
+			args: args{
+				providerData: nil,
+			},
+			want: want{
+				ok: false,
+			},
+			wantErr: false,
+		},
+		{
+			name: "invalid provider data",
+			args: args{
+				providerData: struct{}{},
+			},
+			want: want{
+				ok: false,
+			},
+			wantErr: true,
+		},
+		{
+			name: "valid provider data 1",
+			args: args{
+				providerData: core.EphemeralProviderData{},
+			},
+			want: want{
+				ok:           true,
+				providerData: core.EphemeralProviderData{},
+			},
+			wantErr: false,
+		},
+		{
+			name: "valid provider data 2",
+			args: args{
+				providerData: core.EphemeralProviderData{
+					PrivateKey:            "",
+					PrivateKeyPath:        "/home/dev/foo/private-key.json",
+					ServiceAccountKey:     "",
+					ServiceAccountKeyPath: "/home/dev/foo/key.json",
+					TokenCustomEndpoint:   "",
+				},
+			},
+			want: want{
+				ok: true,
+				providerData: core.EphemeralProviderData{
+					PrivateKey:            "",
+					PrivateKeyPath:        "/home/dev/foo/private-key.json",
+					ServiceAccountKey:     "",
+					ServiceAccountKeyPath: "/home/dev/foo/key.json",
+					TokenCustomEndpoint:   "",
+				},
+			},
+			wantErr: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ctx := context.Background()
+			diags := diag.Diagnostics{}
+
+			actual, ok := ParseEphemeralProviderData(ctx, tt.args.providerData, &diags)
+			if diags.HasError() != tt.wantErr {
+				t.Errorf("ConfigureClient() error = %v, want %v", diags.HasError(), tt.wantErr)
+			}
+			if ok != tt.want.ok {
+				t.Errorf("ParseProviderData() got = %v, want %v", ok, tt.want.ok)
+			}
+			if !reflect.DeepEqual(actual, tt.want.providerData) {
+				t.Errorf("ParseProviderData() got = %v, want %v", actual, tt.want)
+			}
+		})
+	}
+}

stackit/internal/core/core.go

@@ -26,8 +26,6 @@ const (
 )
 
 type EphemeralProviderData struct {
-	ProviderData
-
 	PrivateKey            string
 	PrivateKeyPath        string
 	ServiceAccountKey     string
@@ -38,7 +36,6 @@ type EphemeralProviderData struct {
 type ProviderData struct {
 	RoundTripper        http.RoundTripper
 	ServiceAccountEmail string // Deprecated: ServiceAccountEmail is not required and will be removed after 12th June 2025.
-
 	// Deprecated: Use DefaultRegion instead
 	Region                          string
 	DefaultRegion                   string

stackit/internal/services/access_token/access_token_acc_test.go

@@ -1 +1,50 @@
-package access_token
+package access_token_test
+
+import (
+	_ "embed"
+	"regexp"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-testing/config"
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-plugin-testing/knownvalue"
+	"github.com/hashicorp/terraform-plugin-testing/statecheck"
+	"github.com/hashicorp/terraform-plugin-testing/tfjsonpath"
+	"github.com/hashicorp/terraform-plugin-testing/tfversion"
+	"github.com/stackitcloud/terraform-provider-stackit/stackit/internal/testutil"
+)
+
+//go:embed testdata/ephemeral_resource.tf
+var ephemeralResourceConfig string
+
+var testConfigVars = config.Variables{
+	"default_region": config.StringVariable(testutil.Region),
+}
+
+func TestAccEphemeralAccessToken(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		TerraformVersionChecks: []tfversion.TerraformVersionCheck{
+			tfversion.SkipBelow(tfversion.Version1_10_0),
+		},
+		ProtoV6ProviderFactories: testutil.TestEphemeralAccProtoV6ProviderFactories,
+		Steps: []resource.TestStep{
+			{
+				Config:          ephemeralResourceConfig,
+				ConfigVariables: testConfigVars,
+				ConfigStateChecks: []statecheck.StateCheck{
+					statecheck.ExpectKnownValue(
+						"echo.example",
+						tfjsonpath.New("data").AtMapKey("access_token"),
+						knownvalue.NotNull(),
+					),
+					// JWT access tokens start with "ey" because the first part is base64-encoded JSON that begins with "{".
+					statecheck.ExpectKnownValue(
+						"echo.example",
+						tfjsonpath.New("data").AtMapKey("access_token"),
+						knownvalue.StringRegexp(regexp.MustCompile(`^ey`)),
+					),
+				},
+			},
+		},
+	})
+}

stackit/internal/services/access_token/ephemeral_resource.go

@@ -24,11 +24,7 @@ func NewAccessTokenEphemeralResource() ephemeral.EphemeralResource {
 }
 
 type accessTokenEphemeralResource struct {
-	serviceAccountKeyPath string
-	serviceAccountKey     string
-	privateKeyPath        string
-	privateKey            string
-	tokenCustomEndpoint   string
+	keyAuthConfig config.Configuration
 }
 
 func (e *accessTokenEphemeralResource) Configure(ctx context.Context, req ephemeral.ConfigureRequest, resp *ephemeral.ConfigureResponse) {
@@ -37,11 +33,13 @@ func (e *accessTokenEphemeralResource) Configure(ctx context.Context, req epheme
 		return
 	}
 
-	e.serviceAccountKey = providerData.ServiceAccountKey
-	e.serviceAccountKeyPath = providerData.ServiceAccountKeyPath
-	e.privateKey = providerData.PrivateKey
-	e.privateKeyPath = providerData.PrivateKeyPath
-	e.tokenCustomEndpoint = providerData.TokenCustomEndpoint
+	e.keyAuthConfig = config.Configuration{
+		ServiceAccountKey:     providerData.ServiceAccountKey,
+		ServiceAccountKeyPath: providerData.ServiceAccountKeyPath,
+		PrivateKeyPath:        providerData.PrivateKey,
+		PrivateKey:            providerData.PrivateKeyPath,
+		TokenCustomUrl:        providerData.TokenCustomEndpoint,
+	}
 }
 
 type ephemeralTokenModel struct {
@@ -54,7 +52,11 @@ func (e *accessTokenEphemeralResource) Metadata(_ context.Context, req ephemeral
 
 func (e *accessTokenEphemeralResource) Schema(_ context.Context, _ ephemeral.SchemaRequest, resp *ephemeral.SchemaResponse) {
 	resp.Schema = schema.Schema{
-		Description: "STACKIT Access Token ephemeral resource schema.",
+		Description: "Ephemeral resource that generates a short-lived STACKIT access token (JWT) using a service account key. " +
+			"A new token is generated each time the resource is evaluated, and it remains consistent for the duration of a Terraform operation. " +
+			"If a private key is not explicitly provided, the provider attempts to extract it from the service account key instead. " +
+			"Token generation logic prioritizes environment variables first, followed by provider configuration. " +
+			"Access tokens generated from service account keys expire after 60 minutes.",
 		Attributes: map[string]schema.Attribute{
 			"access_token": schema.StringAttribute{
 				Description: "JWT access token for STACKIT API authentication.",
@@ -73,15 +75,7 @@ func (e *accessTokenEphemeralResource) Open(ctx context.Context, req ephemeral.O
 		return
 	}
 
-	cfg := config.Configuration{
-		ServiceAccountKey:     e.serviceAccountKey,
-		ServiceAccountKeyPath: e.serviceAccountKeyPath,
-		PrivateKeyPath:        e.privateKeyPath,
-		PrivateKey:            e.privateKey,
-		TokenCustomUrl:        e.tokenCustomEndpoint,
-	}
-
-	rt, err := auth.KeyAuth(&cfg)
+	rt, err := auth.KeyAuth(&e.keyAuthConfig)
 	if err != nil {
 		core.LogAndAddError(ctx, &resp.Diagnostics, "Access token generation failed", fmt.Sprintf("Failed to initialize authentication: %v", err))
 		return
@@ -97,12 +91,7 @@ func (e *accessTokenEphemeralResource) Open(ctx context.Context, req ephemeral.O
 	// Retrieve the access token
 	accessToken, err := client.GetAccessToken()
 	if err != nil {
-		core.LogAndAddError(
-			ctx,
-			&resp.Diagnostics,
-			"Access token retrieval failed",
-			fmt.Sprintf("Error obtaining access token: %v", err),
-		)
+		core.LogAndAddError(ctx, &resp.Diagnostics, "Access token retrieval failed", fmt.Sprintf("Error obtaining access token: %v", err))
 		return
 	}
 

stackit/internal/services/access_token/ephemeral_resource_test.go

@@ -0,0 +1,14 @@
+variable "default_region" {}
+
+provider "stackit" {
+  default_region = var.default_region
+}
+
+ephemeral "stackit_access_token" "example" {}
+
+provider "echo" {
+  data = ephemeral.stackit_access_token.example
+}
+
+resource "echo" "example" {
+}

stackit/internal/services/access_token/testdata/ephemeral_resource.tf

@@ -11,6 +11,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-framework/providerserver"
 	"github.com/hashicorp/terraform-plugin-go/tfprotov6"
 	"github.com/hashicorp/terraform-plugin-testing/config"
+	"github.com/hashicorp/terraform-plugin-testing/echoprovider"
 
 	"github.com/stackitcloud/terraform-provider-stackit/stackit"
 )
@@ -29,6 +30,18 @@ var (
 		"stackit": providerserver.NewProtocol6WithError(stackit.New("test-version")()),
 	}
 
+	// TestEphemeralAccProtoV6ProviderFactories is used to instantiate a provider during
+	// acceptance testing. The factory function will be invoked for every Terraform
+	// CLI command executed to create a provider server to which the CLI can
+	// reattach.
+	//
+	// See the Terraform acceptance test documentation on ephemeral resources for more information:
+	// https://developer.hashicorp.com/terraform/plugin/testing/acceptance-tests/ephemeral-resources
+	TestEphemeralAccProtoV6ProviderFactories = map[string]func() (tfprotov6.ProviderServer, error){
+		"stackit": providerserver.NewProtocol6WithError(stackit.New("test-version")()),
+		"echo":    echoprovider.NewProviderServer(),
+	}
+
 	// E2ETestsEnabled checks if end-to-end tests should be run.
 	// It is enabled when the TF_ACC environment variable is set to "1".
 	E2ETestsEnabled = os.Getenv("TF_ACC") == "1"