stackit-dev-tools/terraform-provider-stackitprivatepreview
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

chore(provider): mark deprecation for service_account_token (#920)

Browse source 
* chore(provider): make deprecation for service_account_token

---------

Signed-off-by: Mauritz Uphoff <mauritz.uphoff@stackit.cloud>
Co-authored-by: Ruben Hoenle <Ruben.Hoenle@stackit.cloud>
This commit is contained in:
Mauritz Uphoff 2025-08-05 11:31:26 +02:00 committed by GitHub
parent 54b483d007
commit 5320e0cd7e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
8 changed files with 26 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

2
CONTRIBUTION.md
View file

@ -121,7 +121,7 @@ To test your changes locally, you have to compile the provider (requires Go 1.24
1. Go to the copied example and initialize Terraform by running `terraform init -reconfigure -upgrade`. This will throw an error ("Failed to query available provider packages") which can be ignored since we are using the local provider build. 1. Go to the copied example and initialize Terraform by running `terraform init -reconfigure -upgrade`. This will throw an error ("Failed to query available provider packages") which can be ignored since we are using the local provider build.
> Note: Terraform will store its resources' states locally. To allow multiple people to use the same resources, check [Setup for multi-person usage](#setup-centralized-terraform-state) > Note: Terraform will store its resources' states locally. To allow multiple people to use the same resources, check [Setup for multi-person usage](#setup-centralized-terraform-state)
1. Setup authentication by setting the env var `STACKIT_SERVICE_ACCOUNT_TOKEN` as a valid token (see [Authentication](#authentication) for more details on how to autenticate). 1. Setup authentication (see [Authentication](#authentication) for more details on how to authenticate).
1. Run `terraform plan` or `terraform apply` commands. 1. Run `terraform plan` or `terraform apply` commands.
1. To debug the terraform provider, execute the following steps: 1. To debug the terraform provider, execute the following steps:
* install the compiled terraform provider to binary path defined in the .terraformrc file * install the compiled terraform provider to binary path defined in the .terraformrc file

4
README.md
View file

@ -37,7 +37,7 @@ Check one of the examples in the [examples](examples/) folder.
To authenticate, you will need a [service account](https://docs.stackit.cloud/stackit/en/service-accounts-134415819.html). Create it in the [STACKIT Portal](https://portal.stackit.cloud/) and assign the necessary permissions to it, e.g. `project.owner`. There are multiple ways to authenticate: To authenticate, you will need a [service account](https://docs.stackit.cloud/stackit/en/service-accounts-134415819.html). Create it in the [STACKIT Portal](https://portal.stackit.cloud/) and assign the necessary permissions to it, e.g. `project.owner`. There are multiple ways to authenticate:
- Key flow (recommended) - Key flow (recommended)
- Token flow - Token flow (is scheduled for deprecation and will be removed on December 17, 2025.)
When setting up authentication, the provider will always try to use the key flow first and search for credentials in several locations, following a specific order: When setting up authentication, the provider will always try to use the key flow first and search for credentials in several locations, following a specific order:
@ -112,6 +112,8 @@ To configure the key flow, follow this steps:
### Token flow ### Token flow
> Is scheduled for deprecation and will be removed on December 17, 2025.
Using this flow is less secure since the token is long-lived. You can provide the token in several ways: Using this flow is less secure since the token is long-lived. You can provide the token in several ways:
1. Setting the field `service_account_token` in the provider 1. Setting the field `service_account_token` in the provider

8
docs/index.md
View file

@ -11,7 +11,7 @@ provider "stackit" {
# Authentication # Authentication
# Token flow # Token flow (scheduled for deprecation and will be removed on December 17, 2025)
provider "stackit" { provider "stackit" {
default_region = "eu01" default_region = "eu01"
service_account_token = var.service_account_token service_account_token = var.service_account_token
@ -37,7 +37,7 @@ provider "stackit" {
To authenticate, you will need a [service account](https://docs.stackit.cloud/stackit/en/service-accounts-134415819.html). Create it in the [STACKIT Portal](https://portal.stackit.cloud/) and assign it the necessary permissions, e.g. `project.owner`. There are multiple ways to authenticate: To authenticate, you will need a [service account](https://docs.stackit.cloud/stackit/en/service-accounts-134415819.html). Create it in the [STACKIT Portal](https://portal.stackit.cloud/) and assign it the necessary permissions, e.g. `project.owner`. There are multiple ways to authenticate:
- Key flow (recommended) - Key flow (recommended)
- Token flow - Token flow (is scheduled for deprecation and will be removed on December 17, 2025)
When setting up authentication, the provider will always try to use the key flow first and search for credentials in several locations, following a specific order: When setting up authentication, the provider will always try to use the key flow first and search for credentials in several locations, following a specific order:
@ -112,6 +112,8 @@ To configure the key flow, follow this steps:
### Token flow ### Token flow
> Is scheduled for deprecation and will be removed on December 17, 2025.
Using this flow is less secure since the token is long-lived. You can provide the token in several ways: Using this flow is less secure since the token is long-lived. You can provide the token in several ways:
1. Setting the field `service_account_token` in the provider 1. Setting the field `service_account_token` in the provider
@ -182,7 +184,7 @@ Note: AWS specific checks must be skipped as they do not work on STACKIT. For de
- `service_account_email` (String, Deprecated) Service account email. It can also be set using the environment variable STACKIT_SERVICE_ACCOUNT_EMAIL. It is required if you want to use the resource manager project resource. - `service_account_email` (String, Deprecated) Service account email. It can also be set using the environment variable STACKIT_SERVICE_ACCOUNT_EMAIL. It is required if you want to use the resource manager project resource.
- `service_account_key` (String) Service account key used for authentication. If set, the key flow will be used to authenticate all operations. - `service_account_key` (String) Service account key used for authentication. If set, the key flow will be used to authenticate all operations.
- `service_account_key_path` (String) Path for the service account key used for authentication. If set, the key flow will be used to authenticate all operations. - `service_account_key_path` (String) Path for the service account key used for authentication. If set, the key flow will be used to authenticate all operations.
- `service_account_token` (String) Token used for authentication. If set, the token flow will be used to authenticate all operations. - `service_account_token` (String, Deprecated) Token used for authentication. If set, the token flow will be used to authenticate all operations.
- `service_enablement_custom_endpoint` (String) Custom endpoint for the Service Enablement API - `service_enablement_custom_endpoint` (String) Custom endpoint for the Service Enablement API
- `ske_custom_endpoint` (String) Custom endpoint for the Kubernetes Engine (SKE) service - `ske_custom_endpoint` (String) Custom endpoint for the Kubernetes Engine (SKE) service
- `sqlserverflex_custom_endpoint` (String) Custom endpoint for the SQL Server Flex service - `sqlserverflex_custom_endpoint` (String) Custom endpoint for the SQL Server Flex service

4
docs/resources/service_account_access_token.md
View file

@ -4,6 +4,7 @@ page_title: "stackit_service_account_access_token Resource - stackit"
subcategory: "" subcategory: ""
description: |- description: |-
Service account access token schema. Service account access token schema.
!> This resource is scheduled for deprecation and will be removed on December 17, 2025. To ensure a smooth transition, please refer to our migration guide at https://docs.stackit.cloud/stackit/en/deprecation-plan-for-service-account-access-tokens-and-migration-guide-373293307.html for detailed instructions and recommendations.
Example Usage Example Usage
Automatically rotate access tokens Automatically rotate access tokens
@ -30,6 +31,9 @@ description: |-
# stackit_service_account_access_token (Resource) # stackit_service_account_access_token (Resource)
Service account access token schema. Service account access token schema.
!> This resource is scheduled for deprecation and will be removed on December 17, 2025. To ensure a smooth transition, please refer to our migration guide at https://docs.stackit.cloud/stackit/en/deprecation-plan-for-service-account-access-tokens-and-migration-guide-373293307.html for detailed instructions and recommendations.
## Example Usage ## Example Usage

2
examples/provider/provider.tf
View file

@ -4,7 +4,7 @@ provider "stackit" {
# Authentication # Authentication
# Token flow # Token flow (scheduled for deprecation and will be removed on December 17, 2025)
provider "stackit" { provider "stackit" {
default_region = "eu01" default_region = "eu01"
service_account_token = var.service_account_token service_account_token = var.service_account_token

8
stackit/internal/services/serviceaccount/token/resource.go
View file

@ -85,6 +85,7 @@ func (r *serviceAccountTokenResource) Schema(_ context.Context, _ resource.Schem
descriptions := map[string]string{ descriptions := map[string]string{
"id": "Terraform's internal resource identifier. It is structured as \"`project_id`,`service_account_email`,`access_token_id`\".", "id": "Terraform's internal resource identifier. It is structured as \"`project_id`,`service_account_email`,`access_token_id`\".",
"main": "Service account access token schema.", "main": "Service account access token schema.",
"deprecation_message": "This resource is scheduled for deprecation and will be removed on December 17, 2025. To ensure a smooth transition, please refer to our migration guide at https://docs.stackit.cloud/stackit/en/deprecation-plan-for-service-account-access-tokens-and-migration-guide-373293307.html for detailed instructions and recommendations.",
"project_id": "STACKIT project ID associated with the service account token.", "project_id": "STACKIT project ID associated with the service account token.",
"service_account_email": "Email address linked to the service account.", "service_account_email": "Email address linked to the service account.",
"ttl_days": "Specifies the token's validity duration in days. If unspecified, defaults to 90 days.", "ttl_days": "Specifies the token's validity duration in days. If unspecified, defaults to 90 days.",
@ -96,9 +97,9 @@ func (r *serviceAccountTokenResource) Schema(_ context.Context, _ resource.Schem
"valid_until": "Estimated expiration timestamp of the access token. For precise validity, check the JWT details.", "valid_until": "Estimated expiration timestamp of the access token. For precise validity, check the JWT details.",
} }
resp.Schema = schema.Schema{ resp.Schema = schema.Schema{
MarkdownDescription: fmt.Sprintf("%s%s", descriptions["main"], markdownDescription), MarkdownDescription: fmt.Sprintf("%s\n\n!> %s\n%s", descriptions["main"], descriptions["deprecation_message"], markdownDescription),
Description: descriptions["main"], Description: descriptions["main"],
DeprecationMessage: "This resource is scheduled for deprecation and will be removed on December 17, 2025. To ensure a smooth transition, please refer to our migration guide at https://docs.stackit.cloud/stackit/en/deprecation-plan-for-service-account-access-tokens-and-migration-guide-373293307.html for detailed instructions and recommendations.", DeprecationMessage: descriptions["deprecation_message"],
Attributes: map[string]schema.Attribute{ Attributes: map[string]schema.Attribute{
"id": schema.StringAttribute{ "id": schema.StringAttribute{
Description: descriptions["id"], Description: descriptions["id"],
@ -169,6 +170,7 @@ func (r *serviceAccountTokenResource) Schema(_ context.Context, _ resource.Schem
// Create creates the resource and sets the initial Terraform state for service accounts. // Create creates the resource and sets the initial Terraform state for service accounts.
func (r *serviceAccountTokenResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) { // nolint:gocritic // function signature required by Terraform func (r *serviceAccountTokenResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) { // nolint:gocritic // function signature required by Terraform
core.LogAndAddWarning(ctx, &resp.Diagnostics, "stackit_service_account_access_token resource deprecated", "use stackit_service_account_key resource instead")
// Retrieve the planned values for the resource. // Retrieve the planned values for the resource.
var model Model var model Model
diags := req.Plan.Get(ctx, &model) diags := req.Plan.Get(ctx, &model)
@ -216,6 +218,7 @@ func (r *serviceAccountTokenResource) Create(ctx context.Context, req resource.C
// Read refreshes the Terraform state with the latest service account data. // Read refreshes the Terraform state with the latest service account data.
func (r *serviceAccountTokenResource) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) { // nolint:gocritic // function signature required by Terraform func (r *serviceAccountTokenResource) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) { // nolint:gocritic // function signature required by Terraform
core.LogAndAddWarning(ctx, &resp.Diagnostics, "stackit_service_account_access_token resource deprecated", "use stackit_service_account_key resource instead")
// Retrieve the current state of the resource. // Retrieve the current state of the resource.
var model Model var model Model
diags := req.State.Get(ctx, &model) diags := req.State.Get(ctx, &model)
@ -284,6 +287,7 @@ func (r *serviceAccountTokenResource) Update(ctx context.Context, _ resource.Upd
// Delete deletes the service account and removes it from the Terraform state on success. // Delete deletes the service account and removes it from the Terraform state on success.
func (r *serviceAccountTokenResource) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) { // nolint:gocritic // function signature required by Terraform func (r *serviceAccountTokenResource) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) { // nolint:gocritic // function signature required by Terraform
core.LogAndAddWarning(ctx, &resp.Diagnostics, "stackit_service_account_access_token resource deprecated", "use stackit_service_account_key resource instead")
// Retrieve current state of the resource. // Retrieve current state of the resource.
var model Model var model Model
diags := req.State.Get(ctx, &model) diags := req.State.Get(ctx, &model)

3
stackit/provider.go
View file

@ -204,6 +204,9 @@ func (p *Provider) Schema(_ context.Context, _ provider.SchemaRequest, resp *pro
"service_account_token": schema.StringAttribute{ "service_account_token": schema.StringAttribute{
Optional: true, Optional: true,
Description: descriptions["service_account_token"], Description: descriptions["service_account_token"],
DeprecationMessage: "Authentication via Service Account Token is deprecated and will be removed on December 17, 2025. " +
"Please use `service_account_key` or `service_account_key_path` instead. " +
"For a smooth transition, refer to our migration guide: https://docs.stackit.cloud/stackit/en/deprecation-plan-for-service-account-access-tokens-and-migration-guide-373293307.html",
}, },
"service_account_key_path": schema.StringAttribute{ "service_account_key_path": schema.StringAttribute{
Optional: true, Optional: true,

4
templates/index.md.tmpl
View file

@ -11,7 +11,7 @@ The STACKIT Terraform provider is the official Terraform provider to integrate a
To authenticate, you will need a [service account](https://docs.stackit.cloud/stackit/en/service-accounts-134415819.html). Create it in the [STACKIT Portal](https://portal.stackit.cloud/) and assign it the necessary permissions, e.g. `project.owner`. There are multiple ways to authenticate: To authenticate, you will need a [service account](https://docs.stackit.cloud/stackit/en/service-accounts-134415819.html). Create it in the [STACKIT Portal](https://portal.stackit.cloud/) and assign it the necessary permissions, e.g. `project.owner`. There are multiple ways to authenticate:
- Key flow (recommended) - Key flow (recommended)
- Token flow - Token flow (is scheduled for deprecation and will be removed on December 17, 2025)
When setting up authentication, the provider will always try to use the key flow first and search for credentials in several locations, following a specific order: When setting up authentication, the provider will always try to use the key flow first and search for credentials in several locations, following a specific order:
@ -86,6 +86,8 @@ To configure the key flow, follow this steps:
### Token flow ### Token flow
> Is scheduled for deprecation and will be removed on December 17, 2025.
Using this flow is less secure since the token is long-lived. You can provide the token in several ways: Using this flow is less secure since the token is long-lived. You can provide the token in several ways:
1. Setting the field `service_account_token` in the provider 1. Setting the field `service_account_token` in the provider