Key flow authentication (#67)

* Add key flow params to provider

* Update docs, add examples

docs/data-sources/argus_instance.md

@@ -35,7 +35,7 @@ data "stackit_argus_instance" "example" {
 - `grafana_initial_admin_user` (String) Specifies an initial Grafana admin username.
 - `grafana_public_read_access` (Boolean) If true, anyone can access Grafana dashboards without logging in.
 - `grafana_url` (String) Specifies Grafana URL.
-- `id` (String) Terraform's internal resource ID. It is structured as "`project_id`,`instance_id`".
+- `id` (String) Terraform's internal data source. ID. It is structured as "`project_id`,`instance_id`".
 - `is_updatable` (Boolean) Specifies if the instance can be updated.
 - `jaeger_traces_url` (String)
 - `jaeger_ui_url` (String)

docs/data-sources/argus_scrapeconfig.md

@@ -32,7 +32,7 @@ data "stackit_argus_scrapeconfig" "example" {
 ### Read-Only
 
 - `basic_auth` (Attributes) A basic authentication block. (see [below for nested schema](#nestedatt--basic_auth))
-- `id` (String) Terraform's internal resource ID. It is structured as "`project_id`,`instance_id`,`name`".
+- `id` (String) Terraform's internal data source. ID. It is structured as "`project_id`,`instance_id`,`name`".
 - `metrics_path` (String) Specifies the job scraping url path.
 - `saml2` (Attributes) A SAML2 configuration block (see [below for nested schema](#nestedatt--saml2))
 - `scheme` (String) Specifies the http scheme.

docs/data-sources/dns_record_set.md

@@ -34,7 +34,7 @@ data "stackit_dns_record_set" "example" {
 - `active` (Boolean) Specifies if the record set is active or not.
 - `comment` (String) Comment.
 - `error` (String) Error shows error in case create/update/delete failed.
-- `id` (String) Terraform's internal resource ID. It is structured as "`project_id`,`zone_id`,`record_set_id`".
+- `id` (String) Terraform's internal data source. ID. It is structured as "`project_id`,`zone_id`,`record_set_id`".
 - `name` (String) Name of the record which should be a valid domain according to rfc1035 Section 2.3.4. E.g. `example.com`
 - `records` (List of String) Records.
 - `state` (String) Record set state.

docs/data-sources/dns_zone.md

@@ -36,7 +36,7 @@ data "stackit_dns_zone" "example" {
 - `description` (String) Description of the zone.
 - `dns_name` (String) The zone name. E.g. `example.com`
 - `expire_time` (Number) Expire time.
-- `id` (String) Terraform's internal resource ID. It is structured as "`project_id`,`zone_id`".
+- `id` (String) Terraform's internal data source. ID. It is structured as "`project_id`,`zone_id`".
 - `is_reverse_zone` (Boolean) Specifies, if the zone is a reverse zone or not.
 - `name` (String) The user given name of the zone.
 - `negative_cache` (Number) Negative caching.

docs/data-sources/logme_credentials.md

@@ -34,7 +34,7 @@ data "stackit_logme_credentials" "example" {
 - `host` (String)
 - `hosts` (List of String)
 - `http_api_uri` (String)
-- `id` (String) Terraform's internal resource identifier. It is structured as "`project_id`,`instance_id`,`credentials_id`".
+- `id` (String) Terraform's internal data source. identifier. It is structured as "`project_id`,`instance_id`,`credentials_id`".
 - `name` (String)
 - `password` (String, Sensitive)
 - `port` (Number)

docs/data-sources/logme_instance.md

@@ -33,7 +33,7 @@ data "stackit_logme_instance" "example" {
 - `cf_organization_guid` (String)
 - `cf_space_guid` (String)
 - `dashboard_url` (String)
-- `id` (String) Terraform's internal resource identifier. It is structured as "`project_id`,`instance_id`".
+- `id` (String) Terraform's internal data source. identifier. It is structured as "`project_id`,`instance_id`".
 - `image_url` (String)
 - `name` (String) Instance name.
 - `parameters` (Attributes) (see [below for nested schema](#nestedatt--parameters))

docs/data-sources/mariadb_credentials.md

@@ -34,7 +34,7 @@ data "stackit_mariadb_credentials" "example" {
 - `host` (String)
 - `hosts` (List of String)
 - `http_api_uri` (String)
-- `id` (String) Terraform's internal resource identifier. It is structured as "`project_id`,`instance_id`,`credentials_id`".
+- `id` (String) Terraform's internal data source. identifier. It is structured as "`project_id`,`instance_id`,`credentials_id`".
 - `name` (String)
 - `password` (String, Sensitive)
 - `port` (Number)

docs/data-sources/mariadb_instance.md

@@ -33,7 +33,7 @@ data "stackit_mariadb_instance" "example" {
 - `cf_organization_guid` (String)
 - `cf_space_guid` (String)
 - `dashboard_url` (String)
-- `id` (String) Terraform's internal resource identifier. It is structured as "`project_id`,`instance_id`".
+- `id` (String) Terraform's internal data source. identifier. It is structured as "`project_id`,`instance_id`".
 - `image_url` (String)
 - `name` (String) Instance name.
 - `parameters` (Attributes) (see [below for nested schema](#nestedatt--parameters))

docs/data-sources/objectstorage_bucket.md

@@ -0,0 +1,27 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stackit_objectstorage_bucket Data Source - stackit"
+subcategory: ""
+description: |-
+  ObjectStorage credentials data source schema.
+---
+
+# stackit_objectstorage_bucket (Data Source)
+
+ObjectStorage credentials data source schema.
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `bucket_name` (String) The bucket name. It must be DNS conform.
+- `project_id` (String) STACKIT Project ID to which the bucket is associated.
+
+### Read-Only
+
+- `id` (String) Terraform's internal data source identifier. It is structured as "`project_id`,`bucket_name`".
+- `url_path_style` (String)
+- `url_virtual_hosted_style` (String)

docs/data-sources/opensearch_credentials.md

@@ -34,7 +34,7 @@ data "stackit_opensearch_credentials" "example" {
 - `host` (String)
 - `hosts` (List of String)
 - `http_api_uri` (String)
-- `id` (String) Terraform's internal resource identifier. It is structured as "`project_id`,`instance_id`,`credentials_id`".
+- `id` (String) Terraform's internal data source. identifier. It is structured as "`project_id`,`instance_id`,`credentials_id`".
 - `name` (String)
 - `password` (String, Sensitive)
 - `port` (Number)

docs/data-sources/opensearch_instance.md

@@ -33,7 +33,7 @@ data "stackit_opensearch_instance" "example" {
 - `cf_organization_guid` (String)
 - `cf_space_guid` (String)
 - `dashboard_url` (String)
-- `id` (String) Terraform's internal resource identifier. It is structured as "`project_id`,`instance_id`".
+- `id` (String) Terraform's internal data source. identifier. It is structured as "`project_id`,`instance_id`".
 - `image_url` (String)
 - `name` (String) Instance name.
 - `parameters` (Attributes) (see [below for nested schema](#nestedatt--parameters))

docs/data-sources/postgresflex_instance.md

@@ -32,7 +32,7 @@ data "stackit_postgresflex_instance" "example" {
 - `acl` (List of String) The Access Control List (ACL) for the PostgresFlex instance.
 - `backup_schedule` (String)
 - `flavor` (Attributes) (see [below for nested schema](#nestedatt--flavor))
-- `id` (String) Terraform's internal resource ID. It is structured as "`project_id`,`instance_id`".
+- `id` (String) Terraform's internal data source. ID. It is structured as "`project_id`,`instance_id`".
 - `name` (String) Instance name.
 - `replicas` (Number)
 - `storage` (Attributes) (see [below for nested schema](#nestedatt--storage))

docs/data-sources/postgresflex_user.md

@@ -32,8 +32,7 @@ data "stackit_postgresflex_user" "example" {
 ### Read-Only
 
 - `host` (String)
-- `id` (String) Terraform's internal resource ID. It is structured as "`project_id`,`instance_id`,`user_id`".
-- `password` (String, Sensitive)
+- `id` (String) Terraform's internal data source. ID. It is structured as "`project_id`,`instance_id`,`user_id`".
 - `port` (Number)
 - `roles` (Set of String)
 - `username` (String)

docs/data-sources/postgresql_credentials.md

@@ -34,7 +34,7 @@ data "stackit_postgresql_credentials" "example" {
 - `host` (String)
 - `hosts` (List of String)
 - `http_api_uri` (String)
-- `id` (String) Terraform's internal resource identifier. It is structured as "`project_id`,`instance_id`,`credentials_id`".
+- `id` (String) Terraform's internal data source. identifier. It is structured as "`project_id`,`instance_id`,`credentials_id`".
 - `name` (String)
 - `password` (String, Sensitive)
 - `port` (Number)

docs/data-sources/postgresql_instance.md

@@ -33,7 +33,7 @@ data "stackit_postgresql_instance" "example" {
 - `cf_organization_guid` (String)
 - `cf_space_guid` (String)
 - `dashboard_url` (String)
-- `id` (String) Terraform's internal resource identifier. It is structured as "`project_id`,`instance_id`".
+- `id` (String) Terraform's internal data source. identifier. It is structured as "`project_id`,`instance_id`".
 - `image_url` (String)
 - `name` (String) Instance name.
 - `parameters` (Attributes) (see [below for nested schema](#nestedatt--parameters))

docs/data-sources/rabbitmq_credentials.md

@@ -34,7 +34,7 @@ data "stackit_rabbitmq_credentials" "example" {
 - `host` (String)
 - `hosts` (List of String)
 - `http_api_uri` (String)
-- `id` (String) Terraform's internal resource identifier. It is structured as "`project_id`,`instance_id`,`credentials_id`".
+- `id` (String) Terraform's internal data source. identifier. It is structured as "`project_id`,`instance_id`,`credentials_id`".
 - `name` (String)
 - `password` (String, Sensitive)
 - `port` (Number)

docs/data-sources/rabbitmq_instance.md

@@ -33,7 +33,7 @@ data "stackit_rabbitmq_instance" "example" {
 - `cf_organization_guid` (String)
 - `cf_space_guid` (String)
 - `dashboard_url` (String)
-- `id` (String) Terraform's internal resource identifier. It is structured as "`project_id`,`instance_id`".
+- `id` (String) Terraform's internal data source. identifier. It is structured as "`project_id`,`instance_id`".
 - `image_url` (String)
 - `name` (String) Instance name.
 - `parameters` (Attributes) (see [below for nested schema](#nestedatt--parameters))

docs/data-sources/redis_credentials.md

@@ -34,7 +34,7 @@ data "stackit_redis_credentials" "example" {
 - `host` (String)
 - `hosts` (List of String)
 - `http_api_uri` (String)
-- `id` (String) Terraform's internal resource identifier. It is structured as "`project_id`,`instance_id`,`credentials_id`".
+- `id` (String) Terraform's internal data source. identifier. It is structured as "`project_id`,`instance_id`,`credentials_id`".
 - `name` (String)
 - `password` (String, Sensitive)
 - `port` (Number)

docs/data-sources/redis_instance.md

@@ -33,7 +33,7 @@ data "stackit_redis_instance" "example" {
 - `cf_organization_guid` (String)
 - `cf_space_guid` (String)
 - `dashboard_url` (String)
-- `id` (String) Terraform's internal resource identifier. It is structured as "`project_id`,`instance_id`".
+- `id` (String) Terraform's internal data source. identifier. It is structured as "`project_id`,`instance_id`".
 - `image_url` (String)
 - `name` (String) Instance name.
 - `parameters` (Attributes) (see [below for nested schema](#nestedatt--parameters))

docs/data-sources/resourcemanager_project.md

@@ -28,7 +28,7 @@ data "stackit_resourcemanager_project" "example" {
 
 ### Read-Only
 
-- `id` (String) Terraform's internal resource ID. It is structured as "`container_id`".
+- `id` (String) Terraform's internal data source. ID. It is structured as "`container_id`".
 - `labels` (Map of String) Labels are key-value string pairs which can be attached to a resource container. A label key must match the regex [A-ZÄÜÖa-zäüöß0-9_-]{1,64}. A label value must match the regex ^$|[A-ZÄÜÖa-zäüöß0-9_-]{1,64}
 - `name` (String) Project name.
 - `parent_container_id` (String) Parent container ID

docs/data-sources/ske_cluster.md

@@ -34,7 +34,7 @@ data "stackit_ske_cluster" "example" {
 This should be used with care since it also disables a couple of other features like the use of some volume type (e.g. PVCs).
 - `extensions` (Attributes) A single extensions block as defined below (see [below for nested schema](#nestedatt--extensions))
 - `hibernations` (Attributes List) One or more hibernation block as defined below. (see [below for nested schema](#nestedatt--hibernations))
-- `id` (String) Terraform's internal resource ID. It is structured as "`project_id`,`name`".
+- `id` (String) Terraform's internal data source. ID. It is structured as "`project_id`,`name`".
 - `kube_config` (String, Sensitive) Kube config file used for connecting to the cluster
 - `kubernetes_version` (String) Kubernetes version.
 - `kubernetes_version_used` (String) Full Kubernetes version used. For example, if `1.22` was selected, this value may result to `1.22.15`

docs/data-sources/ske_project.md

@@ -27,4 +27,4 @@ data "stackit_ske_project" "example" {
 
 ### Read-Only
 
-- `id` (String) Terraform's internal resource ID. It is structured as "`project_id`".
+- `id` (String) Terraform's internal data source. ID. It is structured as "`project_id`".

docs/index.md

@@ -8,11 +8,96 @@ The STACKIT provider is the official Terraform provider to integrate all the res
 provider "stackit" {
   region = "eu01"
 }
+
+# Authentication
+
+# Token flow
+provider "stackit" {
+  region                = "eu01"
+  service_account_token = var.service_account_token
+}
+
+# Key flow
+provider "stackit" {
+  region              = "eu01"
+  service_account_key = var.service_account_key
+  private_key         = var.private_key
+}
+
+# Key flow (using path)
+provider "stackit" {
+  region                   = "eu01"
+  service_account_key_path = var.service_account_key_path
+  private_key_path         = var.private_key_path
+}
 ```
 
 ## Authentication
 
-Currently, only the *token flow* is supported. The Terraform provider will first try to find a token in the `STACKIT_SERVICE_ACCOUNT_TOKEN` env var. If not present, it will check the credentials file located in the path defined by the `STACKIT_CREDENTIALS_PATH` env var, if specified, or in `$HOME/.stackit/credentials.json` as a fallback. If the token is found, all the requests are authenticated using that token.
+To authenticate, you will need a [service account](https://docs.stackit.cloud/stackit/en/service-accounts-134415819.html). Create it in the STACKIT Portal an assign it the necessary permissions, e.g. `project.owner`. There are multiple ways to authenticate:
+
+- Key flow (recommended)
+- Token flow
+
+When setting up authentication, the provider will always try to use the key flow first and search for credentials in several locations, following a specific order:
+
+1. Explicit configuration, e.g. by seting the fiel `stackit_service_account_key_path` in the provider block (see example below)
+2. Environment variable, e.g. by setting `STACKIT_SERVICE_ACCOUNT_KEY_PATH`
+3. Credentials file
+
+   The SDK will check the credentials file located in the path defined by the `STACKIT_CREDENTIALS_PATH` env var, if specified,
+   or in `$HOME/.stackit/credentials.json` as a fallback.
+   The credentials should be set using the same name as the environmnet variables. Example:
+
+   ```json
+   {
+     "STACKIT_SERVICE_ACCOUNT_TOKEN": "foo_token",
+     "STACKIT_SERVICE_ACCOUNT_KEY_PATH": "path/to/sa_key.json",
+     "STACKIT_PRIVATE_KEY_PATH": "path/to/private_key.pem"
+   }
+   ```
+
+### Key flow
+
+To use the key flow, you need to have a service account key and an RSA key-pair.
+To configure it, follow this steps:
+
+    The following instructions assume that you have created a service account and assigned it the necessary permissions, e.g. project.owner.
+
+1. In the Portal, go to `Service Account -> Service Account Keys` and create a key.
+   - You can create your own RSA key-pair or have the Portal generate one for you.
+2. Save the content of the service account key and the corresponding private key by copying them or saving them in a file. The expected format of the service account key is the following:
+   ```json
+   {
+     "id": "uuid",
+     "publicKey": "public key",
+     "createdAt": "2023-08-24T14:15:22Z",
+     "validUntil": "2023-08-24T14:15:22Z",
+     "keyType": "USER_MANAGED",
+     "keyOrigin": "USER_PROVIDED",
+     "keyAlgorithm": "RSA_2048",
+     "active": true,
+     "credentials": {
+       "kid": "string",
+       "iss": "my-sa@sa.stackit.cloud",
+       "sub": "uuid",
+       "aud": "string",
+       (optional) "privateKey": "private key when generated by the SA service"
+     }
+   }
+   ```
+3. Configure the service account key and private key for authentication in the SDK:
+   - setting the fiels in the provider block: `service_account_key` or `service_account_key_path`, `private_key` or `private_key_path`
+   - setting environment variables: `STACKIT_SERVICE_ACCOUNT_KEY_PATH` and `STACKIT_PRIVATE_KEY_PATH`
+   - setting them in the credentials file (see above)
+
+### Token flow
+
+Using this flow is less secure since the token is long-lived. You can provide the token in several ways:
+
+1. Setting the field `service_account_token` in the provider
+2. Setting the environment variable `STACKIT_SERVICE_ACCOUNT_TOKEN`
+3. Setting it in the credentials file (see above)
 
 <!-- schema generated by tfplugindocs -->
 ## Schema
@@ -22,15 +107,22 @@ Currently, only the *token flow* is supported. The Terraform provider will first
 - `argus_custom_endpoint` (String) Custom endpoint for the Argus service
 - `credentials_path` (String) Path of JSON from where the credentials are read. Takes precedence over the env var `STACKIT_CREDENTIALS_PATH`. Default value is `~/.stackit/credentials.json`.
 - `dns_custom_endpoint` (String) Custom endpoint for the DNS service
+- `jwks_custom_endpoint` (String) Custom endpoint for the jwks API, which is used to get the json web key sets (jwks) to validate tokens when using the key flow
 - `logme_custom_endpoint` (String) Custom endpoint for the LogMe service
 - `mariadb_custom_endpoint` (String) Custom endpoint for the MariaDB service
+- `objectstorage_custom_endpoint` (String) Custom endpoint for the Object Storage service
 - `opensearch_custom_endpoint` (String) Custom endpoint for the OpenSearch service
 - `postgresflex_custom_endpoint` (String) Custom endpoint for the PostgresFlex service
 - `postgresql_custom_endpoint` (String) Custom endpoint for the PostgreSQL service
+- `private_key` (String) Private RSA key used for authentication. If set alongside the service account key, the key flow will be used to authenticate all operations.
+- `private_key_path` (String) Path for the private RSA key used for authentication. If set alongside the service account key, the key flow will be used to authenticate all operations.
 - `rabbitmq_custom_endpoint` (String) Custom endpoint for the RabbitMQ service
 - `redis_custom_endpoint` (String)
 - `region` (String) Region will be used as the default location for regional services. Not all services require a region, some are global
 - `resourcemanager_custom_endpoint` (String) Custom endpoint for the Resource Manager service
 - `service_account_email` (String) Service account email. It can also be set using the environment variable STACKIT_SERVICE_ACCOUNT_EMAIL
+- `service_account_key` (String) Service account key used for authentication. If set alongside private key, the key flow will be used to authenticate all operations.
+- `service_account_key_path` (String) Path for the service account key used for authentication. If set alongside the private key, the key flow will be used to authenticate all operations.
 - `service_account_token` (String) Token used for authentication. If set, the token flow will be used to authenticate all operations.
 - `ske_custom_endpoint` (String) Custom endpoint for the Kubernetes Engine (SKE) service
+- `token_custom_endpoint` (String) Custom endpoint for the token API, which is used to request access tokens when using the key flow

docs/resources/objectstorage_bucket.md

@@ -0,0 +1,27 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stackit_objectstorage_bucket Resource - stackit"
+subcategory: ""
+description: |-
+  ObjectStorage bucket resource schema.
+---
+
+# stackit_objectstorage_bucket (Resource)
+
+ObjectStorage bucket resource schema.
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `bucket_name` (String) The bucket name. It must be DNS conform.
+- `project_id` (String) STACKIT Project ID to which the bucket is associated.
+
+### Read-Only
+
+- `id` (String) Terraform's internal resource identifier. It is structured as "`project_id`,`bucket_name`".
+- `url_path_style` (String)
+- `url_virtual_hosted_style` (String)