Deprecate service_account_email config (#610)

* Deprecate service_account_email config
 - it could be extracted from the JWT if needed

Co-authored-by: João Palet <joao.palet@outlook.com>

docs/index.md

@@ -174,7 +174,7 @@ Note: AWS specific checks must be skipped as they do not work on STACKIT. For de
 - `secretsmanager_custom_endpoint` (String) Custom endpoint for the Secrets Manager service
 - `server_backup_custom_endpoint` (String) Custom endpoint for the Server Backup service
 - `server_update_custom_endpoint` (String) Custom endpoint for the Server Update service
-- `service_account_email` (String) Service account email. It can also be set using the environment variable STACKIT_SERVICE_ACCOUNT_EMAIL. It is required if you want to use the resource manager project resource.
+- `service_account_email` (String, Deprecated) Service account email. It can also be set using the environment variable STACKIT_SERVICE_ACCOUNT_EMAIL. It is required if you want to use the resource manager project resource.
 - `service_account_key` (String) Service account key used for authentication. If set, the key flow will be used to authenticate all operations.
 - `service_account_key_path` (String) Path for the service account key used for authentication. If set, the key flow will be used to authenticate all operations.
 - `service_account_token` (String) Token used for authentication. If set, the token flow will be used to authenticate all operations.

stackit/internal/core/core.go

@@ -15,7 +15,7 @@ const Separator = ","
 
 type ProviderData struct {
 	RoundTripper                    http.RoundTripper
-	ServiceAccountEmail             string
+	ServiceAccountEmail             string // Deprecated: ServiceAccountEmail is not required and will be removed after 12th June 2025.
 	Region                          string
 	ArgusCustomEndpoint             string
 	AuthorizationCustomEndpoint     string

stackit/internal/services/resourcemanager/project/datasource.go

@@ -62,13 +62,11 @@ func (d *projectDataSource) Configure(ctx context.Context, req datasource.Config
 	if providerData.ResourceManagerCustomEndpoint != "" {
 		rmClient, err = resourcemanager.NewAPIClient(
 			config.WithCustomAuth(providerData.RoundTripper),
-			config.WithServiceAccountEmail(providerData.ServiceAccountEmail),
 			config.WithEndpoint(providerData.ResourceManagerCustomEndpoint),
 		)
 	} else {
 		rmClient, err = resourcemanager.NewAPIClient(
 			config.WithCustomAuth(providerData.RoundTripper),
-			config.WithServiceAccountEmail(providerData.ServiceAccountEmail),
 		)
 	}
 	if err != nil {

stackit/internal/services/resourcemanager/project/resource.go

@@ -107,13 +107,11 @@ func (r *projectResource) Configure(ctx context.Context, req resource.ConfigureR
 		ctx = tflog.SetField(ctx, "resourcemanager_custom_endpoint", providerData.ResourceManagerCustomEndpoint)
 		rmClient, err = resourcemanager.NewAPIClient(
 			config.WithCustomAuth(providerData.RoundTripper),
-			config.WithServiceAccountEmail(providerData.ServiceAccountEmail),
 			config.WithEndpoint(providerData.ResourceManagerCustomEndpoint),
 		)
 	} else {
 		rmClient, err = resourcemanager.NewAPIClient(
 			config.WithCustomAuth(providerData.RoundTripper),
-			config.WithServiceAccountEmail(providerData.ServiceAccountEmail),
 		)
 	}
 
@@ -278,12 +276,6 @@ func (r *projectResource) Create(ctx context.Context, req resource.CreateRequest
 	containerId := model.ContainerId.ValueString()
 	ctx = tflog.SetField(ctx, "project_container_id", containerId)
 
-	serviceAccountEmail := r.resourceManagerClient.GetConfig().ServiceAccountEmail
-	if serviceAccountEmail == "" {
-		core.LogAndAddError(ctx, &resp.Diagnostics, "Error creating project", "The service account e-mail cannot be empty: set it in the provider configuration or through the STACKIT_SERVICE_ACCOUNT_EMAIL or in your credentials file (default filepath is ~/.stackit/credentials.json)")
-		return
-	}
-
 	// Generate API request body from model
 	payload, err := toCreatePayload(ctx, &model)
 	if err != nil {

stackit/provider.go

@@ -95,7 +95,7 @@ func (p *Provider) Metadata(_ context.Context, _ provider.MetadataRequest, resp
 
 type providerModel struct {
 	CredentialsFilePath             types.String `tfsdk:"credentials_path"`
-	ServiceAccountEmail             types.String `tfsdk:"service_account_email"`
+	ServiceAccountEmail             types.String `tfsdk:"service_account_email"` // Deprecated: ServiceAccountEmail is not required and will be removed after 12th June 2025
 	ServiceAccountKey               types.String `tfsdk:"service_account_key"`
 	ServiceAccountKeyPath           types.String `tfsdk:"service_account_key_path"`
 	PrivateKey                      types.String `tfsdk:"private_key"`
@@ -170,8 +170,9 @@ func (p *Provider) Schema(_ context.Context, _ provider.SchemaRequest, resp *pro
 				Description: descriptions["credentials_path"],
 			},
 			"service_account_email": schema.StringAttribute{
-				Optional:    true,
+				Optional:           true,
-				Description: descriptions["service_account_email"],
+				Description:        descriptions["service_account_email"],
+				DeprecationMessage: "The `service_account_email` field has been deprecated because it is not required. Will be removed after June 12th 2025.",
 			},
 			"service_account_token": schema.StringAttribute{
 				Optional:    true,
@@ -310,10 +311,6 @@ func (p *Provider) Configure(ctx context.Context, req provider.ConfigureRequest,
 	if !(providerConfig.CredentialsFilePath.IsUnknown() || providerConfig.CredentialsFilePath.IsNull()) {
 		sdkConfig.CredentialsFilePath = providerConfig.CredentialsFilePath.ValueString()
 	}
-	if !(providerConfig.ServiceAccountEmail.IsUnknown() || providerConfig.ServiceAccountEmail.IsNull()) {
-		providerData.ServiceAccountEmail = providerConfig.ServiceAccountEmail.ValueString()
-		sdkConfig.ServiceAccountEmail = providerConfig.ServiceAccountEmail.ValueString()
-	}
 	if !(providerConfig.ServiceAccountKey.IsUnknown() || providerConfig.ServiceAccountKey.IsNull()) {
 		sdkConfig.ServiceAccountKey = providerConfig.ServiceAccountKey.ValueString()
 	}