Skip to content

feat(access-token): add ephemeral access-token resource #1068

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat(access-token): add ephemeral access-token resource #1068

wants to merge 1 commit into from
+280 −2

Conversation

@h3adex
Copy link
Contributor

@h3adex h3adex commented Nov 21, 2025

Description

Internal Issue: STACKITTPR-353

Checklist

  • Issue was linked above
  • Code format was applied: make fmt
  • Examples were added / adjusted (see examples/ directory)
  • Docs are up-to-date: make generate-docs (will be checked by CI)
  • Unit tests got implemented or updated
  • Acceptance tests got implemented or updated (see e.g. here)
  • Unit tests are passing: make test (will be checked by CI)
  • No linter issues: make lint (will be checked by CI)

@h3adex
feat(access-token): add ephemeral access-token resource
6641b0c 
Signed-off-by: Mauritz Uphoff <mauritz.uphoff@stackit.cloud>
@h3adex h3adex requested a review from a team as a code owner November 21, 2025 13:49
rubenhoenle
rubenhoenle reviewed Nov 21, 2025
View reviewed changes
stackit/internal/core/core.go
RoundTripper http.RoundTripper
ServiceAccountEmail string // Deprecated: ServiceAccountEmail is not required and will be removed after 12th June 2025.

PrivateKey string
Copy link
Member

@rubenhoenle rubenhoenle Nov 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we have a seperate struct for that? E.g. by using https://gobyexample.com/struct-embedding

type EphermalProviderData struct {
    ProviderData
    
    PrivateKey            string
    PrivateKeyPath        string
	ServiceAccountKey     string
	ServiceAccountKeyPath string
}

The fields like PrivateKey, ... don't belong into regular resources and datasources. You don't even set them there (what is good of course 😅). So some abstraction won't hurt here to keep things clean.

rubenhoenle
rubenhoenle reviewed Nov 21, 2025
View reviewed changes
stackit/internal/services/access_token/ephemeral_access_token.go
return
}

ctx = tflog.SetField(ctx, "access_token", accessToken)
Copy link
Member

@rubenhoenle rubenhoenle Nov 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a HUGE no no, please don't ever (!!) log credentials

rubenhoenle
rubenhoenle reviewed Nov 21, 2025
View reviewed changes
stackit/internal/services/access_token/ephemeral_access_token.go
func resolvePrivateKey(ctx context.Context, cfgValue, cfgPath string, key *clients.ServiceAccountKeyResponse) (string, diag.Diagnostics) {
var diags diag.Diagnostics

env := os.Getenv("STACKIT_PRIVATE_KEY")
Copy link
Member

@rubenhoenle rubenhoenle Nov 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

shouldn't this be done already by the provider logic? I'm not willing to read env variables here...

Copy link
Member

@rubenhoenle rubenhoenle Nov 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If it's not done there, it belongs there. This doesn't belong into some resource implementation for sure.

rubenhoenle
rubenhoenle reviewed Nov 21, 2025
View reviewed changes
stackit/internal/services/access_token/ephemeral_access_token.go
func loadServiceAccountKey(ctx context.Context, cfgValue, cfgPath string) (*clients.ServiceAccountKeyResponse, diag.Diagnostics) {
var diags diag.Diagnostics

env := os.Getenv("STACKIT_SERVICE_ACCOUNT_KEY")
Copy link
Member

@rubenhoenle rubenhoenle Nov 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

shouldn't this be done already by the provider logic? I'm not willing to read env variables here...

rubenhoenle
rubenhoenle reviewed Nov 21, 2025
View reviewed changes
stackit/internal/services/access_token/ephemeral_access_token.go
)

// #nosec G101 tokenUrl is a public endpoint, not a hardcoded credential
const tokenUrl = "https://service-account.api.stackit.cloud/token"
Copy link
Member

@rubenhoenle rubenhoenle Nov 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No need to duplicate, this is already the default

https://github.com/stackitcloud/stackit-sdk-go/blob/ca0bcc279e1be97bcb1a4b4377091f26c737483e/core/clients/key_flow.go#L134-L136

Copy link
Member

@rubenhoenle rubenhoenle Nov 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Other question, what's with custom endpoints?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rubenhoenle rubenhoenle rubenhoenle left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@h3adex @rubenhoenle