review changes

Signed-off-by: Mauritz Uphoff <mauritz.uphoff@stackit.cloud>

Author: h3adex

stackit/internal/conversion/conversion.go

@@ -183,3 +183,18 @@ func ParseProviderData(ctx context.Context, providerData any, diags *diag.Diagno
 	}
 	return stackitProviderData, true
 }
+
+// TODO: write tests
+func ParseEphemeralProviderData(ctx context.Context, providerData any, diags *diag.Diagnostics) (core.EphemeralProviderData, bool) {
+	// Prevent panic if the provider has not been configured.
+	if providerData == nil {
+		return core.EphemeralProviderData{}, false
+	}
+
+	stackitProviderData, ok := providerData.(core.EphemeralProviderData)
+	if !ok {
+		core.LogAndAddError(ctx, diags, "Error configuring API client", fmt.Sprintf("Expected configure type stackit.ProviderData, got %T", providerData))
+		return core.EphemeralProviderData{}, false
+	}
+	return stackitProviderData, true
+}

stackit/internal/core/core.go

@@ -25,14 +25,19 @@ const (
 	DatasourceRegionFallbackDocstring = "Uses the `default_region` specified in the provider configuration as a fallback in case no `region` is defined on datasource level."
 )
 
-type ProviderData struct {
-	RoundTripper        http.RoundTripper
-	ServiceAccountEmail string // Deprecated: ServiceAccountEmail is not required and will be removed after 12th June 2025.
+type EphemeralProviderData struct {
+	ProviderData
 
 	PrivateKey            string
 	PrivateKeyPath        string
 	ServiceAccountKey     string
 	ServiceAccountKeyPath string
+	TokenCustomEndpoint   string
+}
+
+type ProviderData struct {
+	RoundTripper        http.RoundTripper
+	ServiceAccountEmail string // Deprecated: ServiceAccountEmail is not required and will be removed after 12th June 2025.
 
 	// Deprecated: Use DefaultRegion instead
 	Region                          string

stackit/internal/services/access_token/access_token_acc_test.go

@@ -0,0 +1 @@
+package access_token

stackit/internal/services/access_token/ephemeral_access_token.go renamed to stackit/internal/services/access_token/ephemeral_resource.go

@@ -10,15 +10,11 @@ import (
 	"github.com/hashicorp/terraform-plugin-framework/ephemeral"
 	"github.com/hashicorp/terraform-plugin-framework/ephemeral/schema"
 	"github.com/hashicorp/terraform-plugin-framework/types"
-	"github.com/hashicorp/terraform-plugin-log/tflog"
 	"github.com/stackitcloud/stackit-sdk-go/core/clients"
 	"github.com/stackitcloud/terraform-provider-stackit/stackit/internal/conversion"
 	"github.com/stackitcloud/terraform-provider-stackit/stackit/internal/core"
 )
 
-// #nosec G101 tokenUrl is a public endpoint, not a hardcoded credential
-const tokenUrl = "https://service-account.api.stackit.cloud/token"
-
 var (
 	_ ephemeral.EphemeralResource              = &accessTokenEphemeralResource{}
 	_ ephemeral.EphemeralResourceWithConfigure = &accessTokenEphemeralResource{}
@@ -33,10 +29,11 @@ type accessTokenEphemeralResource struct {
 	serviceAccountKey     string
 	privateKeyPath        string
 	privateKey            string
+	tokenCustomEndpoint   string
 }
 
 func (e *accessTokenEphemeralResource) Configure(ctx context.Context, req ephemeral.ConfigureRequest, resp *ephemeral.ConfigureResponse) {
-	providerData, ok := conversion.ParseProviderData(ctx, req.ProviderData, &resp.Diagnostics)
+	providerData, ok := conversion.ParseEphemeralProviderData(ctx, req.ProviderData, &resp.Diagnostics)
 	if !ok {
 		return
 	}
@@ -45,6 +42,7 @@ func (e *accessTokenEphemeralResource) Configure(ctx context.Context, req epheme
 	e.serviceAccountKeyPath = providerData.ServiceAccountKeyPath
 	e.privateKey = providerData.PrivateKey
 	e.privateKeyPath = providerData.PrivateKeyPath
+	e.tokenCustomEndpoint = providerData.TokenCustomEndpoint
 }
 
 type ephemeralTokenModel struct {
@@ -88,7 +86,7 @@ func (e *accessTokenEphemeralResource) Open(ctx context.Context, req ephemeral.O
 		return
 	}
 
-	client, diags := initKeyFlowClient(ctx, serviceAccountKey, privateKey)
+	client, diags := initKeyFlowClient(ctx, serviceAccountKey, privateKey, e.tokenCustomEndpoint)
 	resp.Diagnostics.Append(diags...)
 	if resp.Diagnostics.HasError() {
 		return
@@ -100,7 +98,6 @@ func (e *accessTokenEphemeralResource) Open(ctx context.Context, req ephemeral.O
 		return
 	}
 
-	ctx = tflog.SetField(ctx, "access_token", accessToken)
 	model.AccessToken = types.StringValue(accessToken)
 	resp.Diagnostics.Append(resp.Result.Set(ctx, model)...)
 }
@@ -181,14 +178,17 @@ func resolvePrivateKey(ctx context.Context, cfgValue, cfgPath string, key *clien
 }
 
 // initKeyFlowClient configures and initializes a new KeyFlow client using the key and private key.
-func initKeyFlowClient(ctx context.Context, key *clients.ServiceAccountKeyResponse, privateKey string) (*clients.KeyFlow, diag.Diagnostics) {
+func initKeyFlowClient(ctx context.Context, key *clients.ServiceAccountKeyResponse, privateKey string, tokenCustomEndpoint string) (*clients.KeyFlow, diag.Diagnostics) {
 	var diags diag.Diagnostics
 
 	client := &clients.KeyFlow{}
 	cfg := &clients.KeyFlowConfig{
 		ServiceAccountKey: key,
 		PrivateKey:        privateKey,
-		TokenUrl:          tokenUrl,
+	}
+
+	if tokenCustomEndpoint != "" {
+		cfg.TokenUrl = tokenCustomEndpoint
 	}
 
 	if err := client.Init(cfg); err != nil {

stackit/internal/services/access_token/ephemeral_resource_test.go

@@ -0,0 +1 @@
+package access_token

stackit/provider.go

@@ -467,12 +467,13 @@ func (p *Provider) Configure(ctx context.Context, req provider.ConfigureRequest,
 	resp.DataSourceData = providerData
 	resp.ResourceData = providerData
 
-	// Copy service account and private key credentials to support ephemeral access token generation
-	ephemeralProviderData := providerData
+	// Copy service account, private key credentials and custom-token endpoint to support ephemeral access token generation
+	var ephemeralProviderData core.EphemeralProviderData
 	setStringField(providerConfig.ServiceAccountKey, func(v string) { ephemeralProviderData.ServiceAccountKey = v })
 	setStringField(providerConfig.ServiceAccountKeyPath, func(v string) { ephemeralProviderData.ServiceAccountKeyPath = v })
 	setStringField(providerConfig.PrivateKey, func(v string) { ephemeralProviderData.PrivateKey = v })
 	setStringField(providerConfig.PrivateKeyPath, func(v string) { ephemeralProviderData.PrivateKeyPath = v })
+	setStringField(providerConfig.TokenCustomEndpoint, func(v string) { ephemeralProviderData.TokenCustomEndpoint = v })
 	resp.EphemeralResourceData = ephemeralProviderData
 
 	providerData.Version = p.version