review changes 5 (improve note docs)

h3adex · h3adex · commit d35433332e3d · 2025-11-28T16:13:08.000+01:00
Signed-off-by: Mauritz Uphoff &lt;mauritz.uphoff@stackit.cloud&gt;
diff --git a/docs/ephemeral-resources/access_token.md b/docs/ephemeral-resources/access_token.md
@@ -3,15 +3,17 @@
 page_title: "stackit_access_token Ephemeral Resource - stackit"
 subcategory: ""
 description: |-
-  Ephemeral resource that generates a short-lived STACKIT access token (JWT) using a service account key. A new token is generated each time the resource is evaluated, and it remains consistent for the duration of a Terraform operation. If a private key is not explicitly provided, the provider attempts to extract it from the service account key instead. Token generation logic prioritizes environment variables first, followed by provider configuration. Access tokens generated from service account keys expire after 60 minutes.
+  Ephemeral resource that generates a short-lived STACKIT access token (JWT) using a service account key. A new token is generated each time the resource is evaluated, and it remains consistent for the duration of a Terraform operation. If a private key is not explicitly provided, the provider attempts to extract it from the service account key instead. Access tokens generated from service account keys expire after 60 minutes.
   ~> This ephemeral-resource is in beta and may be subject to breaking changes in the future. Use with caution. See our guide https://registry.terraform.io/providers/stackitcloud/stackit/latest/docs/guides/opting_into_beta_resources for how to opt-in to use beta resources.
+  ~> Important: A service account key credentials must be configured either in the STACKIT provider configuration or via environment variables. If any other authentication method is configured, this ephemeral resource generation will fail with an error.
 ---
 
 # stackit_access_token (Ephemeral Resource)
 
-Ephemeral resource that generates a short-lived STACKIT access token (JWT) using a service account key. A new token is generated each time the resource is evaluated, and it remains consistent for the duration of a Terraform operation. If a private key is not explicitly provided, the provider attempts to extract it from the service account key instead. Token generation logic prioritizes environment variables first, followed by provider configuration. Access tokens generated from service account keys expire after 60 minutes.
+Ephemeral resource that generates a short-lived STACKIT access token (JWT) using a service account key. A new token is generated each time the resource is evaluated, and it remains consistent for the duration of a Terraform operation. If a private key is not explicitly provided, the provider attempts to extract it from the service account key instead. Access tokens generated from service account keys expire after 60 minutes.
 
 ~> This ephemeral-resource is in beta and may be subject to breaking changes in the future. Use with caution. See our [guide](https://registry.terraform.io/providers/stackitcloud/stackit/latest/docs/guides/opting_into_beta_resources) for how to opt-in to use beta resources.
+~> Important: A service account key credentials must be configured either in the STACKIT provider configuration or via environment variables. If any other authentication method is configured, this ephemeral resource generation will fail with an error.
 
 ## Example Usage
 
diff --git a/stackit/internal/services/access_token/ephemeral_resource.go b/stackit/internal/services/access_token/ephemeral_resource.go
@@ -36,7 +36,7 @@ func (e *accessTokenEphemeralResource) Configure(ctx context.Context, req epheme
 
 	features.CheckBetaResourcesEnabled(
 		ctx,
-		&core.ProviderData{EnableBetaResources: ephemeralProviderData.EnableBetaResources},
+		&ephemeralProviderData.ProviderData,
 		&resp.Diagnostics,
 		"stackit_access_token", "ephemeral_resource",
 	)
@@ -62,12 +62,18 @@ func (e *accessTokenEphemeralResource) Metadata(_ context.Context, req ephemeral
 }
 
 func (e *accessTokenEphemeralResource) Schema(_ context.Context, _ ephemeral.SchemaRequest, resp *ephemeral.SchemaResponse) {
-	resp.Schema = schema.Schema{
-		Description: features.AddBetaDescription("Ephemeral resource that generates a short-lived STACKIT access token (JWT) using a service account key. "+
+	description := features.AddBetaDescription(
+		"Ephemeral resource that generates a short-lived STACKIT access token (JWT) using a service account key. "+
 			"A new token is generated each time the resource is evaluated, and it remains consistent for the duration of a Terraform operation. "+
 			"If a private key is not explicitly provided, the provider attempts to extract it from the service account key instead. "+
-			"Token generation logic prioritizes environment variables first, followed by provider configuration. "+
-			"Access tokens generated from service account keys expire after 60 minutes.", core.EphemeralResource),
+			"Access tokens generated from service account keys expire after 60 minutes.",
+		core.EphemeralResource,
+	)
+	descriptionNote := "~> Important: A service account key credentials must be configured either in the STACKIT provider configuration or via environment variables. " +
+		"If any other authentication method is configured, this ephemeral resource generation will fail with an error."
+
+	resp.Schema = schema.Schema{
+		Description: fmt.Sprintf("%s\n%s", description, descriptionNote),
 		Attributes: map[string]schema.Attribute{
 			"access_token": schema.StringAttribute{
 				Description: "JWT access token for STACKIT API authentication.",
