From 5872de621f69dc8ac908b59aa92d5f6566adeca4 Mon Sep 17 00:00:00 2001 From: Frank Louwers Date: Fri, 28 Nov 2025 08:44:25 +0100 Subject: [PATCH 1/2] feat: add CLI authentication support for provider configuration This commit adds support for CLI-based authentication in the Terraform provider, enabling users to authenticate using credentials from the STACKIT CLI without managing separate service account credentials. Changes: - Add cli_auth boolean attribute to enable CLI authentication - Add cli_profile string attribute for profile selection - Implement authentication priority: explicit credentials > CLI > env vars - Integrate with SDK's WithCLIProviderAuth() configuration option The implementation follows the explicit opt-in pattern requested in RFC #880, requiring users to set cli_auth = true to enable the feature. Profile resolution follows the standard precedence: explicit config > STACKIT_CLI_PROFILE env var > ~/.config/stackit/cli-profile.txt > default. This change depends on SDK PR stackitcloud/stackit-sdk-go#3865 which adds the core CLI authentication functionality, and CLI PR stackitcloud/stackit-cli#1130 which implements the provider credential storage. Closes #719 Related to #880 --- stackit/provider.go | 50 +++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 48 insertions(+), 2 deletions(-) diff --git a/stackit/provider.go b/stackit/provider.go index 3a2795ad3..9cc00194a 100644 --- a/stackit/provider.go +++ b/stackit/provider.go 
@@ -160,8 +160,10 @@ type providerModel struct { SqlServerFlexCustomEndpoint types.String `tfsdk:"sqlserverflex_custom_endpoint"` TokenCustomEndpoint types.String `tfsdk:"token_custom_endpoint"` - EnableBetaResources types.Bool `tfsdk:"enable_beta_resources"` - Experiments types.List `tfsdk:"experiments"` + EnableBetaResources types.Bool `tfsdk:"enable_beta_resources"` + Experiments types.List `tfsdk:"experiments"` + CliAuth types.Bool `tfsdk:"cli_auth"` + CliProfile types.String `tfsdk:"cli_profile"` } // Schema defines the provider-level schema for configuration data. @@ -205,6 +207,8 @@ func (p *Provider) Schema(_ context.Context, _ provider.SchemaRequest, resp *pro "token_custom_endpoint": "Custom endpoint for the token API, which is used to request access tokens when using the key flow", "enable_beta_resources": "Enable beta resources. Default is false.", "experiments": fmt.Sprintf("Enables experiments. These are unstable features without official support. More information can be found in the README. Available Experiments: %v", strings.Join(features.AvailableExperiments, ", ")), + "cli_auth": "Enable authentication using STACKIT CLI credentials. When enabled, the provider will use credentials from 'stackit auth provider login' if no explicit service account credentials are provided. Default is false.", + "cli_profile": "STACKIT CLI profile to use for authentication when cli_auth is enabled. If not specified, uses STACKIT_CLI_PROFILE environment variable, then ~/.config/stackit/cli-profile.txt, then 'default'.", } resp.Schema = schema.Schema{ @@ -374,6 +378,14 @@ func (p *Provider) Schema(_ context.Context, _ provider.SchemaRequest, resp *pro Optional: true, Description: descriptions["token_custom_endpoint"], }, + "cli_auth": schema.BoolAttribute{ + Optional: true, + Description: descriptions["cli_auth"], + }, + "cli_profile": schema.StringAttribute{ + Optional: true, + Description: descriptions["cli_profile"], + }, }, } } 
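Review bot: The `cli_auth` description in the `descriptions` map (second hunk) does not say that CLI credentials are used ahead of environment variables and the credentials file, which is the order the new comment in `Configure` states. A user who has service-account credentials in the environment and sets `cli_auth = true` will run under the CLI identity, and nothing in the attribute text tells them so. I would append a sentence such as `CLI credentials take precedence over credentials from environment variables and the credentials file.` to the `cli_auth` entry.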
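Review bot: `cli_profile` is accepted without any check against `cli_auth` (third hunk), so a configuration that sets a profile but leaves `cli_auth` unset or false, or also sets explicit credentials, is silently run under a different identity than the profile name suggests. A warning diagnostic on the `cli_profile` attribute when it is set but unused would make that visible; it belongs in `Configure`, which is outside this hunk. The value is also passed on unvalidated, so if the SDK uses it to locate stored credentials (not visible here), a validator restricting it to the profile-name characters the CLI allows would be a sensible addition.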
@@ -460,6 +472,40 @@ func (p *Provider) Configure(ctx context.Context, req provider.ConfigureRequest, providerData.Experiments = experimentValues } + // Setup authentication with priority order: + // 1. Explicit provider configuration (service_account_key, token, etc.) + // 2. CLI provider credentials (if cli_auth = true and authenticated via STACKIT CLI) + // 3. Environment variables and credentials file (handled by sdkauth.SetupAuth) + var err error + + // Check if CLI auth is explicitly enabled + cliAuthEnabled := !providerConfig.CliAuth.IsNull() && !providerConfig.CliAuth.IsUnknown() && providerConfig.CliAuth.ValueBool() + + // Check if explicit authentication is configured + hasExplicitAuth := (!providerConfig.ServiceAccountKey.IsNull() && !providerConfig.ServiceAccountKey.IsUnknown()) || + (!providerConfig.ServiceAccountKeyPath.IsNull() && !providerConfig.ServiceAccountKeyPath.IsUnknown()) || + (!providerConfig.Token.IsNull() && !providerConfig.Token.IsUnknown()) + + // Configure CLI provider authentication via SDK if enabled + if !hasExplicitAuth && cliAuthEnabled { + // Get CLI profile from config + var cliProfile string + if !providerConfig.CliProfile.IsNull() && !providerConfig.CliProfile.IsUnknown() { + cliProfile = providerConfig.CliProfile.ValueString() + } + + // Apply CLI provider auth configuration option + // The SDK will handle credential reading, token refresh, and authentication + err := config.WithCLIProviderAuth(cliProfile)(sdkConfig) + if err != nil { + core.LogAndAddError(ctx, &resp.Diagnostics, "Error configuring provider", + fmt.Sprintf("%v", err)) + return + } + } + + // Setup authentication using the configured SDK + // This respects explicit credentials, CLI auth (if enabled), or env vars/credentials file roundTripper, err := sdkauth.SetupAuth(sdkConfig) if err != nil { core.LogAndAddError(ctx, &resp.Diagnostics, "Error configuring provider", fmt.Sprintf("Setting up authentication: %v", err)) 
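Review bot: `hasExplicitAuth` treats an unknown credential attribute as absent, so if the service account key, key path or token is not yet known when `Configure` runs, `cli_auth = true` takes over and the provider may act under the CLI user's identity instead of the configured service account; an empty string, by contrast, counts as explicit. Only three attributes are checked although the comment says "etc.", so any other credential attribute on `providerModel` (not visible in this hunk) should be included as well. I would count unknown as set and require a non-empty value, as sketched below, and give the CLI error some context, e.g. `fmt.Sprintf("Configuring CLI authentication: %v", err)`. The added `var err error` is redundant, since the inner `err :=` shadows it and `roundTripper, err :=` would declare it anyway. `Configure` begins before and continues after this hunk.

```go
// A credential attribute counts as configured when it is unknown (its value
// arrives later) or holds a non-empty string; only a null or empty attribute
// lets CLI credentials take over.
isSet := func(v types.String) bool {
	return v.IsUnknown() || (!v.IsNull() && v.ValueString() != "")
}
hasExplicitAuth := isSet(providerConfig.ServiceAccountKey) ||
	isSet(providerConfig.ServiceAccountKeyPath) ||
	isSet(providerConfig.Token)

// … unchanged: CLI profile lookup and config.WithCLIProviderAuth call …
```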
From 8a3bd780eb76e2b4aa04f65facd9d0a27920c532 Mon Sep 17 00:00:00 2001 From: Frank Louwers Date: Fri, 28 Nov 2025 09:07:59 +0100 Subject: [PATCH 2/2] chore: add temporary replace directive for SDK CLI auth support Add replace directive to use SDK fork with CLI authentication support from PR stackitcloud/stackit-sdk-go#3865 until it's merged and released. This allows the provider to be built and tested with the CLI auth functionality before the SDK changes are officially released. The replace directive references commit 25b6b99bd648 from github.com/franklouwers/stackit-sdk-go/core which includes the core/cliauth package and config.WithCLIProviderAuth() function. Once SDK PR #3865 is merged and a new SDK version is released, this replace directive should be removed and the provider updated to require the new SDK version. --- go.mod | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/go.mod b/go.mod index ffd2c117d..54125bba9 100644 --- a/go.mod +++ b/go.mod @@ -102,3 +102,9 @@ require ( ) tool golang.org/x/tools/cmd/goimports + +// Temporary: Use local SDK with CLI auth support until SDK PR #3865 is merged +// See: https://github.com/stackitcloud/stackit-sdk-go/pull/3865 +// For testing, use: replace github.com/stackitcloud/stackit-sdk-go/core => ../stackit-sdk-go/core +// For CI/others: replace github.com/stackitcloud/stackit-sdk-go/core => github.com/franklouwers/stackit-sdk-go/core v0.0.0-20251127223915-25b6b99bd648 +replace github.com/stackitcloud/stackit-sdk-go/core => github.com/franklouwers/stackit-sdk-go/core v0.0.0-20251127223915-25b6b99bd648
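Review bot: The `replace` directive makes every build of the provider take `github.com/stackitcloud/stackit-sdk-go/core`, the module that supplies `config.WithCLIProviderAuth()` and the `core/cliauth` package, from a personal fork at an unreleased pseudo-version, so credential-handling code in a shipped binary would come from outside the upstream review path. The commit message calls this temporary, but nothing enforces it; a CI step that fails release builds when `go.mod` contains a `replace` line would keep it from shipping by accident. The patch touches only `go.mod` (1 file changed), so unless `go.sum` already carries hashes for the fork module, builds that run with `-mod=readonly` are likely to fail on the missing entries. The first comment line says "Use local SDK" while the active directive points at the fork; `// Temporary: use SDK fork with CLI auth support until SDK PR #3865 is merged and released` would match what the directive does.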