feat: Support Federated Identity Providers for service accounts

[JorTurFer]

Description

As STACKIT supports workload identity federation via public API, this PR supports it as part of terraform

Checklist

• Code format was applied: make fmt
• Examples were added / adjusted (see examples/ directory)
• Docs are up-to-date: make generate-docs (will be checked by CI)
• Unit tests got implemented or updated
• Acceptance tests got implemented or updated (see e.g. here)
• Unit tests are passing: make test (will be checked by CI)
• No linter issues: make lint (will be checked by CI)

[github-actions]

This PR was marked as stale after 7 days of inactivity and will be closed after another 7 days of further inactivity. If this PR should be kept open, just add a comment, remove the stale label or push new commits to it.

[JorTurFer]

not stale

[github-actions]

This PR was marked as stale after 7 days of inactivity and will be closed after another 7 days of further inactivity. If this PR should be kept open, just add a comment, remove the stale label or push new commits to it.

[github-actions]

This PR was closed automatically because it has been stalled for 7 days with no activity. Feel free to re-open it at any time.

[Fyusel]

Hi @JorTurFer,
had a first look 👍
What about a datasource?

[Fyusel]

As far as I can see this function does not return a good error message what IDs(attributes) are needed.

E.g. looking at the other resources we have something like this:

idParts := strings.Split(req.ID, core.Separator)
if len(idParts) != 3 || idParts[0] == "" || idParts[1] == "" || idParts[2] == "" {
	core.LogAndAddError(ctx, &resp.Diagnostics,
		"Error importing image",
		fmt.Sprintf("Expected import identifier with format: [project_id],[region],[image_id]  Got: %q", req.ID),
	)
	return
}

ctx = utils.SetAndLogStateFields(ctx, &resp.Diagnostics, &resp.State, map[string]any{
	"project_id": idParts[0],
	"region":     idParts[1],
	"image_id":   idParts[2],
})

tflog.Info(ctx, "Image state imported")

[Fyusel]

@JorTurFer This is still open

[JorTurFer]

I missed this, sorry. Now it's fixed

[JorTurFer]

What about a datasource?

As this is something that we are waiting for integrations, I'd prefer to not depend on the datasource. I'm willing to open a follow up PR adding the datasource but I'm not sure it makes sense as it's not unique, so a customer can just create another one and eventually delete the duplicated, but as I said, if you think that it's useful, it's fine for me and I'm willing to create it in another PR or as part of this if they must be added at same time

[Fyusel]

Is this correct? In the API this is not listed as required (https://docs.api.stackit.cloud/documentation/service-account/version/v2#tag/v2/operation/post-projects-projectId-service-accounts-federations)

[JorTurFer]

it is required indeed, there is a validation on backend that rejects the request if there isn't any assertion and also if there isn't any assertion for aud in specific.

[Fyusel]

Ok, can you update the API doc as well, please

[Fyusel]

We need a GET endpoint here. Then the filtering below can be removed.

Additionally a datasource for thsi GET endpoint can be implemented.
A datasource for the list endpoint is not needed right now since we need to check how a good approach looks like for pagination.

[Fyusel]

To summarize:

• GET endpoint is needed (Read() in resource needs to be updated)
• datasource for GET endpoint is needed
• datasource for LIST is not needed