feat(resource_fastly_object_storage_access_key): add ability to manage access keys (#955)

* feat(resource_fastly_object_storage_access_key): add ability to manage access keys

Author: anthony-gomez-fastly

CHANGELOG.md

@@ -19,6 +19,7 @@
 - feat(fastly_vcl_service): Add DDoS protection product enablement/configuration ([#954](https://github.com/fastly/terraform-provider-fastly/pull/954))
 - feat(fastly_compute_service): Add Next-Gen WAF product enablement/configuration ([#956](https://github.com/fastly/terraform-provider-fastly/pull/956))
 - feat(fastly_vcl_service): Add Next-Gen WAF product enablement/configuration ([#956](https://github.com/fastly/terraform-provider-fastly/pull/956))
+- feat(resource_fastly_object_storage_access_key): Add object storage access keys configuration ([#955](https://github.com/fastly/terraform-provider-fastly/pull/955))
 
 ### BUG FIXES:
 

docs/resources/object_storage_access_keys.md

@@ -0,0 +1,43 @@
+---
+layout: "fastly"
+page_title: "fastly_object_storage_access_keys Resource - terraform-provider-fastly"
+sidebar_current: "docs-fastly-resource-object-storage-access-keys"
+description: |-
+  An access key can be used to manage different object storage buckets in your cloud of choice
+---
+
+# fastly_object_storage_access_keys (Resource)
+
+Provides an Object Storage Access Key, which can be used to manage resources in various clouds.
+
+Implements the [Object Storage Access Key API functions](https://www.fastly.com/documentation/reference/api/services/resources/object-storage-access-keys/)
+
+-> **Note:** Access Keys cannot be updated, so when you change a value in any of the editable fields the key is destroyed and remade
+
+Basic usage
+
+```terraform
+resource "fastly_object_storage_access_keys" "demo" {
+    buckets = ["bucket1", "bucket2" ]
+    description = "this is a bucket"
+    permission = ""
+}
+```
+-> **Note:** Permissions can only be one of these values listed [here](https://quic.fastly.com/documentation/reference/api/services/resources/object-storage-access-keys/#permissions), any other values will return an error
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `description` (String) The description of the access key
+- `permission` (String) The permissions of the access key
+
+### Optional
+
+- `buckets` (List of String) Optional list of buckets the access key will be associated with.  Example: `["bucket1", "bucket2"]`
+
+### Read-Only
+
+- `access_key_id` (String) ID for the object storage access token
+- `id` (String) The ID of this resource.
+- `secret_key` (String, Sensitive) Secret key for the object storage access token

fastly/fastly_test.go

@@ -7,15 +7,13 @@ import (
 	"errors"
 	"fmt"
 	"os"
-	"reflect"
 	"strings"
 	"testing"
 	"text/template"
 
 	mapset "github.com/deckarep/golang-set/v2"
 	gofastly "github.com/fastly/go-fastly/v9/fastly"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
-	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
 )
 
@@ -109,30 +107,6 @@ func appendNewLine(s string) string {
 	return s + "\n"
 }
 
-// assertEqualsSliceOfMaps compares a slice of maps even if they include schema.Set values
-func assertEqualsSliceOfMaps(t *testing.T, actualSlice []map[string]any, expectedSlice []map[string]any) {
-	for i, actualMap := range actualSlice {
-		var keysToBeRemoved []string
-		for key, value := range actualMap {
-			if v, ok := value.(*schema.Set); ok {
-				expected := expectedSlice[i][key]
-				keysToBeRemoved = append(keysToBeRemoved, key)
-				if !v.Equal(expected) {
-					t.Errorf("expected sets %s to be equal: %#v\n     got: %#v", key, expected, actualSlice)
-				}
-			}
-		}
-		for _, key := range keysToBeRemoved {
-			delete(actualMap, key)
-			delete(expectedSlice[i], key)
-		}
-	}
-
-	if !reflect.DeepEqual(actualSlice, expectedSlice) {
-		t.Fatalf("Error matching:\nexpected: %#v\n     got: %#v", expectedSlice, actualSlice)
-	}
-}
-
 // generateHex produces a slice of 16 random bytes.
 // This is useful for dynamically generating resource names.
 func generateHex() string {

fastly/provider.go

@@ -75,6 +75,7 @@ func Provider() *schema.Provider {
 			"fastly_domain_v1":                       resourceFastlyDomainV1(),
 			"fastly_integration":                     resourceFastlyIntegration(),
 			"fastly_kvstore":                         resourceFastlyKVStore(),
+			"fastly_object_storage_access_keys":      resourceObjectStorageAccessKey(),
 			"fastly_secretstore":                     resourceFastlySecretStore(),
 			"fastly_service_acl_entries":             resourceServiceACLEntries(),
 			"fastly_service_authorization":           resourceServiceAuthorization(),

fastly/resource_fastly_object_storage_access_key.go

@@ -0,0 +1,136 @@
+package fastly
+
+import (
+	"context"
+	"log"
+
+	gofastly "github.com/fastly/go-fastly/v9/fastly"
+	"github.com/fastly/go-fastly/v9/fastly/objectstorage/accesskeys"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func resourceObjectStorageAccessKey() *schema.Resource {
+	return &schema.Resource{
+		CreateContext: resourceObjectStorageAccessKeyCreate,
+		ReadContext:   resourceObjectStorageAccessKeyRead,
+		DeleteContext: resourceObjectStorageAccessKeyDelete,
+		Importer: &schema.ResourceImporter{
+			StateContext: schema.ImportStatePassthroughContext,
+		},
+		Schema: map[string]*schema.Schema{
+			"access_key_id": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "ID for the object storage access token",
+			},
+			"buckets": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				Description: "Optional list of buckets the access key will be associated with.  Example: `[\"bucket1\", \"bucket2\"]`",
+				Elem:        &schema.Schema{Type: schema.TypeString},
+				ForceNew:    true,
+			},
+			"description": {
+				Type:        schema.TypeString,
+				Required:    true,
+				Description: "The description of the access key",
+				ForceNew:    true,
+			},
+			"permission": {
+				Type:        schema.TypeString,
+				Required:    true,
+				Description: "The permissions of the access key",
+				ForceNew:    true,
+			},
+			"secret_key": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Sensitive:   true,
+				Description: "Secret key for the object storage access token",
+			},
+		},
+	}
+}
+
+func resourceObjectStorageAccessKeyCreate(_ context.Context, resourceData *schema.ResourceData, meta any) diag.Diagnostics {
+	conn := meta.(*APIClient).conn
+
+	opts := accesskeys.CreateInput{
+		Description: gofastly.ToPointer(resourceData.Get("description").(string)),
+		Permission:  gofastly.ToPointer(resourceData.Get("permission").(string)),
+	}
+
+	buckets := []string{}
+	if val, ok := resourceData.GetOk("buckets"); ok {
+		for _, bucket := range val.([]any) {
+			buckets = append(buckets, bucket.(string))
+		}
+		opts.Buckets = gofastly.ToPointer(buckets)
+	}
+	createdAK, err := accesskeys.Create(conn, &opts)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	if createdAK.AccessKeyID == "" {
+		return diag.Errorf("error: accessKey.AccessKeyID is empty")
+	}
+	resourceData.SetId(createdAK.AccessKeyID)
+	resourceData.Set("access_key_id", createdAK.AccessKeyID)
+	if createdAK.SecretKey == "" {
+		return diag.Errorf("error: accessKey.SecretKey is empty")
+	}
+	resourceData.Set("secret_key", createdAK.SecretKey)
+
+	return nil
+}
+
+func resourceObjectStorageAccessKeyRead(_ context.Context, resourceData *schema.ResourceData, meta any) diag.Diagnostics {
+	log.Printf("[DEBUG] Refreshing Object Storage Access Key Configuration for (%s)", resourceData.Get("access_key_id"))
+	conn := meta.(*APIClient).conn
+
+	opts := accesskeys.GetInput{
+		AccessKeyID: gofastly.ToPointer(resourceData.Id()),
+	}
+
+	readAK, err := accesskeys.Get(conn, &opts)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+	if readAK.Permission != "" {
+		resourceData.Set("permission", readAK.Permission)
+	}
+	if readAK.Description != "" {
+		resourceData.Set("description", readAK.Description)
+	}
+	if len(readAK.Buckets) != 0 {
+		err = resourceData.Set("buckets", readAK.Buckets)
+		if err != nil {
+			return diag.FromErr(err)
+		}
+	}
+	if readAK.SecretKey != "" {
+		resourceData.Set("secret_key", readAK.SecretKey)
+	}
+	if readAK.AccessKeyID != "" {
+		resourceData.Set("access_key_id", readAK.SecretKey)
+	}
+
+	return nil
+}
+
+func resourceObjectStorageAccessKeyDelete(_ context.Context, resourceData *schema.ResourceData, meta any) diag.Diagnostics {
+	conn := meta.(*APIClient).conn
+
+	opts := accesskeys.DeleteInput{
+		AccessKeyID: gofastly.ToPointer(resourceData.Id()),
+	}
+
+	err := accesskeys.Delete(conn, &opts)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	return nil
+}

fastly/resource_fastly_object_storage_access_key_test.go

@@ -0,0 +1,115 @@
+package fastly
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+	"text/template"
+
+	gofastly "github.com/fastly/go-fastly/v9/fastly"
+	"github.com/fastly/go-fastly/v9/fastly/objectstorage/accesskeys"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+)
+
+func TestAccFastlyObjectStorageAccessKey_basic(t *testing.T) {
+	resourceName := "fastly_object_storage_access_keys.storage_key1"
+	var accessKey accesskeys.AccessKey
+	description := fmt.Sprintf("this is a test key %s", acctest.RandString(10))
+	permission := "read-write-objects"
+	bucket1 := "bucket1"
+	bucket2 := "bucket2"
+
+	type Config struct {
+		Description string
+		Permission  string
+		Buckets     []string
+	}
+
+	tmplText := `
+resource "fastly_object_storage_access_keys" "storage_key1" {
+    buckets = ["{{ StringsJoin .Buckets "\", \"" }}"]
+    description = "{{ .Description }}"
+    permission = "{{ .Permission }}"
+}`
+	tmpl, err := template.New("test").Funcs(template.FuncMap{"StringsJoin": strings.Join}).Parse(tmplText)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheck(t)
+		},
+		ProviderFactories: testAccProviders,
+		CheckDestroy:      testAccCheckObjectStorageAccessKeyDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: renderTestConfigTemplate(t, tmpl, Config{
+					Description: description,
+					Permission:  permission,
+					Buckets:     []string{bucket1, bucket2},
+				}),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckObjectStorageAccessKeyExists(resourceName, &accessKey),
+					resource.TestCheckResourceAttr(resourceName, "description", description),
+					resource.TestCheckResourceAttr(resourceName, "permission", permission),
+					resource.TestCheckResourceAttr(resourceName, "buckets.#", "2"),
+					resource.TestCheckTypeSetElemAttr(resourceName, "buckets.*", bucket1),
+					resource.TestCheckTypeSetElemAttr(resourceName, "buckets.*", bucket2),
+					resource.TestCheckResourceAttrSet(resourceName, "secret_key"),
+					resource.TestCheckResourceAttrSet(resourceName, "access_key_id"),
+				),
+			},
+		},
+	})
+}
+
+func testAccCheckObjectStorageAccessKeyExists(n string, accessKey *accesskeys.AccessKey) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[n]
+		if !ok {
+			return fmt.Errorf("not found: %s", n)
+		}
+
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("no ObjectStorageAccessKey ID is set")
+		}
+
+		conn := testAccProvider.Meta().(*APIClient).conn
+		opts := accesskeys.GetInput{
+			AccessKeyID: gofastly.ToPointer(rs.Primary.ID),
+		}
+		ak, err := accesskeys.Get(conn, &opts)
+		if err != nil {
+			return err
+		}
+
+		*accessKey = *ak
+
+		return nil
+	}
+}
+
+func testAccCheckObjectStorageAccessKeyDestroy(s *terraform.State) error {
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "fastly_object_storage_access_keys" {
+			continue
+		}
+
+		conn := testAccProvider.Meta().(*APIClient).conn
+		akl, err := accesskeys.ListAccessKeys(conn)
+		if err != nil {
+			return fmt.Errorf("error getting current accessKeys when deleting Fastly Object Storage AccessKey (%s): %s", rs.Primary.ID, err)
+		}
+
+		for _, ak := range akl.Data {
+			if ak.AccessKeyID == rs.Primary.ID {
+				// accessKey still found
+				return fmt.Errorf("tried deleting ObjectStorageAccessKey (%s), but was still found", rs.Primary.ID)
+			}
+		}
+	}
+	return nil
+}