Skip to content

feat(keymanager): add algorithm field to allow custom key algorithms #3403

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 13 commits into from
Oct 16, 2025
Merged

feat(keymanager): add algorithm field to allow custom key algorithms #3403

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
b9f9c11
feat(keymanager): add algorithm field to allow custom key algorithms
jremy42 Oct 13, 2025
f4084d5
docs(keymanager): document algorithm parameter with examples
jremy42 Oct 13, 2025
44689b7
test(keymanager): add tests and cassettes for algorithm parameter
jremy42 Oct 13, 2025
92ec184
test(keymanager): add cassette for custom algorithm test
jremy42 Oct 13, 2025
68f288e
feat: allow explicit algorithm selection in Key Manager keys
jremy42 Oct 14, 2025
837951b
fix: lint issues in Key Manager implementation
jremy42 Oct 14, 2025
b21dcfa
feat: use SDK enums for Key Manager algorithm validation
jremy42 Oct 14, 2025
209596d
feat: refactor Key Manager to use usage + algorithm (AWS-like approach)
jremy42 Oct 14, 2025
9fbe902
chore: go mod tidy
jremy42 Oct 14, 2025
243eab5
refactor: remove comments from functions
jremy42 Oct 14, 2025
67a19c4
Merge branch 'master' into feat/keymanager-algorithm-selection
jremy42 Oct 14, 2025
8b140db
Merge branch 'master' into feat/keymanager-algorithm-selection
jremy42 Oct 15, 2025
54ab099
Merge branch 'master' into feat/keymanager-algorithm-selection
jremy42 Oct 16, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
67 changes: 59 additions & 8 deletions internal/services/keymanager/helpers.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,21 +13,27 @@ import (
"github.com/scaleway/terraform-provider-scaleway/v2/internal/types"
)

const (
usageSymmetricEncryption = "symmetric_encryption"
usageAsymmetricEncryption = "asymmetric_encryption"
usageAsymmetricSigning = "asymmetric_signing"
)

func UsageToString(u *key_manager.KeyUsage) string {
if u == nil {
return ""
}

if u.SymmetricEncryption != nil {
return "symmetric_encryption"
return usageSymmetricEncryption
}

if u.AsymmetricEncryption != nil {
return "asymmetric_encryption"
return usageAsymmetricEncryption
}

if u.AsymmetricSigning != nil {
return "asymmetric_signing"
return usageAsymmetricSigning
}

return ""
Expand Down Expand Up @@ -55,17 +61,43 @@ func NewKeyManagerAPIWithRegionAndID(m any, id string) (*key_manager.API, scw.Re
return client, region, keyID, nil
}

func ExpandKeyUsage(usage string) *key_manager.KeyUsage {
func ExpandKeyUsageFromFields(d *schema.ResourceData) *key_manager.KeyUsage {
if v, ok := d.GetOk("usage_symmetric_encryption"); ok {
alg := key_manager.KeyAlgorithmSymmetricEncryption(v.(string))

return &key_manager.KeyUsage{SymmetricEncryption: &alg}
}

if v, ok := d.GetOk("usage_asymmetric_encryption"); ok {
alg := key_manager.KeyAlgorithmAsymmetricEncryption(v.(string))

return &key_manager.KeyUsage{AsymmetricEncryption: &alg}
}

if v, ok := d.GetOk("usage_asymmetric_signing"); ok {
alg := key_manager.KeyAlgorithmAsymmetricSigning(v.(string))

return &key_manager.KeyUsage{AsymmetricSigning: &alg}
}

if v, ok := d.GetOk("usage"); ok {
return ExpandKeyUsageLegacy(v.(string))
}

return nil
}

func ExpandKeyUsageLegacy(usage string) *key_manager.KeyUsage {
switch usage {
case "symmetric_encryption":
case usageSymmetricEncryption:
alg := key_manager.KeyAlgorithmSymmetricEncryptionAes256Gcm

return &key_manager.KeyUsage{SymmetricEncryption: &alg}
case "asymmetric_encryption":
case usageAsymmetricEncryption:
alg := key_manager.KeyAlgorithmAsymmetricEncryptionRsaOaep3072Sha256

return &key_manager.KeyUsage{AsymmetricEncryption: &alg}
case "asymmetric_signing":
case usageAsymmetricSigning:
alg := key_manager.KeyAlgorithmAsymmetricSigningEcP256Sha256

return &key_manager.KeyUsage{AsymmetricSigning: &alg}
Expand All @@ -74,6 +106,26 @@ func ExpandKeyUsage(usage string) *key_manager.KeyUsage {
}
}

func AlgorithmFromKeyUsage(u *key_manager.KeyUsage) string {
if u == nil {
return ""
}

if u.SymmetricEncryption != nil {
return string(*u.SymmetricEncryption)
}

if u.AsymmetricEncryption != nil {
return string(*u.AsymmetricEncryption)
}

if u.AsymmetricSigning != nil {
return string(*u.AsymmetricSigning)
}

return ""
}

func ExpandKeyRotationPolicy(v any) (*key_manager.KeyRotationPolicy, error) {
list, ok := v.([]any)
if !ok || len(list) == 0 {
Expand All @@ -99,7 +151,6 @@ func ExpandKeyRotationPolicy(v any) (*key_manager.KeyRotationPolicy, error) {
RotationPeriod: scw.NewDurationFromTimeDuration(period),
}

// Handle next_rotation_at if provided
if nextRotationStr, ok := m["next_rotation_at"].(string); ok && nextRotationStr != "" {
nextRotation, err := time.Parse(time.RFC3339, nextRotationStr)
if err != nil {
Expand Down
80 changes: 77 additions & 3 deletions internal/services/keymanager/key_resource.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,15 +2,19 @@ package keymanager

import (
"context"
"fmt"

"github.com/hashicorp/go-cty/cty"
"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/customdiff"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
key_manager "github.com/scaleway/scaleway-sdk-go/api/key_manager/v1alpha1"
"github.com/scaleway/terraform-provider-scaleway/v2/internal/dsf"
"github.com/scaleway/terraform-provider-scaleway/v2/internal/locality/regional"
"github.com/scaleway/terraform-provider-scaleway/v2/internal/services/account"
"github.com/scaleway/terraform-provider-scaleway/v2/internal/types"
"github.com/scaleway/terraform-provider-scaleway/v2/internal/verify"
)

func ResourceKeyManagerKey() *schema.Resource {
Expand All @@ -19,6 +23,9 @@ func ResourceKeyManagerKey() *schema.Resource {
ReadContext: resourceKeyManagerKeyRead,
UpdateContext: resourceKeyManagerKeyUpdate,
DeleteContext: resourceKeyManagerKeyDelete,
CustomizeDiff: customdiff.All(
validateUsageAlgorithmCombination(),
),
Schema: map[string]*schema.Schema{
"name": {
Type: schema.TypeString,
Expand All @@ -33,7 +40,32 @@ func ResourceKeyManagerKey() *schema.Resource {
ValidateFunc: validation.StringInSlice([]string{
"symmetric_encryption", "asymmetric_encryption", "asymmetric_signing",
}, false),
Description: "Key usage. Keys with a usage set to 'symmetric_encryption' can encrypt and decrypt data using the AES-256-GCM key algorithm. Possible values: symmetric_encryption, asymmetric_encryption, asymmetric_signing.",
Description: "Key usage type. Possible values: symmetric_encryption, asymmetric_encryption, asymmetric_signing.",
},
"algorithm": {
Type: schema.TypeString,
Required: true,
Description: "Algorithm to use for the key. The valid algorithms depend on the usage type.",
ValidateDiagFunc: func(i any, p cty.Path) diag.Diagnostics {
var allKnownAlgos []string

symAlgos := key_manager.KeyAlgorithmSymmetricEncryption("").Values()
for _, algo := range symAlgos {
allKnownAlgos = append(allKnownAlgos, string(algo))
}

asymEncAlgos := key_manager.KeyAlgorithmAsymmetricEncryption("").Values()
for _, algo := range asymEncAlgos {
allKnownAlgos = append(allKnownAlgos, string(algo))
}

asymSignAlgos := key_manager.KeyAlgorithmAsymmetricSigning("").Values()
for _, algo := range asymSignAlgos {
allKnownAlgos = append(allKnownAlgos, string(algo))
}

return verify.ValidateStringInSliceWithWarning(allKnownAlgos, "algorithm")(i, p)
},
},
"description": {
Type: schema.TypeString,
Expand Down Expand Up @@ -116,7 +148,15 @@ func resourceKeyManagerKeyCreate(ctx context.Context, d *schema.ResourceData, m
createReq.Origin = key_manager.KeyOrigin(v.(string))
}

createReq.Usage = ExpandKeyUsage(d.Get("usage").(string))
usage := d.Get("usage").(string)
algorithm := d.Get("algorithm").(string)

keyUsage, err := expandUsageAlgorithm(usage, algorithm)
if err != nil {
return diag.FromErr(err)
}

createReq.Usage = keyUsage

key, err := api.CreateKey(createReq)
if err != nil {
Expand Down Expand Up @@ -145,7 +185,13 @@ func resourceKeyManagerKeyRead(ctx context.Context, d *schema.ResourceData, m an
_ = d.Set("name", key.Name)
_ = d.Set("project_id", key.ProjectID)
_ = d.Set("region", key.Region.String())
_ = d.Set("usage", UsageToString(key.Usage))

usageType := UsageToString(key.Usage)
algorithm := AlgorithmFromKeyUsage(key.Usage)

_ = d.Set("usage", usageType)
_ = d.Set("algorithm", algorithm)

_ = d.Set("description", key.Description)
_ = d.Set("tags", key.Tags)
_ = d.Set("rotation_count", int(key.RotationCount))
Expand Down Expand Up @@ -222,3 +268,31 @@ func resourceKeyManagerKeyDelete(ctx context.Context, d *schema.ResourceData, m

return nil
}

func validateUsageAlgorithmCombination() schema.CustomizeDiffFunc {
return func(ctx context.Context, diff *schema.ResourceDiff, _ any) error {
return nil
}
}

func expandUsageAlgorithm(usage, algorithm string) (*key_manager.KeyUsage, error) {
switch usage {
case usageSymmetricEncryption:
typedAlgo := key_manager.KeyAlgorithmSymmetricEncryption(algorithm)

return &key_manager.KeyUsage{SymmetricEncryption: &typedAlgo}, nil

case usageAsymmetricEncryption:
typedAlgo := key_manager.KeyAlgorithmAsymmetricEncryption(algorithm)

return &key_manager.KeyUsage{AsymmetricEncryption: &typedAlgo}, nil

case usageAsymmetricSigning:
typedAlgo := key_manager.KeyAlgorithmAsymmetricSigning(algorithm)

return &key_manager.KeyUsage{AsymmetricSigning: &typedAlgo}, nil

default:
return nil, fmt.Errorf("unknown usage type: %s", usage)
}
}
Loading
Loading