feat(iam): datasource to query service-accounts (#1256)

* feat(iam): datasource to query service-accounts

Signed-off-by: Mauritz Uphoff <mauritz.uphoff@stackit.cloud>

* feat(iam): added service account id attribute and removed service account token resource

Signed-off-by: Mauritz Uphoff <mauritz.uphoff@stackit.cloud>

---------

Signed-off-by: Mauritz Uphoff <mauritz.uphoff@stackit.cloud>
Co-authored-by: cgoetz-inovex <carlo.goetz@inovex.de>

Author: h3adex

docs/data-sources/service_account.md

@@ -31,3 +31,4 @@ data "stackit_service_account" "sa" {
 
 - `id` (String) Terraform's internal resource ID, structured as "`project_id`,`email`".
 - `name` (String) Name of the service account.
+- `service_account_id` (String) The internal UUID of the service account.

docs/data-sources/service_accounts.md

@@ -0,0 +1,67 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stackit_service_accounts Data Source - stackit"
+subcategory: ""
+description: |-
+  Service accounts plural data source schema. Returns a list of all service accounts in a project, optionally filtered.
+---
+
+# stackit_service_accounts (Data Source)
+
+Service accounts plural data source schema. Returns a list of all service accounts in a project, optionally filtered.
+
+## Example Usage
+
+```terraform
+data "stackit_service_accounts" "all_sas" {
+  project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+}
+
+data "stackit_service_accounts" "sas_default_suffix" {
+  project_id   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  email_suffix = "@sa.stackit.cloud"
+}
+
+data "stackit_service_accounts" "sas_default_suffix_sort_asc" {
+  project_id     = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  email_suffix   = "@sa.stackit.cloud"
+  sort_ascending = true
+}
+
+data "stackit_service_accounts" "sas_ske_regex" {
+  project_id  = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  email_regex = ".*@ske\\.sa\\.stackit\\.cloud$"
+}
+
+data "stackit_service_accounts" "sas_ske_suffix" {
+  project_id   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  email_suffix = "@ske.sa.stackit.cloud"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `project_id` (String) STACKIT project ID.
+
+### Optional
+
+- `email_regex` (String) Optional regular expression to filter service accounts by email.
+- `email_suffix` (String) Optional suffix to filter service accounts by email (e.g.,`@sa.stackit.cloud`, `@ske.sa.stackit.cloud`).
+- `sort_ascending` (Boolean) If set to `true`, service accounts are sorted in ascending lexicographical order by email. Defaults to `false` (descending).
+
+### Read-Only
+
+- `id` (String) Terraform's internal resource ID, structured as "`project_id`".
+- `items` (Attributes List) The list of service accounts matching the provided filters. (see [below for nested schema](#nestedatt--items))
+
+<a id="nestedatt--items"></a>
+### Nested Schema for `items`
+
+Read-Only:
+
+- `email` (String) Email of the service account.
+- `name` (String) Name of the service account.
+- `service_account_id` (String) The internal UUID of the service account.

docs/resources/service_account.md

@@ -37,3 +37,4 @@ import {
 
 - `email` (String) Email of the service account.
 - `id` (String) Terraform's internal resource ID, structured as "`project_id`,`email`".
+- `service_account_id` (String) The internal UUID of the service account.

docs/resources/service_account_access_token.md

@@ -0,0 +1,24 @@
+data "stackit_service_accounts" "all_sas" {
+  project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+}
+
+data "stackit_service_accounts" "sas_default_suffix" {
+  project_id   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  email_suffix = "@sa.stackit.cloud"
+}
+
+data "stackit_service_accounts" "sas_default_suffix_sort_asc" {
+  project_id     = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  email_suffix   = "@sa.stackit.cloud"
+  sort_ascending = true
+}
+
+data "stackit_service_accounts" "sas_ske_regex" {
+  project_id  = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  email_regex = ".*@ske\\.sa\\.stackit\\.cloud$"
+}
+
+data "stackit_service_accounts" "sas_ske_suffix" {
+  project_id   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  email_suffix = "@ske.sa.stackit.cloud"
+}

examples/data-sources/stackit_service_accounts/data-source.tf

@@ -56,15 +56,14 @@ func (r *serviceAccountDataSource) Metadata(_ context.Context, req datasource.Me
 // Schema defines the schema for the service account data source.
 func (r *serviceAccountDataSource) Schema(_ context.Context, _ datasource.SchemaRequest, resp *datasource.SchemaResponse) {
 	descriptions := map[string]string{
-		"id":         "Terraform's internal resource ID, structured as \"`project_id`,`email`\".",
-		"project_id": "STACKIT project ID to which the service account is associated.",
-		"name":       "Name of the service account.",
-		"email":      "Email of the service account.",
+		"id":                 "Terraform's internal resource ID, structured as \"`project_id`,`email`\".",
+		"project_id":         "STACKIT project ID to which the service account is associated.",
+		"service_account_id": "The internal UUID of the service account.",
+		"name":               "Name of the service account.",
+		"email":              "Email of the service account.",
 	}
 
 	// Define the schema with validation rules and descriptions for each attribute.
-	// The datasource schema differs slightly from the resource schema.
-	// In this case, the email attribute is required to read the service account data from the API.
 	resp.Schema = schema.Schema{
 		MarkdownDescription: "Service account data source schema.",
 		Description:         "Service account data source schema.",
@@ -81,6 +80,13 @@ func (r *serviceAccountDataSource) Schema(_ context.Context, _ datasource.Schema
 					validate.NoSeparator(),
 				},
 			},
+			"service_account_id": schema.StringAttribute{
+				Description: descriptions["service_account_id"],
+				Computed:    true,
+				Validators: []validator.String{
+					validate.UUID(),
+				},
+			},
 			"email": schema.StringAttribute{
 				Description: descriptions["email"],
 				Required:    true,
@@ -140,7 +146,7 @@ func (r *serviceAccountDataSource) Read(ctx context.Context, req datasource.Read
 		}
 
 		// Try to parse the name from the provided email address
-		name, err := parseNameFromEmail(model.Email.ValueString())
+		name, err := serviceaccountUtils.ParseNameFromEmail(model.Email.ValueString())
 		if name != "" && err == nil {
 			model.Name = types.StringValue(name)
 		}

stackit/internal/services/serviceaccount/account/datasource.go

@@ -35,10 +35,11 @@ var (
 
 // Model represents the schema for the service account resource.
 type Model struct {
-	Id        types.String `tfsdk:"id"`         // Required by Terraform
-	ProjectId types.String `tfsdk:"project_id"` // ProjectId associated with the service account
-	Name      types.String `tfsdk:"name"`       // Name of the service account
-	Email     types.String `tfsdk:"email"`      // Email linked to the service account
+	Id               types.String `tfsdk:"id"`                 // Required by Terraform
+	ProjectId        types.String `tfsdk:"project_id"`         // ProjectId associated with the service account
+	ServiceAccountId types.String `tfsdk:"service_account_id"` // Internal ID of the service account
+	Name             types.String `tfsdk:"name"`               // Name of the service account
+	Email            types.String `tfsdk:"email"`              // Email linked to the service account
 }
 
 // NewServiceAccountResource is a helper function to create a new service account resource instance.
@@ -74,10 +75,11 @@ func (r *serviceAccountResource) Metadata(_ context.Context, req resource.Metada
 // Schema defines the schema for the resource.
 func (r *serviceAccountResource) Schema(_ context.Context, _ resource.SchemaRequest, resp *resource.SchemaResponse) {
 	descriptions := map[string]string{
-		"id":         "Terraform's internal resource ID, structured as \"`project_id`,`email`\".",
-		"project_id": "STACKIT project ID to which the service account is associated.",
-		"name":       "Name of the service account.",
-		"email":      "Email of the service account.",
+		"id":                 "Terraform's internal resource ID, structured as \"`project_id`,`email`\".",
+		"project_id":         "STACKIT project ID to which the service account is associated.",
+		"service_account_id": "The internal UUID of the service account.",
+		"name":               "Name of the service account.",
+		"email":              "Email of the service account.",
 	}
 
 	resp.Schema = schema.Schema{
@@ -99,6 +101,13 @@ func (r *serviceAccountResource) Schema(_ context.Context, _ resource.SchemaRequ
 					stringplanmodifier.RequiresReplace(),
 				},
 			},
+			"service_account_id": schema.StringAttribute{
+				Description: descriptions["service_account_id"],
+				Computed:    true,
+				Validators: []validator.String{
+					validate.UUID(),
+				},
+			},
 			"name": schema.StringAttribute{
 				Description: descriptions["name"],
 				Required:    true,
@@ -221,11 +230,6 @@ func (r *serviceAccountResource) Read(ctx context.Context, req resource.ReadRequ
 }
 
 // Update attempts to update the resource. In this case, service accounts cannot be updated.
-// Note: This method is intentionally left without update logic because changes
-// to 'project_id' or 'name' require the resource to be entirely replaced.
-// As a result, the Update function is redundant since any modifications will
-// automatically trigger a resource recreation through Terraform's built-in
-// lifecycle management.
 func (r *serviceAccountResource) Update(ctx context.Context, _ resource.UpdateRequest, resp *resource.UpdateResponse) { // nolint:gocritic // function signature required by Terraform
 	// Service accounts cannot be updated, so we log an error.
 	core.LogAndAddError(ctx, &resp.Diagnostics, "Error updating service account", "Service accounts can't be updated")
@@ -280,7 +284,7 @@ func (r *serviceAccountResource) ImportState(ctx context.Context, req resource.I
 	email := idParts[1]
 
 	// Attempt to parse the name from the email if valid.
-	name, err := parseNameFromEmail(email)
+	name, err := serviceaccountUtils.ParseNameFromEmail(email)
 	if name != "" && err == nil {
 		resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("name"), name)...)
 	}
@@ -315,26 +319,15 @@ func mapFields(resp *serviceaccount.ServiceAccount, model *Model) error {
 		return fmt.Errorf("service account email not present")
 	}
 
+	if resp.Id == nil {
+		return fmt.Errorf("service account id not present")
+	}
+
 	// Build the ID by combining the project ID and email and assign the model's fields.
 	model.Id = utils.BuildInternalTerraformId(model.ProjectId.ValueString(), *resp.Email)
+	model.ServiceAccountId = types.StringPointerValue(resp.Id)
 	model.Email = types.StringPointerValue(resp.Email)
 	model.ProjectId = types.StringPointerValue(resp.ProjectId)
 
 	return nil
 }
-
-// parseNameFromEmail extracts the name component from an email address.
-// The email format must be `name-<random7characters>@sa.stackit.cloud`.
-func parseNameFromEmail(email string) (string, error) {
-	namePattern := `^([a-z][a-z0-9]*(?:-[a-z0-9]+)*)-\w{7}@sa\.stackit\.cloud$`
-	re := regexp.MustCompile(namePattern)
-	match := re.FindStringSubmatch(email)
-
-	// If a match is found, return the name component
-	if len(match) > 1 {
-		return match[1], nil
-	}
-
-	// If no match is found, return an error
-	return "", fmt.Errorf("unable to parse name from email")
-}