From eebb6c7ed8e190f8c5702f1cfe66f976026e6a32 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Le=C3=AFla=20Marabese?= Date: Fri, 12 Dec 2025 15:15:39 +0100 Subject: [PATCH] deprecate function token and document new auth with IAM --- docs/resources/function.md | 60 +++++++++++++++++++++- docs/resources/function_token.md | 3 ++ internal/services/function/token.go | 7 +-- templates/resources/function.md.tmpl | 60 +++++++++++++++++++++- templates/resources/function_token.md.tmpl | 3 ++ 5 files changed, 126 insertions(+), 7 deletions(-) diff --git a/docs/resources/function.md b/docs/resources/function.md index 9d3a3da55c..a7b3bd5c56 100644 --- a/docs/resources/function.md +++ b/docs/resources/function.md @@ -23,7 +23,7 @@ resource "scaleway_function_namespace" "main" { resource "scaleway_function" "main" { namespace_id = scaleway_function_namespace.main.id - runtime = "go118" + runtime = "go124" handler = "Handle" privacy = "private" } @@ -43,7 +43,7 @@ resource "scaleway_function" "main" { namespace_id = scaleway_function_namespace.main.id description = "function with zip file" tags = ["tag1", "tag2"] - runtime = "go118" + runtime = "go124" handler = "Handle" privacy = "private" timeout = 10 
@@ -53,6 +53,62 @@ resource "scaleway_function" "main" { } ``` +### Managing authentication of private functions with IAM + +```terraform +# Project to be referenced in the IAM policy +data "scaleway_account_project" "default" { + name = "default" +} + +# IAM resources +resource "scaleway_iam_application" "func_auth" { + name = "function-auth" +} +resource "scaleway_iam_policy" "access_private_funcs" { + application_id = scaleway_iam_application.func_auth.id + rule { + project_ids = [data.scaleway_account_project.default.id] + permission_set_names = ["FunctionsPrivateAccess"] + } +} +resource "scaleway_iam_api_key" "api_key" { + application_id = scaleway_iam_application.func_auth.id +} + +# Function resources +resource "scaleway_function_namespace" "private" { + name = "private-function-namespace" +} +resource "scaleway_function" "private" { + namespace_id = scaleway_function_namespace.private.id + runtime = "go124" + handler = "Handle" + privacy = "private" + zip_file = "function.zip" + zip_hash = filesha256("function.zip") + deploy = true +} + +# Output the secret key and the function's endpoint for the curl command +output "secret_key" { + value = scaleway_iam_api_key.api_key.secret_key + sensitive = true +} +output "function_endpoint" { + value = scaleway_function.private.domain_name +} +``` + +Then you can access your private function using the API key: + +```shell +$ curl -H "X-Auth-Token: $(terraform output -raw secret_key)" \ + "https://$(terraform output -raw function_endpoint)/" +``` + +Keep in mind that you should revoke your legacy JWT tokens to ensure maximum security. + ## Argument Reference The following arguments are supported: diff --git a/docs/resources/function_token.md b/docs/resources/function_token.md index ff3b83560f..afb83a961c 100644 --- a/docs/resources/function_token.md +++ b/docs/resources/function_token.md 
@@ -5,6 +5,9 @@ page_title: "Scaleway: scaleway_function_token" # Resource: scaleway_function_token +~> **Important:** The resource `scaleway_function_token` has been deprecated and will no longer be supported in v1 of the API. +Please use IAM authentication instead. You will find an implementation example in the [IAM authentication](function.md#managing-authentication-of-private-functions-with-iam) section of the Function documentation. + The `scaleway_function_token` resource allows you to create and manage authentication tokens for Scaleway [Serverless Functions](https://www.scaleway.com/en/docs/serverless/functions/). Refer to the Functions tokens [documentation](https://www.scaleway.com/en/docs/serverless/functions/how-to/create-auth-token-from-console/) and [API documentation](https://www.scaleway.com/en/developers/api/serverless-functions/#path-tokens-list-all-tokens) for more information. diff --git a/internal/services/function/token.go b/internal/services/function/token.go index ec20612e29..9f9cda0e73 100644 --- a/internal/services/function/token.go +++ b/internal/services/function/token.go @@ -20,9 +20,10 @@ import ( func ResourceToken() *schema.Resource { return &schema.Resource{ - CreateContext: ResourceFunctionTokenCreate, - ReadContext: ResourceFunctionTokenRead, - DeleteContext: ResourceFunctionTokenDelete, + CreateContext: ResourceFunctionTokenCreate, + ReadContext: ResourceFunctionTokenRead, + DeleteContext: ResourceFunctionTokenDelete, + DeprecationMessage: "The \"scaleway_function_token\" resource is deprecated in favor of IAM authentication", Importer: &schema.ResourceImporter{ StateContext: schema.ImportStatePassthroughContext, }, diff --git a/templates/resources/function.md.tmpl b/templates/resources/function.md.tmpl index 542ca645f3..120885370f 100644 --- a/templates/resources/function.md.tmpl +++ b/templates/resources/function.md.tmpl 
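Review bot: The `DeprecationMessage` added to `ResourceToken` in `internal/services/function/token.go` names the replacement but not the follow-up step, so a user who moves to IAM may leave the legacy token resources, and presumably the JWTs they issued, in place as a second working credential. The documentation added in this same commit already says legacy JWT tokens should be revoked, and the plan-time warning is where most users will actually see that advice, so I would extend the string, e.g. `DeprecationMessage: "The \"scaleway_function_token\" resource is deprecated in favor of IAM authentication; remove existing tokens once callers use an IAM API key (see the scaleway_function documentation)",`. Whether destroying the resource revokes the token server-side is not visible in this hunk and should be confirmed before settling on that wording. `ResourceToken`'s body continues outside the hunk.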
@@ -24,7 +24,7 @@ resource "scaleway_function_namespace" "main" { resource "scaleway_function" "main" { namespace_id = scaleway_function_namespace.main.id - runtime = "go118" + runtime = "go124" handler = "Handle" privacy = "private" } @@ -44,7 +44,7 @@ resource "scaleway_function" "main" { namespace_id = scaleway_function_namespace.main.id description = "function with zip file" tags = ["tag1", "tag2"] - runtime = "go118" + runtime = "go124" handler = "Handle" privacy = "private" timeout = 10 
@@ -54,6 +54,62 @@ resource "scaleway_function" "main" { } ``` +### Managing authentication of private functions with IAM + +```terraform +# Project to be referenced in the IAM policy +data "scaleway_account_project" "default" { + name = "default" +} + +# IAM resources +resource "scaleway_iam_application" "func_auth" { + name = "function-auth" +} +resource "scaleway_iam_policy" "access_private_funcs" { + application_id = scaleway_iam_application.func_auth.id + rule { + project_ids = [data.scaleway_account_project.default.id] + permission_set_names = ["FunctionsPrivateAccess"] + } +} +resource "scaleway_iam_api_key" "api_key" { + application_id = scaleway_iam_application.func_auth.id +} + +# Function resources +resource "scaleway_function_namespace" "private" { + name = "private-function-namespace" +} +resource "scaleway_function" "private" { + namespace_id = scaleway_function_namespace.private.id + runtime = "go124" + handler = "Handle" + privacy = "private" + zip_file = "function.zip" + zip_hash = filesha256("function.zip") + deploy = true +} + +# Output the secret key and the function's endpoint for the curl command +output "secret_key" { + value = scaleway_iam_api_key.api_key.secret_key + sensitive = true +} +output "function_endpoint" { + value = scaleway_function.private.domain_name +} +``` + +Then you can access your private function using the API key: + +```shell +$ curl -H "X-Auth-Token: $(terraform output -raw secret_key)" \ + "https://$(terraform output -raw function_endpoint)/" +``` + +Keep in mind that you should revoke your legacy JWT tokens to ensure maximum security. + ## Argument Reference The following arguments are supported: diff --git a/templates/resources/function_token.md.tmpl b/templates/resources/function_token.md.tmpl index 5008aec827..fa2fcea0e9 100644 --- a/templates/resources/function_token.md.tmpl +++ b/templates/resources/function_token.md.tmpl 
@@ -6,6 +6,9 @@ page_title: "Scaleway: scaleway_function_token" # Resource: scaleway_function_token +~> **Important:** The resource `scaleway_function_token` has been deprecated and will no longer be supported in v1 of the API. +Please use IAM authentication instead. You will find an implementation example in the [IAM authentication](function.md#managing-authentication-of-private-functions-with-iam) section of the Function documentation. + The `scaleway_function_token` resource allows you to create and manage authentication tokens for Scaleway [Serverless Functions](https://www.scaleway.com/en/docs/serverless/functions/). Refer to the Functions tokens [documentation](https://www.scaleway.com/en/docs/serverless/functions/how-to/create-auth-token-from-console/) and [API documentation](https://www.scaleway.com/en/developers/api/serverless-functions/#path-tokens-list-all-tokens) for more information.