service-accounts: add jwts, better handling of user id (#26)

Author: calebdoxsey

internal/provider/models.go

@@ -2,10 +2,12 @@ package provider
 
 import (
 	"context"
+	"strings"
 	"time"
 
 	"github.com/hashicorp/terraform-plugin-framework/diag"
 	"github.com/hashicorp/terraform-plugin-framework/types"
+
 	"github.com/pomerium/enterprise-client-go/pb"
 )
 
@@ -17,31 +19,34 @@ type ServiceAccountModel struct {
 	Description types.String `tfsdk:"description"`
 	UserID      types.String `tfsdk:"user_id"`
 	ExpiresAt   types.String `tfsdk:"expires_at"`
+	JWT         types.String `tfsdk:"jwt"`
 }
 
 func ConvertServiceAccountToPB(_ context.Context, src *ServiceAccountResourceModel) (*pb.PomeriumServiceAccount, diag.Diagnostics) {
-	var diagnostics diag.Diagnostics
+	var diags diag.Diagnostics
 
-	namespaceID := src.NamespaceID.ValueString()
 	pbServiceAccount := &pb.PomeriumServiceAccount{
-		Id:          src.ID.ValueString(),
-		UserId:      src.Name.ValueString(),
-		NamespaceId: &namespaceID,
+		Id:     src.ID.ValueString(),
+		UserId: src.Name.ValueString(),
+	}
+
+	if src.NamespaceID.ValueString() != "" {
+		pbServiceAccount.NamespaceId = src.NamespaceID.ValueStringPointer()
 	}
 
 	if !src.Description.IsNull() {
 		desc := src.Description.ValueString()
 		pbServiceAccount.Description = &desc
 	}
 
-	return pbServiceAccount, diagnostics
+	return pbServiceAccount, diags
 }
 
 func ConvertServiceAccountFromPB(dst *ServiceAccountResourceModel, src *pb.PomeriumServiceAccount) diag.Diagnostics {
 	var diagnostics diag.Diagnostics
 
 	dst.ID = types.StringValue(src.Id)
-	dst.Name = types.StringValue(src.UserId)
+	dst.Name = types.StringValue(strings.TrimSuffix(src.UserId, "@"+src.GetNamespaceId()+".pomerium"))
 	if src.NamespaceId != nil {
 		dst.NamespaceID = types.StringValue(*src.NamespaceId)
 	} else {

internal/provider/service_account.go

@@ -50,24 +50,40 @@ func (r *ServiceAccountResource) Schema(_ context.Context, _ resource.SchemaRequ
 			},
 			"name": schema.StringAttribute{
 				Description: "Name of the service account.",
-				Required:    true,
+				Optional:    true,
+				Computed:    true,
+				PlanModifiers: []planmodifier.String{
+					stringplanmodifier.RequiresReplace(),
+				},
 			},
 			"namespace_id": schema.StringAttribute{
 				Description: "ID of the namespace the service account belongs to.",
-				Required:    true,
+				Optional:    true,
+				Computed:    true,
+				PlanModifiers: []planmodifier.String{
+					stringplanmodifier.RequiresReplace(),
+				},
 			},
 			"description": schema.StringAttribute{
 				Description: "Description of the service account.",
 				Optional:    true,
 			},
 			"user_id": schema.StringAttribute{
-				Computed:    true,
 				Description: "User ID associated with the service account.",
+				Computed:    true,
 			},
 			"expires_at": schema.StringAttribute{
 				Computed:    true,
 				Description: "Timestamp when the service account expires.",
 			},
+			"jwt": schema.StringAttribute{
+				Computed:    true,
+				Sensitive:   true,
+				Description: "The Service Account JWT used for authentication. This is only populated when creating a new service account.",
+				PlanModifiers: []planmodifier.String{
+					stringplanmodifier.UseStateForUnknown(),
+				},
+			},
 		},
 	}
 }
@@ -111,7 +127,13 @@ func (r *ServiceAccountResource) Create(ctx context.Context, req resource.Create
 		return
 	}
 
-	plan.ID = types.StringValue(respServiceAccount.ServiceAccount.Id)
+	diags = ConvertServiceAccountFromPB(&plan, respServiceAccount.ServiceAccount)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	plan.JWT = types.StringValue(respServiceAccount.JWT)
 
 	tflog.Trace(ctx, "Created a service account", map[string]interface{}{
 		"id":   plan.ID.ValueString(),