Request for Resource & Data Source for management of API Tokens #302

Open
davidfisher01 opened this issue Apr 18, 2024 · 5 comments

@davidfisher01

Hey guys,

It would be useful to be able to provision new API tokens through a Terraform resource and retrieve them in code. Right now you can only create them manually through the integrations UI.

It would be nice if the tokens had a tag or name that can be referenced instead of just having a description.

Thanks!

@rocktavious
Collaborator

Hey @davidfisher01, thanks for the suggestion. I do have a few questions for you.

1.) Would you expect to be able to provision the API token without first having an API token set in your Terraform provider?
1a.) What user should the API token be associated with once it's created?
2.) What is the actual concrete use case you have for needing to provision new API tokens programmatically?
3.) What would you expect the datasource to return - the actual API token of an existing one created in your account?
4.) How do you intend to securely store these API tokens?

I look forward to your answers.

@davidfisher01
Author

Our specific use case stems from managing a significant amount of these integrations with an API token per GitHub organization roughly, so there are a ton of these tokens that we would rather automate and incorporate into our infrastructure. I would expect the user to be able to provision a new token without one existing already in its place via a new resource. The "created by" user can be attributed to either the admin team or just referencing "Terraform", and there can be certain values set on the resource that can define that as well. I would expect the datasource to return the token based off of a tag that the datasource is keying off from. All of the tokens we have are additionally placed in Vault for storage and access control purposes.

@rocktavious
Collaborator

@davidfisher01
"I would expect the user to be able to provision a new token without one existing already in its place via a new resource."

Our API doesn't know who you are unless you send along an API token with the request (because the API serves a multi-tenant SaaS application). So if getting a token from an un-authed context is your need then we simply cannot achieve this with our API architecture today (and honestly being able to arbitrarily provision API tokens without being auth'd is a massive security hole).

If you are ok with having to provision at least 1 API token manually and hand that to the Terraform provider so that it can make additional API tokens, then that is something we can get behind (though it gets complicated with RBAC scopes). Unfortunately I have no idea when our API team would be able to get to that though.

@davidfisher01
Author

Sorry, that is exactly what I meant. "If you are ok with having to provision at least 1 API token manually and hand that to the terraform provider so that it can make additional API tokens".

@rocktavious
Collaborator

Ok @davidfisher01 - Thanks for all the info. I've taken this back to our API product manager as a feature request.
