deprecate container token and document new auth with IAM

Author: Mia-Cross

docs/resources/container.md

@@ -48,6 +48,60 @@ resource "scaleway_container" "main" {
 }
 ```
 
+### Managing authentication of private containers with IAM
+
+```terraform
+# Project to be referenced in the IAM policy
+data "scaleway_account_project" "default" {
+  name = "default"
+}
+
+# IAM resources
+resource "scaleway_iam_application" "container_auth" {
+  name = "container-auth"
+}
+resource "scaleway_iam_policy" "access_private_containers" {
+  application_id = scaleway_iam_application.container_auth.id
+  rule {
+    project_ids          = [data.scaleway_account_project.default.id]
+    permission_set_names = ["ContainersPrivateAccess"]
+  }
+}
+resource "scaleway_iam_api_key" "api_key" {
+  application_id = scaleway_iam_application.container_auth.id
+}
+
+# Container resources
+resource "scaleway_container_namespace" "private" {
+  name = "private-container-namespace"
+}
+resource "scaleway_container" "private" {
+  namespace_id   = scaleway_container_namespace.private.id
+  registry_image = "rg.fr-par.scw.cloud/my-registry-ns/my-image:latest"
+  privacy        = "private"
+  deploy         = true
+}
+
+# Output the secret key and the container's endpoint for the curl command
+output "secret_key" {
+  value     = scaleway_iam_api_key.api_key.secret_key
+  sensitive = true
+}
+output "container_endpoint" {
+  value = scaleway_container.private.domain_name
+}
+
+```
+
+Then you can access your private container using the API key:
+
+```shell
+$ curl -H "X-Auth-Token: $(terraform output -raw secret_key)" \
+  "https://$(terraform output -raw container_endpoint)/"
+```
+
+Keep in mind that you should revoke your legacy JWT tokens to ensure maximum security.
+
 ## Argument Reference
 
 The following arguments are supported:

docs/resources/container_token.md

@@ -5,6 +5,9 @@ page_title: "Scaleway: scaleway_container_token"
 
 # Resource: scaleway_container_token
 
+> **Important:** The resource `scaleway_container_token` has been deprecated and will no longer be supported in v1 of the API.
+Please use IAM authentication instead. You will find an implementation example in the [IAM authentication](container.md#managing-authentication-of-private-containers-with-iam) section of the Container documentation.
+
 The `scaleway_container_token` resource allows you to create and manage authentication tokens for Scaleway [Serverless Containers](https://www.scaleway.com/en/docs/serverless/containers/).
 
 Refer to the Containers tokens [documentation](https://www.scaleway.com/en/docs/serverless/containers/how-to/create-auth-token-from-console/) and [API documentation](https://www.scaleway.com/en/developers/api/serverless-containers/#path-tokens-list-all-tokens) for more information.

internal/services/container/token.go

@@ -18,9 +18,10 @@ import (
 
 func ResourceToken() *schema.Resource {
 	return &schema.Resource{
-		CreateContext: ResourceContainerTokenCreate,
-		ReadContext:   ResourceContainerTokenRead,
-		DeleteContext: ResourceContainerTokenDelete,
+		CreateContext:      ResourceContainerTokenCreate,
+		ReadContext:        ResourceContainerTokenRead,
+		DeleteContext:      ResourceContainerTokenDelete,
+		DeprecationMessage: "The \"scaleway_container_token\" resource is deprecated in favor of IAM authentication",
 		Importer: &schema.ResourceImporter{
 			StateContext: schema.ImportStatePassthroughContext,
 		},

templates/resources/container.md.tmpl

@@ -49,6 +49,60 @@ resource "scaleway_container" "main" {
 }
 ```
 
+### Managing authentication of private containers with IAM
+
+```terraform
+# Project to be referenced in the IAM policy
+data "scaleway_account_project" "default" {
+  name = "default"
+}
+
+# IAM resources
+resource "scaleway_iam_application" "container_auth" {
+  name = "container-auth"
+}
+resource "scaleway_iam_policy" "access_private_containers" {
+  application_id = scaleway_iam_application.container_auth.id
+  rule {
+    project_ids          = [data.scaleway_account_project.default.id]
+    permission_set_names = ["ContainersPrivateAccess"]
+  }
+}
+resource "scaleway_iam_api_key" "api_key" {
+  application_id = scaleway_iam_application.container_auth.id
+}
+
+# Container resources
+resource "scaleway_container_namespace" "private" {
+  name = "private-container-namespace"
+}
+resource "scaleway_container" "private" {
+  namespace_id   = scaleway_container_namespace.private.id
+  registry_image = "rg.fr-par.scw.cloud/my-registry-ns/my-image:latest"
+  privacy        = "private"
+  deploy         = true
+}
+
+# Output the secret key and the container's endpoint for the curl command
+output "secret_key" {
+  value     = scaleway_iam_api_key.api_key.secret_key
+  sensitive = true
+}
+output "container_endpoint" {
+  value = scaleway_container.private.domain_name
+}
+
+```
+
+Then you can access your private container using the API key:
+
+```shell
+$ curl -H "X-Auth-Token: $(terraform output -raw secret_key)" \
+  "https://$(terraform output -raw container_endpoint)/"
+```
+
+Keep in mind that you should revoke your legacy JWT tokens to ensure maximum security.
+
 ## Argument Reference
 
 The following arguments are supported:

templates/resources/container_token.md.tmpl

@@ -6,6 +6,9 @@ page_title: "Scaleway: scaleway_container_token"
 
 # Resource: scaleway_container_token
 
+> **Important:** The resource `scaleway_container_token` has been deprecated and will no longer be supported in v1 of the API.
+Please use IAM authentication instead. You will find an implementation example in the [IAM authentication](container.md#managing-authentication-of-private-containers-with-iam) section of the Container documentation.
+
 The `scaleway_container_token` resource allows you to create and manage authentication tokens for Scaleway [Serverless Containers](https://www.scaleway.com/en/docs/serverless/containers/).
 
 Refer to the Containers tokens [documentation](https://www.scaleway.com/en/docs/serverless/containers/how-to/create-auth-token-from-console/) and [API documentation](https://www.scaleway.com/en/developers/api/serverless-containers/#path-tokens-list-all-tokens) for more information.