Problem
Currently the fusionauth terraform provider fusionauth_api_key definition is only able to be scoped to a tenant_id, not to any lambdas.
Solution
Ideally I'd like for the fusionauth_api_key definition to be extended so that in addition to having a tenant_id that the key is scoped to, we can scope it to a set of lambda_ids, e.g. with this syntax:
```hcl
resource "fusionauth_api_key" "group_endpoint" {
  tenant_id   = fusionauth_tenant.main.id
  lambda_ids  = [fusionauth_lambda.gmd_jwt_populate.id]
  description = "FusionAuth API Key to be used for lambdas associated with this tenant"

  permissions_endpoints {
    endpoint = "/api/group"
    get      = true
    delete   = true
    patch    = true
    post     = true
    put      = true
  }
}
```
Then this API key would only be used for a specific tenant and for specific lambdas, and the key would be available in the environment configuration for the lambda itself.
Alternatives/workarounds
Alternatively to the approach above, it might be better to only allow one resource per API key, but the following would be a breaking change, since resource_type would be required (defaults to Tenant, but would allow Lambda) and resource_id would hold the id.
Allow fusionauth_api_key to be scoped to lambdas
Additional context
We are using the fusionauth terraform provider, so that's why the examples above are referring to that.
Repo: https://github.com/FusionAuth/terraform-provider-fusionauth
Docs: https://registry.terraform.io/providers/fusionauth/fusionauth/latest/docs/resources/api_key
Community guidelines
All issues filed in this repository must abide by the FusionAuth community guidelines.
How to vote
Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.