Enable service account authentication

[adezxc]

Original issue: #995

Depends on: vmware/go-vcloud-director#562

This PR adds a service_account field to the provider schema that allows providing a file containing a Service Account API token as described in the blog post.

For now it only supports using Service Accounts in Active Stage and the overall implementation is not set in stone, as maybe there are better solutions.

[adezxc]

Reminder to not forget about changelog entry, either in v3.9.0 or v3.10.0

[lvirbalas]

Unless, I missed it, we need more docs :)

[Didainius]

It might be convenient to provide a similar script (https://registry.terraform.io/providers/vmware/vcd/latest/docs#shell-script-to-obtain-a-bearer-token) to get the Service Account active.

I also have a consideration that maybe it would be less friction to accept initial token as an attribute in provider section and do token rotation in file further.

[adezxc]

It might be convenient to provide a similar script (https://registry.terraform.io/providers/vmware/vcd/latest/docs#shell-script-to-obtain-a-bearer-token) to get the Service Account active.

I created the script create_service_account.sh which goes from creation to active stage, but it's a 100 lines, so it's probably sub optimal to put it in the documentation and a link to the file could be given instead?

I also have a consideration that maybe it would be less friction to accept initial token as an attribute in provider section and do token rotation in file further.

I agree that it's less friction for the user, but is there a nice way of making it work? How would the provider know about the file the next time it is run? Also I feel like having files as the default just provides more flexibility to the user as to how they would want to make use multiple service account tokens

[Didainius]

I created the script create_service_account.sh which goes from creation to active stage, but it's a 100 lines, so it's probably sub optimal to put it in the documentation and a link to the file could be given instead?

Yes. It could probably live in examples subdirectory. We may think of a guide page in future how to use service accounts, but this is good for now.

The script itself is great - thanks. IMO this makes it so much easier to start with service accounts for those who don't have any infrastructure around them. My only wish (up to discussion) is probably to add -s to curl commands so that it doesn't spit out these:

nter VCD Role in URN format (e.g. urn:vcloud:role:System%20Administrator):
urn:vcloud:role:System%20Administrator
Enter software version (optional):
1
Enter client URI (optional):

Creating service account...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   483    0   313  100   170    345    187 --:--:-- --:--:-- --:--:--   536

I agree that it's less friction for the user, but is there a nice way of making it work? How would the provider know about the file the next time it is run? Also I feel like having files as the default just provides more flexibility to the user as to how they would want to make use multiple service account tokens

Agreed. Can live like that and then see if there is any demand to shape it in future

[adambarreiro]

Nice work!

[Didainius]

Token rotation and script to get service account worked in my testing.
Good to approve without an actual test because we do not have Go code to handle service account creation at the moment