Description
The stackit_telemetry_router_access_token data source does not expose the actual access token value.
This makes the data source difficult to use in practice, because the main downstream resource that needs the token is the Telemetry Link. The Telemetry Link resource has an access_token argument, but the access token data source only returns metadata such as creator_id, description, display_name, expiration_time, id, and status.
As a result, the token cannot be referenced directly from Terraform and must be stored separately, for example in a vault or secret manager, even though a dedicated data source for the access token exists.
Steps to reproduce
data "stackit_telemetry_router_access_token" "example" {
project_id = var.project_id
region = var.region
telemetry_router_id = stackit_telemetry_router.example.id
access_token_id = var.access_token_id
}
resource "stackit_telemetry_link" "example" {
display_name = "example-telemetry-link"
resource_id = var.project_id
resource_type = "project"
telemetry_router_id = stackit_telemetry_router.example.id
access_token = data.stackit_telemetry_router_access_token.example.access_token
}
- Create or import a Telemetry Router access token.
- Try to read the token through the
stackit_telemetry_router_access_token data source.
- Try to use the returned token value in
stackit_telemetry_link.access_token.
Actual behavior
The stackit_telemetry_router_access_token data source returns only metadata fields:
creator_id
description
display_name
expiration_time
id
status
The actual token value is not exposed.
Because of that, the following reference is not possible:
access_token = data.stackit_telemetry_router_access_token.example.access_token
This means the data source cannot be used to provide the token to the Telemetry Link resource.
Additionally, the access_token argument on the Telemetry Link resource is documented as optional. It is unclear why this is optional, because the Telemetry Link appears to require an access token to authenticate against the Telemetry Router.
Expected behavior
The access token data source should expose the actual token value as a sensitive attribute, for example:
access_token = data.stackit_telemetry_router_access_token.example.access_token
The attribute should be marked as sensitive.
Expected schema example:
access_token = sensitive(string)
This would allow the Telemetry Link resource to consume the token directly without requiring external secret storage only to work around the missing attribute.
The Telemetry Link documentation should also clarify whether access_token is truly optional. If the token is required for a working Telemetry Link, the argument should either be marked as required or the documentation should explain in which cases it can be omitted.
Environment
- OS: Windows / Linux
- Terraform version: latest
- Version of the STACKIT Terraform provider: latest
Additional information
The current behavior forces users to store the access token separately in an external secret store, even though the provider already contains a dedicated access token data source.
This makes the workflow more complex than necessary and reduces the practical value of the data source.
Main clarification points:
- Why does the access token data source not expose the actual token value as a sensitive attribute?
- Is
access_token on the Telemetry Link resource really optional?
- If it is optional, in which scenario can a Telemetry Link be created without providing an access token?
Description
The
stackit_telemetry_router_access_tokendata source does not expose the actual access token value.This makes the data source difficult to use in practice, because the main downstream resource that needs the token is the Telemetry Link. The Telemetry Link resource has an
access_tokenargument, but the access token data source only returns metadata such ascreator_id,description,display_name,expiration_time,id, andstatus.As a result, the token cannot be referenced directly from Terraform and must be stored separately, for example in a vault or secret manager, even though a dedicated data source for the access token exists.
Steps to reproduce
stackit_telemetry_router_access_tokendata source.stackit_telemetry_link.access_token.Actual behavior
The
stackit_telemetry_router_access_tokendata source returns only metadata fields:creator_iddescriptiondisplay_nameexpiration_timeidstatusThe actual token value is not exposed.
Because of that, the following reference is not possible:
This means the data source cannot be used to provide the token to the Telemetry Link resource.
Additionally, the
access_tokenargument on the Telemetry Link resource is documented as optional. It is unclear why this is optional, because the Telemetry Link appears to require an access token to authenticate against the Telemetry Router.Expected behavior
The access token data source should expose the actual token value as a sensitive attribute, for example:
The attribute should be marked as sensitive.
Expected schema example:
This would allow the Telemetry Link resource to consume the token directly without requiring external secret storage only to work around the missing attribute.
The Telemetry Link documentation should also clarify whether
access_tokenis truly optional. If the token is required for a working Telemetry Link, the argument should either be marked as required or the documentation should explain in which cases it can be omitted.Environment
Additional information
The current behavior forces users to store the access token separately in an external secret store, even though the provider already contains a dedicated access token data source.
This makes the workflow more complex than necessary and reduces the practical value of the data source.
Main clarification points:
access_tokenon the Telemetry Link resource really optional?