deprecate function token and document new auth with IAM (#3534)

Mia-Cross · web-flow · commit 53d28055649c · 2025-12-15T16:49:53.000Z
diff --git a/docs/resources/function.md b/docs/resources/function.md
@@ -23,7 +23,7 @@ resource "scaleway_function_namespace" "main" {
 
 resource "scaleway_function" "main" {
   namespace_id = scaleway_function_namespace.main.id
-  runtime      = "go118"
+  runtime      = "go124"
   handler      = "Handle"
   privacy      = "private"
 }
@@ -43,7 +43,7 @@ resource "scaleway_function" "main" {
   namespace_id = scaleway_function_namespace.main.id
   description  = "function with zip file"
   tags         = ["tag1", "tag2"]
-  runtime      = "go118"
+  runtime      = "go124"
   handler      = "Handle"
   privacy      = "private"
   timeout      = 10
@@ -53,6 +53,62 @@ resource "scaleway_function" "main" {
 }
 ```
 
+### Managing authentication of private functions with IAM
+
+```terraform
+# Project to be referenced in the IAM policy
+data "scaleway_account_project" "default" {
+  name = "default"
+}
+
+# IAM resources
+resource "scaleway_iam_application" "func_auth" {
+  name = "function-auth"
+}
+resource "scaleway_iam_policy" "access_private_funcs" {
+  application_id = scaleway_iam_application.func_auth.id
+  rule {
+    project_ids = [data.scaleway_account_project.default.id]
+    permission_set_names = ["FunctionsPrivateAccess"]
+  }
+}
+resource "scaleway_iam_api_key" "api_key" {
+  application_id = scaleway_iam_application.func_auth.id
+}
+
+# Function resources
+resource "scaleway_function_namespace" "private" {
+  name        = "private-function-namespace"
+}
+resource "scaleway_function" "private" {
+  namespace_id = scaleway_function_namespace.private.id
+  runtime      = "go124"
+  handler      = "Handle"
+  privacy      = "private"
+  zip_file     = "function.zip"
+  zip_hash     = filesha256("function.zip")
+  deploy       = true
+}
+
+# Output the secret key and the function's endpoint for the curl command
+output "secret_key" {
+  value = scaleway_iam_api_key.api_key.secret_key
+  sensitive = true
+}
+output "function_endpoint" {
+  value = scaleway_function.private.domain_name
+}
+```
+
+Then you can access your private function using the API key:
+
+```shell
+$ curl -H "X-Auth-Token: $(terraform output -raw secret_key)" \
+  "https://$(terraform output -raw function_endpoint)/"
+```
+
+Keep in mind that you should revoke your legacy JWT tokens to ensure maximum security.
+
 ## Argument Reference
 
 The following arguments are supported:
diff --git a/docs/resources/function_token.md b/docs/resources/function_token.md
@@ -5,6 +5,9 @@ page_title: "Scaleway: scaleway_function_token"
 
 # Resource: scaleway_function_token
 
+~> **Important:** The resource `scaleway_function_token` has been deprecated and will no longer be supported in v1 of the API.
+Please use IAM authentication instead. You will find an implementation example in the [IAM authentication](function.md#managing-authentication-of-private-functions-with-iam) section of the Function documentation.
+
 The `scaleway_function_token` resource allows you to create and manage authentication tokens for Scaleway [Serverless Functions](https://www.scaleway.com/en/docs/serverless/functions/).
 
 Refer to the Functions tokens [documentation](https://www.scaleway.com/en/docs/serverless/functions/how-to/create-auth-token-from-console/) and [API documentation](https://www.scaleway.com/en/developers/api/serverless-functions/#path-tokens-list-all-tokens) for more information.
diff --git a/internal/services/function/token.go b/internal/services/function/token.go
@@ -20,9 +20,10 @@ import (
 
 func ResourceToken() *schema.Resource {
 	return &schema.Resource{
-		CreateContext: ResourceFunctionTokenCreate,
-		ReadContext:   ResourceFunctionTokenRead,
-		DeleteContext: ResourceFunctionTokenDelete,
+		CreateContext:      ResourceFunctionTokenCreate,
+		ReadContext:        ResourceFunctionTokenRead,
+		DeleteContext:      ResourceFunctionTokenDelete,
+		DeprecationMessage: "The \"scaleway_function_token\" resource is deprecated in favor of IAM authentication",
 		Importer: &schema.ResourceImporter{
 			StateContext: schema.ImportStatePassthroughContext,
 		},
diff --git a/templates/resources/function.md.tmpl b/templates/resources/function.md.tmpl
@@ -24,7 +24,7 @@ resource "scaleway_function_namespace" "main" {
 
 resource "scaleway_function" "main" {
   namespace_id = scaleway_function_namespace.main.id
-  runtime      = "go118"
+  runtime      = "go124"
   handler      = "Handle"
   privacy      = "private"
 }
@@ -44,7 +44,7 @@ resource "scaleway_function" "main" {
   namespace_id = scaleway_function_namespace.main.id
   description  = "function with zip file"
   tags         = ["tag1", "tag2"]
-  runtime      = "go118"
+  runtime      = "go124"
   handler      = "Handle"
   privacy      = "private"
   timeout      = 10
@@ -54,6 +54,62 @@ resource "scaleway_function" "main" {
 }
 ```
 
+### Managing authentication of private functions with IAM
+
+```terraform
+# Project to be referenced in the IAM policy
+data "scaleway_account_project" "default" {
+  name = "default"
+}
+
+# IAM resources
+resource "scaleway_iam_application" "func_auth" {
+  name = "function-auth"
+}
+resource "scaleway_iam_policy" "access_private_funcs" {
+  application_id = scaleway_iam_application.func_auth.id
+  rule {
+    project_ids = [data.scaleway_account_project.default.id]
+    permission_set_names = ["FunctionsPrivateAccess"]
+  }
+}
+resource "scaleway_iam_api_key" "api_key" {
+  application_id = scaleway_iam_application.func_auth.id
+}
+
+# Function resources
+resource "scaleway_function_namespace" "private" {
+  name        = "private-function-namespace"
+}
+resource "scaleway_function" "private" {
+  namespace_id = scaleway_function_namespace.private.id
+  runtime      = "go124"
+  handler      = "Handle"
+  privacy      = "private"
+  zip_file     = "function.zip"
+  zip_hash     = filesha256("function.zip")
+  deploy       = true
+}
+
+# Output the secret key and the function's endpoint for the curl command
+output "secret_key" {
+  value = scaleway_iam_api_key.api_key.secret_key
+  sensitive = true
+}
+output "function_endpoint" {
+  value = scaleway_function.private.domain_name
+}
+```
+
+Then you can access your private function using the API key:
+
+```shell
+$ curl -H "X-Auth-Token: $(terraform output -raw secret_key)" \
+  "https://$(terraform output -raw function_endpoint)/"
+```
+
+Keep in mind that you should revoke your legacy JWT tokens to ensure maximum security.
+
 ## Argument Reference
 
 The following arguments are supported:
diff --git a/templates/resources/function_token.md.tmpl b/templates/resources/function_token.md.tmpl
@@ -6,6 +6,9 @@ page_title: "Scaleway: scaleway_function_token"
 
 # Resource: scaleway_function_token
 
+~> **Important:** The resource `scaleway_function_token` has been deprecated and will no longer be supported in v1 of the API.
+Please use IAM authentication instead. You will find an implementation example in the [IAM authentication](function.md#managing-authentication-of-private-functions-with-iam) section of the Function documentation.
+
 The `scaleway_function_token` resource allows you to create and manage authentication tokens for Scaleway [Serverless Functions](https://www.scaleway.com/en/docs/serverless/functions/).
 
 Refer to the Functions tokens [documentation](https://www.scaleway.com/en/docs/serverless/functions/how-to/create-auth-token-from-console/) and [API documentation](https://www.scaleway.com/en/developers/api/serverless-functions/#path-tokens-list-all-tokens) for more information.
