Update condition if token is closed to expiry will create new one

README.md

@@ -1 +0,0 @@
-# terraform-provider-bitbucket

go.mod

@@ -0,0 +1,30 @@
+module terraform-provider-bitbucket-token
+
+go 1.24.0
+
+require github.com/hashicorp/terraform-plugin-framework v1.16.1
+
+require (
+	github.com/fatih/color v1.18.0 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/hashicorp/go-hclog v1.6.3 // indirect
+	github.com/hashicorp/go-plugin v1.7.0 // indirect
+	github.com/hashicorp/go-uuid v1.0.3 // indirect
+	github.com/hashicorp/terraform-plugin-go v0.29.0 // indirect
+	github.com/hashicorp/terraform-plugin-log v0.9.0 // indirect
+	github.com/hashicorp/terraform-registry-address v0.4.0 // indirect
+	github.com/hashicorp/terraform-svchost v0.1.1 // indirect
+	github.com/hashicorp/yamux v0.1.2 // indirect
+	github.com/mattn/go-colorable v0.1.14 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
+	github.com/oklog/run v1.2.0 // indirect
+	github.com/vmihailenco/msgpack/v5 v5.4.1 // indirect
+	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
+	golang.org/x/net v0.46.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/text v0.30.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251103181224-f26f9409b101 // indirect
+	google.golang.org/grpc v1.76.0 // indirect
+	google.golang.org/protobuf v1.36.10 // indirect
+)

go.sum

@@ -0,0 +1,97 @@
+github.com/bufbuild/protocompile v0.14.1 h1:iA73zAf/fyljNjQKwYzUHD6AD4R8KMasmwa/FBatYVw=
+github.com/bufbuild/protocompile v0.14.1/go.mod h1:ppVdAIhbr2H8asPk6k4pY7t9zB1OU5DoEw9xY/FUi1c=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
+github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
+github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k=
+github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
+github.com/hashicorp/go-plugin v1.7.0 h1:YghfQH/0QmPNc/AZMTFE3ac8fipZyZECHdDPshfk+mA=
+github.com/hashicorp/go-plugin v1.7.0/go.mod h1:BExt6KEaIYx804z8k4gRzRLEvxKVb+kn0NMcihqOqb8=
+github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
+github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/hashicorp/terraform-plugin-framework v1.16.1 h1:1+zwFm3MEqd/0K3YBB2v9u9DtyYHyEuhVOfeIXbteWA=
+github.com/hashicorp/terraform-plugin-framework v1.16.1/go.mod h1:0xFOxLy5lRzDTayc4dzK/FakIgBhNf/lC4499R9cV4Y=
+github.com/hashicorp/terraform-plugin-go v0.29.0 h1:1nXKl/nSpaYIUBU1IG/EsDOX0vv+9JxAltQyDMpq5mU=
+github.com/hashicorp/terraform-plugin-go v0.29.0/go.mod h1:vYZbIyvxyy0FWSmDHChCqKvI40cFTDGSb3D8D70i9GM=
+github.com/hashicorp/terraform-plugin-log v0.9.0 h1:i7hOA+vdAItN1/7UrfBqBwvYPQ9TFvymaRGZED3FCV0=
+github.com/hashicorp/terraform-plugin-log v0.9.0/go.mod h1:rKL8egZQ/eXSyDqzLUuwUYLVdlYeamldAHSxjUFADow=
+github.com/hashicorp/terraform-registry-address v0.4.0 h1:S1yCGomj30Sao4l5BMPjTGZmCNzuv7/GDTDX99E9gTk=
+github.com/hashicorp/terraform-registry-address v0.4.0/go.mod h1:LRS1Ay0+mAiRkUyltGT+UHWkIqTFvigGn/LbMshfflE=
+github.com/hashicorp/terraform-svchost v0.1.1 h1:EZZimZ1GxdqFRinZ1tpJwVxxt49xc/S52uzrw4x0jKQ=
+github.com/hashicorp/terraform-svchost v0.1.1/go.mod h1:mNsjQfZyf/Jhz35v6/0LWcv26+X7JPS+buii2c9/ctc=
+github.com/hashicorp/yamux v0.1.2 h1:XtB8kyFOyHXYVFnwT5C3+Bdo8gArse7j2AQ0DA0Uey8=
+github.com/hashicorp/yamux v0.1.2/go.mod h1:C+zze2n6e/7wshOZep2A70/aQU6QBRWJO/G6FT1wIns=
+github.com/jhump/protoreflect v1.17.0 h1:qOEr613fac2lOuTgWN4tPAtLL7fUSbuJL5X5XumQh94=
+github.com/jhump/protoreflect v1.17.0/go.mod h1:h9+vUUL38jiBzck8ck+6G/aeMX8Z4QUY/NiJPwPNi+8=
+github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
+github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
+github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
+github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
+github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
+github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mitchellh/go-testing-interface v1.14.1 h1:jrgshOhYAUVNMAJiKbEu7EqAwgJJ2JqpQmpLJOu07cU=
+github.com/mitchellh/go-testing-interface v1.14.1/go.mod h1:gfgS7OtZj6MA4U1UrDRp04twqAjfvlZyCfX3sDjEym8=
+github.com/oklog/run v1.2.0 h1:O8x3yXwah4A73hJdlrwo/2X6J62gE5qTMusH0dvz60E=
+github.com/oklog/run v1.2.0/go.mod h1:mgDbKRSwPhJfesJ4PntqFUbKQRZ50NgmZTSPlFA0YFk=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/vmihailenco/msgpack/v5 v5.4.1 h1:cQriyiUvjTwOHg8QZaPihLWeRAAVoCpE00IUPn0Bjt8=
+github.com/vmihailenco/msgpack/v5 v5.4.1/go.mod h1:GaZTsDaehaPpQVyxrf5mtQlH+pc21PIudVV/E3rRQok=
+github.com/vmihailenco/tagparser/v2 v2.0.0 h1:y09buUbR+b5aycVFQs/g70pqKVZNBmxwAhO7/IwNM9g=
+github.com/vmihailenco/tagparser/v2 v2.0.0/go.mod h1:Wri+At7QHww0WTrCBeu4J6bNtoV6mEfg5OIWRZA9qds=
+go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
+go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
+go.opentelemetry.io/otel v1.37.0 h1:9zhNfelUvx0KBfu/gb+ZgeAfAgtWrfHJZcAqFC228wQ=
+go.opentelemetry.io/otel v1.37.0/go.mod h1:ehE/umFRLnuLa/vSccNq9oS1ErUlkkK71gMcN34UG8I=
+go.opentelemetry.io/otel/metric v1.37.0 h1:mvwbQS5m0tbmqML4NqK+e3aDiO02vsf/WgbsdpcPoZE=
+go.opentelemetry.io/otel/metric v1.37.0/go.mod h1:04wGrZurHYKOc+RKeye86GwKiTb9FKm1WHtO+4EVr2E=
+go.opentelemetry.io/otel/sdk v1.37.0 h1:ItB0QUqnjesGRvNcmAcU0LyvkVyGJ2xftD29bWdDvKI=
+go.opentelemetry.io/otel/sdk v1.37.0/go.mod h1:VredYzxUvuo2q3WRcDnKDjbdvmO0sCzOvVAiY+yUkAg=
+go.opentelemetry.io/otel/sdk/metric v1.37.0 h1:90lI228XrB9jCMuSdA0673aubgRobVZFhbjxHHspCPc=
+go.opentelemetry.io/otel/sdk/metric v1.37.0/go.mod h1:cNen4ZWfiD37l5NhS+Keb5RXVWZWpRE+9WyVCpbo5ps=
+go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4=
+go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0=
+golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4=
+golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210=
+golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k=
+golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM=
+gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
+gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251103181224-f26f9409b101 h1:tRPGkdGHuewF4UisLzzHHr1spKw92qLM98nIzxbC0wY=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251103181224-f26f9409b101/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
+google.golang.org/grpc v1.76.0 h1:UnVkv1+uMLYXoIz6o7chp59WfQUYA2ex/BXQ9rHZu7A=
+google.golang.org/grpc v1.76.0/go.mod h1:Ju12QI8M6iQJtbcsV+awF5a4hfJMLi4X0JLo94ULZ6c=
+google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
+google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

main.go

@@ -0,0 +1,13 @@
+package main
+
+import (
+	"context"
+
+	"github.com/hashicorp/terraform-plugin-framework/providerserver"
+)
+
+func main() {
+	providerserver.Serve(context.Background(), NewProvider, providerserver.ServeOpts{
+		Address: "registry.terraform.io/ysoftdevs/bitbucket",
+	})
+}

provider.go

@@ -0,0 +1,91 @@
+package main
+
+import (
+	"context"
+
+	"github.com/hashicorp/terraform-plugin-framework/datasource"
+	"github.com/hashicorp/terraform-plugin-framework/provider"
+	"github.com/hashicorp/terraform-plugin-framework/provider/schema"
+	"github.com/hashicorp/terraform-plugin-framework/resource"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+)
+
+func NewProvider() provider.Provider {
+	return &bitbucketTokenProvider{}
+}
+
+type bitbucketTokenProvider struct{}
+
+type bitbucketTokenProviderModel struct {
+	AuthHeader    types.String `tfsdk:"auth_header"`
+	ServerURL     types.String `tfsdk:"server_url"`
+	TLSSkipVerify types.Bool   `tfsdk:"tls_skip_verify"`
+}
+
+func (p *bitbucketTokenProvider) Metadata(_ context.Context, _ provider.MetadataRequest, resp *provider.MetadataResponse) {
+	resp.TypeName = "bitbucket"
+}
+
+func (p *bitbucketTokenProvider) Schema(_ context.Context, _ provider.SchemaRequest, resp *provider.SchemaResponse) {
+	resp.Schema = schema.Schema{
+		Description: "Custom provider for Bitbucket token management.",
+		Attributes: map[string]schema.Attribute{
+			"auth_header": schema.StringAttribute{
+				Description: "Base64 encoded Basic Auth header or personal access token.",
+				Required:    true,
+				Sensitive:   true,
+			},
+			"server_url": schema.StringAttribute{
+				Description: "Base URL of the Bitbucket server (e.g. https://stash.example.com). Must not end with a slash.",
+				Required:    true,
+			},
+			"tls_skip_verify": schema.BoolAttribute{
+				Description: "If true, disables TLS certificate verification. Use only for testing or internal servers.",
+				Optional:    true,
+			},
+		},
+	}
+}
+
+func (p *bitbucketTokenProvider) Configure(ctx context.Context, req provider.ConfigureRequest, resp *provider.ConfigureResponse) {
+	var config bitbucketTokenProviderModel
+	resp.Diagnostics.Append(req.Config.Get(ctx, &config)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	if config.ServerURL.IsNull() || config.ServerURL.ValueString() == "" {
+		resp.Diagnostics.AddError(
+			"Missing server URL",
+			"The provider requires a 'server_url' to be specified.",
+		)
+		return
+	}
+
+	if config.AuthHeader.IsNull() || config.AuthHeader.ValueString() == "" {
+		resp.Diagnostics.AddError(
+			"Missing authentication header",
+			"The provider requires an 'auth_header' to be specified.",
+		)
+		return
+	}
+
+	providerData := &ProviderData{
+		AuthHeader:    config.AuthHeader.ValueString(),
+		ServerURL:     config.ServerURL.ValueString(),
+		TLSSkipVerify: config.TLSSkipVerify.ValueBool(), // <-- passes TLS flag through
+	}
+
+	resp.DataSourceData = providerData
+	resp.ResourceData = providerData
+}
+
+func (p *bitbucketTokenProvider) DataSources(_ context.Context) []func() datasource.DataSource {
+	return nil
+}
+
+func (p *bitbucketTokenProvider) Resources(_ context.Context) []func() resource.Resource {
+	return []func() resource.Resource{
+		NewBitbucketTokenResource,
+	}
+}

resource_token.go

@@ -0,0 +1,427 @@
+package main
+
+import (
+	"bytes"
+	"context"
+	"crypto/tls"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"time"
+
+	"github.com/hashicorp/terraform-plugin-framework/resource"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+)
+
+// ProviderData contains configuration passed from the provider to the resource.
+type ProviderData struct {
+	AuthHeader    string
+	ServerURL     string
+	TLSSkipVerify bool
+}
+
+// BitbucketTokenResource manages Bitbucket repository access tokens.
+type BitbucketTokenResource struct {
+	authHeader    string
+	serverURL     string
+	tlsSkipVerify bool
+}
+
+func NewBitbucketTokenResource() resource.Resource {
+	return &BitbucketTokenResource{}
+}
+
+// BitbucketTokenResourceModel maps Terraform schema attributes to Go fields.
+type BitbucketTokenResourceModel struct {
+	ID                 types.String `tfsdk:"id"`
+	TokenName          types.String `tfsdk:"token_name"` // prefix provided by user
+	ProjectName        types.String `tfsdk:"project_name"`
+	RepositoryName     types.String `tfsdk:"repository_name"`
+	Token              types.String `tfsdk:"token"`                // secret; returned only on creation; preserved from state
+	CurrentTokenName   types.String `tfsdk:"current_token_name"`   // actual token identifier (prefix-epoch)
+	CurrentTokenExpiry types.Int64  `tfsdk:"current_token_expiry"` // ms since epoch
+}
+
+// Metadata defines the Terraform resource type name.
+func (r *BitbucketTokenResource) Metadata(_ context.Context, _ resource.MetadataRequest, resp *resource.MetadataResponse) {
+	resp.TypeName = "bitbucket_token"
+}
+
+// Schema defines the Terraform resource schema.
+func (r *BitbucketTokenResource) Schema(_ context.Context, _ resource.SchemaRequest, resp *resource.SchemaResponse) {
+	resp.Schema = schema.Schema{
+		Description: "Manages Bitbucket access tokens for a repository. The token secret is only returned when created and is preserved in state for reuse while valid.",
+		Attributes: map[string]schema.Attribute{
+			"id": schema.StringAttribute{
+				Computed: true,
+			},
+			"token_name": schema.StringAttribute{
+				Description: "Name prefix for the Bitbucket access token. Actual token will be created as '<prefix>-<epoch_ms>'.",
+				Required:    true,
+			},
+			"project_name": schema.StringAttribute{
+				Description: "Name/key of the Bitbucket project.",
+				Required:    true,
+			},
+			"repository_name": schema.StringAttribute{
+				Description: "Slug/name of the Bitbucket repository.",
+				Required:    true,
+			},
+			"token": schema.StringAttribute{
+				Description: "Bitbucket access token secret (only returned on creation; preserved from state if still valid).",
+				Computed:    true,
+				Sensitive:   true,
+			},
+			"current_token_name": schema.StringAttribute{
+				Description: "Identifier of the currently managed token (e.g., '<prefix>-<epoch_ms>').",
+				Computed:    true,
+			},
+			"current_token_expiry": schema.Int64Attribute{
+				Description: "Expiry of the current token in milliseconds since epoch.",
+				Computed:    true,
+			},
+		},
+	}
+}
+
+// Configure sets up provider-level data for the resource.
+func (r *BitbucketTokenResource) Configure(_ context.Context, req resource.ConfigureRequest, resp *resource.ConfigureResponse) {
+	if req.ProviderData == nil {
+		return
+	}
+
+	providerData, ok := req.ProviderData.(*ProviderData)
+	if !ok {
+		resp.Diagnostics.AddError(
+			"Unexpected Provider Data Type",
+			fmt.Sprintf("Expected *ProviderData, got: %T", req.ProviderData),
+		)
+		return
+	}
+
+	if providerData.ServerURL == "" {
+		resp.Diagnostics.AddError(
+			"Invalid Provider Configuration",
+			"The 'server_url' cannot be empty.",
+		)
+		return
+	}
+
+	r.authHeader = providerData.AuthHeader
+	r.serverURL = providerData.ServerURL
+	r.tlsSkipVerify = providerData.TLSSkipVerify
+}
+
+// httpClient creates a custom HTTP client with optional TLS skip verification.
+func (r *BitbucketTokenResource) httpClient() *http.Client {
+	tr := &http.Transport{
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: r.tlsSkipVerify}, // #nosec G402 - intentional per user config
+	}
+	return &http.Client{
+		Timeout:   20 * time.Second,
+		Transport: tr,
+	}
+}
+
+// tokenInfo describes an access token returned by listing API.
+type tokenInfo struct {
+	Name        string
+	ExpiryMs    int64
+	Permissions []string
+}
+
+// listTokens lists all tokens for a repo and filters by prefix; returns all matches.
+func (r *BitbucketTokenResource) listTokens(auth, baseURL, project, repo, prefix string) ([]tokenInfo, error) {
+	apiURL := fmt.Sprintf("%s/rest/access-tokens/latest/projects/%s/repos/%s?limit=10000", baseURL, project, repo)
+	client := r.httpClient()
+
+	req, _ := http.NewRequest("GET", apiURL, nil)
+	req.Header.Add("Authorization", "Basic "+auth)
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		body, _ := io.ReadAll(resp.Body)
+		return nil, fmt.Errorf("Bitbucket API returned %d: %s", resp.StatusCode, string(body))
+	}
+
+	body, _ := io.ReadAll(resp.Body)
+	var jsonResp map[string]interface{}
+	_ = json.Unmarshal(body, &jsonResp)
+
+	values, _ := jsonResp["values"].([]interface{})
+	var out []tokenInfo
+	for _, v := range values {
+		obj, ok := v.(map[string]interface{})
+		if !ok {
+			continue
+		}
+		name, _ := obj["name"].(string)
+		if len(name) < len(prefix) || name[:len(prefix)] != prefix {
+			continue
+		}
+		exp, _ := obj["expiryDate"].(float64) // ms since epoch
+		expMs := int64(exp)
+
+		var perms []string
+		if ps, ok := obj["permissions"].([]interface{}); ok {
+			for _, p := range ps {
+				if s, ok := p.(string); ok {
+					perms = append(perms, s)
+				}
+			}
+		}
+		out = append(out, tokenInfo{
+			Name:        name,
+			ExpiryMs:    expMs,
+			Permissions: perms,
+		})
+	}
+	return out, nil
+}
+
+// getTokenByName searches list results for an exact name.
+func getTokenByName(tokens []tokenInfo, name string) *tokenInfo {
+	for i := range tokens {
+		if tokens[i].Name == name {
+			return &tokens[i]
+		}
+	}
+	return nil
+}
+
+// createToken creates a new access token and returns (secret, name, expiryMs).
+func (r *BitbucketTokenResource) createToken(auth, baseURL, project, repo, prefix string) (string, string, int64, error) {
+	putURL := fmt.Sprintf("%s/rest/access-tokens/latest/projects/%s/repos/%s", baseURL, project, repo)
+	payload := map[string]interface{}{
+		"expiryDays":  90,
+		"name":        fmt.Sprintf("%s-%d", prefix, time.Now().UnixMilli()),
+		"permissions": []string{"REPO_READ"},
+	}
+	bodyBytes, _ := json.Marshal(payload)
+
+	client := r.httpClient()
+	req, _ := http.NewRequest("PUT", putURL, bytes.NewReader(bodyBytes))
+	req.Header.Add("Authorization", "Basic "+auth)
+	req.Header.Add("Content-Type", "application/json")
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return "", "", 0, err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusCreated {
+		body, _ := io.ReadAll(resp.Body)
+		return "", "", 0, fmt.Errorf("Bitbucket API returned %d: %s", resp.StatusCode, string(body))
+	}
+
+	body, _ := io.ReadAll(resp.Body)
+	var jsonResp map[string]interface{}
+	_ = json.Unmarshal(body, &jsonResp)
+
+	secret, _ := jsonResp["token"].(string)
+	name, _ := jsonResp["name"].(string)
+	exp, _ := jsonResp["expiryDate"].(float64)
+	expMs := int64(exp)
+
+	if secret == "" || name == "" || expMs == 0 {
+		return "", "", 0, fmt.Errorf("API response missing fields (token/name/expiryDate): %s", string(body))
+	}
+
+	return secret, name, expMs, nil
+}
+
+// deleteToken removes a token by name.
+func (r *BitbucketTokenResource) deleteToken(auth, baseURL, project, repo, name string) error {
+	client := r.httpClient()
+	delURL := fmt.Sprintf("%s/rest/access-tokens/latest/projects/%s/repos/%s/%s", baseURL, project, repo, name)
+
+	req, _ := http.NewRequest("DELETE", delURL, nil)
+	req.Header.Add("Authorization", "Basic "+auth)
+	resp, err := client.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode >= 400 {
+		body, _ := io.ReadAll(resp.Body)
+		return fmt.Errorf("Bitbucket returned %d: %s", resp.StatusCode, string(body))
+	}
+	return nil
+}
+
+// ensureToken ensures we end with a valid token secret in state.
+// If state has a valid token → keep its secret.
+// If missing/expired → delete expired (if any) and create a fresh one.
+func (r *BitbucketTokenResource) ensureToken(data *BitbucketTokenResourceModel) (*BitbucketTokenResourceModel, error) {
+	project := data.ProjectName.ValueString()
+	repo := data.RepositoryName.ValueString()
+	prefix := data.TokenName.ValueString()
+
+	tokens, err := r.listTokens(r.authHeader, r.serverURL, project, repo, prefix)
+	if err != nil {
+		return nil, err
+	}
+
+	nowMs := time.Now().UnixMilli()
+	thresholdMs := int64(30 * 24 * time.Hour / time.Millisecond)
+
+	stateName := data.CurrentTokenName.ValueString()
+	stateSecret := data.Token.ValueString()
+
+	if stateName != "" && stateSecret != "" {
+		if t := getTokenByName(tokens, stateName); t != nil {
+			timeLeft := t.ExpiryMs - nowMs
+			if timeLeft > thresholdMs {
+				data.Token = types.StringValue(stateSecret)
+				data.CurrentTokenName = types.StringValue(t.Name)
+				data.CurrentTokenExpiry = types.Int64Value(t.ExpiryMs)
+				return data, nil
+			}
+			_ = r.deleteToken(r.authHeader, r.serverURL, project, repo, stateName)
+		}
+	}
+
+	for _, t := range tokens {
+		if t.ExpiryMs <= nowMs {
+			_ = r.deleteToken(r.authHeader, r.serverURL, project, repo, t.Name)
+		}
+	}
+
+	secret, newName, expiry, err := r.createToken(r.authHeader, r.serverURL, project, repo, prefix)
+	if err != nil {
+		return nil, err
+	}
+
+	data.Token = types.StringValue(secret)
+	data.CurrentTokenName = types.StringValue(newName)
+	data.CurrentTokenExpiry = types.Int64Value(expiry)
+
+	return data, nil
+}
+
+// Create — always produces a token value. Since no prior state exists,
+// we create a fresh token (after cleaning up any expired ones for the prefix).
+func (r *BitbucketTokenResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
+	var data BitbucketTokenResourceModel
+	resp.Diagnostics.Append(req.Plan.Get(ctx, &data)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	out, err := r.ensureToken(&data)
+	if err != nil {
+		resp.Diagnostics.AddError("Error ensuring token", err.Error())
+		return
+	}
+
+	out.ID = types.StringValue(fmt.Sprintf("%s/%s/%s", out.ProjectName.ValueString(), out.RepositoryName.ValueString(), out.TokenName.ValueString()))
+	resp.Diagnostics.Append(resp.State.Set(ctx, out)...)
+}
+
+// Read — does not create new tokens (to keep Read side-effect free).
+// If the tracked token is missing or expired, remove from state so the next Apply will recreate it.
+func (r *BitbucketTokenResource) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) {
+	var data BitbucketTokenResourceModel
+	resp.Diagnostics.Append(req.State.Get(ctx, &data)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	project := data.ProjectName.ValueString()
+	repo := data.RepositoryName.ValueString()
+	prefix := data.TokenName.ValueString()
+
+	tokens, err := r.listTokens(r.authHeader, r.serverURL, project, repo, prefix)
+	if err != nil {
+		resp.Diagnostics.AddError("Error listing tokens", err.Error())
+		return
+	}
+
+	nowMs := time.Now().UnixMilli()
+	thresholdMs := int64(30 * 24 * time.Hour / time.Millisecond)
+
+	stateName := data.CurrentTokenName.ValueString()
+	var valid bool
+
+	if stateName != "" {
+		if t := getTokenByName(tokens, stateName); t != nil {
+			timeLeft := t.ExpiryMs - nowMs
+			if timeLeft > thresholdMs {
+				data.CurrentTokenExpiry = types.Int64Value(t.ExpiryMs)
+				valid = true
+			}
+		}
+	}
+
+	if !valid {
+		// Not present or expired -> remove from state; next Apply will create a new one in Create/Update paths.
+		resp.State.RemoveResource(ctx)
+		return
+	}
+
+	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
+}
+
+// Update — same semantics as Create: ensure we output a valid token value.
+// If state has a valid token, reuse its secret; otherwise delete expired and create new.
+func (r *BitbucketTokenResource) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
+	var plan BitbucketTokenResourceModel
+	resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	// Carry over prior state (for secret) if present.
+	var state BitbucketTokenResourceModel
+	_ = req.State.Get(ctx, &state)
+
+	// Start from plan but keep any state-held secret/name/expiry for reuse.
+	if !state.Token.IsNull() && !state.Token.IsUnknown() {
+		plan.Token = state.Token
+	}
+	if !state.CurrentTokenName.IsNull() && !state.CurrentTokenName.IsUnknown() {
+		plan.CurrentTokenName = state.CurrentTokenName
+	}
+	if !state.CurrentTokenExpiry.IsNull() && !state.CurrentTokenExpiry.IsUnknown() {
+		plan.CurrentTokenExpiry = state.CurrentTokenExpiry
+	}
+
+	out, err := r.ensureToken(&plan)
+	if err != nil {
+		resp.Diagnostics.AddError("Error ensuring token on update", err.Error())
+		return
+	}
+
+	out.ID = types.StringValue(fmt.Sprintf("%s/%s/%s", out.ProjectName.ValueString(), out.RepositoryName.ValueString(), out.TokenName.ValueString()))
+	resp.Diagnostics.Append(resp.State.Set(ctx, out)...)
+}
+
+// Delete removes the tracked token if it still exists.
+func (r *BitbucketTokenResource) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) {
+	var data BitbucketTokenResourceModel
+	resp.Diagnostics.Append(req.State.Get(ctx, &data)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	project := data.ProjectName.ValueString()
+	repo := data.RepositoryName.ValueString()
+	name := data.CurrentTokenName.ValueString()
+
+	if name != "" {
+		if err := r.deleteToken(r.authHeader, r.serverURL, project, repo, name); err != nil {
+			resp.Diagnostics.AddWarning("Error deleting token", err.Error())
+		}
+	}
+
+	resp.State.RemoveResource(ctx)
+}

terraform-registry-manifest.json

@@ -0,0 +1,6 @@
+{
+  "version": 1,
+  "metadata": {
+    "protocol_versions": ["6.0"]
+  }
+}