feat: Add kms key options to secrets manager instance commands

[s-inter]

Description

This PR implements KMS key options for secrets manager instance commands (create, update, describe).

Changes

• Added --kms-key-id, --kms-keyring-id, --kms-key-version, and --kms-service-account-email flags to stackit secrets-manager instance create and stackit secrets-manager instance update commands.
• Added KMS key output fields to stackit secrets-manager instance describe command.
• Added unit tests for input parsing, request building, and KMS-related functionality.
• Generated updated command documentation.

Testing Instructions

Prerequisite: Run make build (if needed)

---

1. instance create (with KMS options)

bin/stackit secrets-manager instance create \
  --project-id <PROJECT_ID> \
  --name my-instance \
  --kms-key-id key-id \
  --kms-keyring-id keyring-id \
  --kms-key-version 1 \
  --kms-service-account-email my-service-account@sa.stackit.cloud

• Expected: Prints instance ID and creation details. Internal API payload includes KmsKey properties.
• Verify: Run describe command. Outputs should include KMS KEY ID, KMS KEYRING ID, KMS KEY VERSION, and KMS SERVICE ACCOUNT EMAIL.

bin/stackit secrets-manager instance describe <INSTANCE_ID> --project-id <PROJECT_ID>

---

2. instance update

Update Name Only

bin/stackit secrets-manager instance update <INSTANCE_ID> --project-id <PROJECT_ID> --name my-new-name

• Expected: describe reflects the new name.

Update Name & ACLs Together

bin/stackit secrets-manager instance update <INSTANCE_ID> --project-id <PROJECT_ID> --name my-new-name --acl 1.2.3.0/24

• Expected: describe reflects both changes.

Update KMS Options (requires --name)

bin/stackit secrets-manager instance update <INSTANCE_ID> \
  --project-id <PROJECT_ID> \
  --name my-instance \
  --kms-key-id new-key \
  --kms-keyring-id new-keyring \
  --kms-key-version 2 \
  --kms-service-account-email new-sa@sa.stackit.cloud

• Expected: describe reflects the new KMS values.

---

3. Edge Cases & Negative Tests

1. Use KMS flags without --name: Error "--name is required when using KMS flags"

   bin/stackit secrets-manager instance update <INSTANCE_ID> --project-id <PROJECT_ID> --kms-key-id key-id --kms-keyring-id keyring-id --kms-key-version 1 --kms-service-account-email sa@sa.stackit.cloud

2. Use partial KMS flags (missing others): Error about all KMS flags needing to be provided together.

   bin/stackit secrets-manager instance update <INSTANCE_ID> --project-id <PROJECT_ID> --name my-instance --kms-key-id key-id

3. No --name or --acl provided: Error about missing required fields.

   bin/stackit secrets-manager instance update <INSTANCE_ID> --project-id <PROJECT_ID>

---

Notes for Reviewers

• Behavior Changes:
  • update now supports updating instance name, ACLs, and KMS settings (separately or together).
  • --name is required when using any KMS flags.
  • At least one of --name or --acl must be provided.
• API Details:
  • Name/KMS updates use UpdateInstance; ACLs use UpdateACLs.
  • When updating both, separate calls occur. If UpdateInstance succeeds but UpdateACLs fails, the user gets a helpful error indicating partial success.

relates to STACKITCLI-338

Checklist

• Issue was linked above
• Code format was applied: make fmt
• Examples were added / adjusted
• Docs are up-to-date: make generate-docs
• Unit tests got implemented or updated
• Unit tests are passing: make test
• No linter issues: make lint

[rubenhoenle]

@s-inter

Please include the test setup next time in your testing instructions.

Could have been e.g.

resource "stackit_kms_keyring" "example" {
  project_id   = var.project_id
  display_name = "example-name"
  description  = "example description"
}

resource "stackit_kms_key" "key" {
  project_id   = var.project_id
  keyring_id   = stackit_kms_keyring.example.keyring_id
  display_name = "key-01"
  protection   = "software"
  algorithm    = "aes_256_gcm"
  purpose      = "symmetric_encrypt_decrypt"
}

output "env" {
  value       = "export KEYRING_ID=${stackit_kms_keyring.example.keyring_id} && export KEY_ID=${stackit_kms_key.key.key_id} && KEY_SA_EMAIL=${var.service_account_email}"
}

Testing instructions:

• Apply terraform config
• Set the env variables by running the command from the terraform output
• Run the following command: stackit secrets-manager instance create ---kms-keyring-id $KEYRING_ID --kms-key-id $KEY_ID

Edit: Testing instructions should also include the teardown of the test setup

[github-actions]

Merging this branch will increase overall coverage

Impacted Packages	Coverage Δ	🤖
github.com/stackitcloud/stackit-cli/internal/cmd/secrets-manager/instance/create	57.38% (+6.43%)	👍
github.com/stackitcloud/stackit-cli/internal/cmd/secrets-manager/instance/describe	66.67% (+3.51%)	👍
github.com/stackitcloud/stackit-cli/internal/cmd/secrets-manager/instance/update	50.82% (+2.04%)	👍

---

Coverage by file

Changed files (no unit tests)

Changed File	Coverage Δ	Total	Covered	Missed	🤖
github.com/stackitcloud/stackit-cli/internal/cmd/secrets-manager/instance/create/create.go	57.38% (+6.43%)	61 (+8)	35 (+8)	26	👍
github.com/stackitcloud/stackit-cli/internal/cmd/secrets-manager/instance/describe/describe.go	66.67% (+3.51%)	69 (+12)	46 (+10)	23 (+2)	👍
github.com/stackitcloud/stackit-cli/internal/cmd/secrets-manager/instance/update/update.go	50.82% (+2.04%)	61 (+20)	31 (+11)	30 (+9)	👍

Please note that the "Total", "Covered", and "Missed" counts above refer to code statements instead of lines of code. The value in brackets refers to the test coverage of that file in the old version of the code.

Changed unit test files

• github.com/stackitcloud/stackit-cli/internal/cmd/secrets-manager/instance/create/create_test.go
• github.com/stackitcloud/stackit-cli/internal/cmd/secrets-manager/instance/describe/describe_test.go
• github.com/stackitcloud/stackit-cli/internal/cmd/secrets-manager/instance/update/update_test.go