From d20df2a00e4f087312dcc14b5c332bff059fe162 Mon Sep 17 00:00:00 2001
From: Florian Heuer <florian.heuer@mail.schwarz>
Date: Fri, 8 Aug 2025 18:00:08 +0200
Subject: [PATCH] feature(iac): add service-account module

---
 service-account/README.md          | 26 +++++++++++++++
 service-account/outputs.tf         | 20 ++++++++++++
 service-account/providers.tf       |  8 +++++
 service-account/service-account.tf | 22 +++++++++++++
 service-account/variables.tf       | 52 ++++++++++++++++++++++++++++++
 5 files changed, 128 insertions(+)
 create mode 100644 service-account/README.md
 create mode 100644 service-account/outputs.tf
 create mode 100644 service-account/providers.tf
 create mode 100644 service-account/service-account.tf
 create mode 100644 service-account/variables.tf

diff --git a/service-account/README.md b/service-account/README.md
new file mode 100644
index 0000000..d26d450
--- /dev/null
+++ b/service-account/README.md
@@ -0,0 +1,26 @@
+# Terraform module to create STACKIT Service Account
+
+## Example for main.tf
+
+# Service Account Terraform Module
+
+This module creates a STACKIT service account, optionally creates a key, and optionally attaches it to a server.
+
+## Usage
+
+```hcl
+module "service_account" {
+  source     = "git::https://commerce-platform.git.onstackit.cloud/commerce-platform-public//terraform-modules/service-account"
+  name       = "my-service-account"
+  project_id = "your-project-id"
+
+  create_key         = true
+  ttl_days           = 90
+  rotate_when_changed = {
+    rotated_at = timestamp()
+  }
+
+  attach_to_server = true
+  server_id        = "your-server-id"
+}
+```
diff --git a/service-account/outputs.tf b/service-account/outputs.tf
new file mode 100644
index 0000000..3587015
--- /dev/null
+++ b/service-account/outputs.tf
@@ -0,0 +1,20 @@
+output "service_account_email" {
+  description = "The email of the service account"
+  value       = stackit_service_account.this.email
+}
+
+output "service_account_id" {
+  description = "Internal ID of the service account"
+  value       = stackit_service_account.this.id
+}
+
+output "service_account_key_id" {
+  description = "ID of the created key"
+  value       = try(stackit_service_account_key.this[0].key_id, null)
+}
+
+output "service_account_key_json" {
+  description = "Sensitive JSON key output"
+  value       = try(stackit_service_account_key.this[0].json, null)
+  sensitive   = true
+}
diff --git a/service-account/providers.tf b/service-account/providers.tf
new file mode 100644
index 0000000..28dfab1
--- /dev/null
+++ b/service-account/providers.tf
@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    stackit = {
+      source  = "stackitcloud/stackit"
+      version = "~> 0.59.0"
+    }
+  }
+}
diff --git a/service-account/service-account.tf b/service-account/service-account.tf
new file mode 100644
index 0000000..c7fdbeb
--- /dev/null
+++ b/service-account/service-account.tf
@@ -0,0 +1,22 @@
+resource "stackit_service_account" "this" {
+  name       = var.service_account_name
+  project_id = var.stackit_project_id
+}
+
+resource "stackit_service_account_key" "this" {
+  count = var.service_account_create_key ? 1 : 0
+
+  project_id            = var.stackit_project_id
+  service_account_email = stackit_service_account.this.email
+  public_key            = var.service_account_public_key
+  rotate_when_changed   = var.service_account_rotate_when_changed
+  ttl_days              = var.service_account_ttl_days
+}
+
+resource "stackit_service_account_attachment" "this" {
+  count = var.attach_to_server ? 1 : 0
+
+  project_id            = var.stackit_project_id
+  server_id             = var.server_id
+  service_account_email = stackit_service_account.this.email
+}
diff --git a/service-account/variables.tf b/service-account/variables.tf
new file mode 100644
index 0000000..1ff754c
--- /dev/null
+++ b/service-account/variables.tf
@@ -0,0 +1,52 @@
+variable "stackit_project_id" {
+  description = "STACKIT project ID"
+  type        = string
+}
+
+# === Service Account variables ===
+
+
+variable "service_account_name" {
+  description = "Name of the service account"
+  type        = string
+}
+
+# === Service Account Key variables ===
+
+variable "service_account_create_key" {
+  description = "Whether to create a service account key"
+  type        = bool
+  default     = false
+}
+
+variable "service_account_public_key" {
+  description = "Optional: Specifies the public_key (RSA2048 key-pair). If not provided, a certificate from STACKIT will be used to generate a private_key."
+  type        = string
+  default     = null
+}
+
+variable "service_account_rotate_when_changed" {
+  description = "Map to force key rotation when changed"
+  type        = map(string)
+  default     = {}
+}
+
+variable "service_account_ttl_days" {
+  description = "Key validity duration in days. Defaults to 90"
+  type        = number
+  default     = 90
+}
+
+# === Server Service Account Attach variables ===
+
+variable "attach_to_server" {
+  description = "Whether to attach the service account to a server"
+  type        = bool
+  default     = false
+}
+
+variable "server_id" {
+  description = "Server ID for attachment"
+  type        = string
+  default     = ""
+}