add edits to notification policy

Reviewed-on: #9
Reviewed-by: Stanislav_Kopp <stanislav.kopp@mail.schwarz>

dns/README.md

@@ -0,0 +1,160 @@
+# Terraform STACKIT DNS Zone and Record Set Module
+
+This module allows you to declaratively manage DNS zones and their associated record sets in STACKIT.
+
+It supports:
+
+- Creating one or more new DNS zones.
+- Using pre-existing DNS zones by providing a `zone_id`.
+- Creating one or more record sets within any managed zone.
+
+## Usage Example
+
+Here is an example of how to use the module to create one or many new zones and use another pre-existing one.
+
+```terraform
+terraform {
+  required_providers {
+    stackit = {
+      source  = "stackitcloud/stackit"
+      version = "~> 0.59.0"
+    }
+  }
+  backend "s3" {
+    endpoints = {
+      s3 = "https://object.storage.eu01.onstackit.cloud"
+    }
+    bucket                      = "test-bucket"
+    key                         = "state/test/dns"
+    region                      = "eu01"
+    skip_region_validation      = true
+    skip_metadata_api_check     = true
+    skip_credentials_validation = true
+    skip_requesting_account_id  = true
+    skip_s3_checksum            = true
+    use_path_style              = true
+  }
+}
+
+provider "stackit" {
+  # Configure your provider credentials, i.e.:
+  default_region           = local.region
+  enable_beta_resources    = true
+  service_account_key_path = "sa_key.json"
+}
+
+module "dns" {
+  source     = "./path/to/your/module" # Or a Git URL git::https://commerce-platform.git.onstackit.cloud/commerce-platform-public//terraform-modules/dns
+  project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+
+  zones = {
+    # EXAMPLE 1: Create multiple zones with multiple A records
+    "primary_domain" = {
+      name     = "first domain"
+      dns_name = "test-b.stackit.rocks"
+      record_sets = {
+        "qa-test" = {
+          name    = "qa-test"
+          type    = "A"
+          ttl     = 3600
+          records = ["192.0.1.1", "192.0.1.2"]
+        }
+        "beta-test" = {
+          name    = "beta-test"
+          type    = "A"
+          ttl     = 3600
+          records = ["192.0.2.10", "192.0.2.20", "192.0.2.30"]
+        }
+      }
+    },
+    "secondary_domain" = {
+      name     = "second domain"
+      dns_name = "test-a.stackit.rocks"
+      record_sets = {
+        "alpha-records" = {
+          name    = "alpha-test"
+          type    = "A"
+          ttl     = 3600
+          records = ["192.10.2.10", "192.10.2.20", "192.10.2.30"]
+        }
+      }
+    },
+
+    # EXAMPLE 2: Use a pre-existing zone and add a new TXT and A record to it
+    "existing_domain" = {
+      zone_id = "zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz"
+      record_sets = {
+        "spf_txt" = {
+          name    = "@"
+          type    = "TXT"
+          records = ["v=spf1 mx -all"]
+          ttl     = 7200
+          comment = "this is a test txt record"
+        },
+        "spf_cname" = {
+          name    = "exampledomain"
+          type    = "A"
+          ttl     = 3600
+          records = ["192.0.29.1"]
+        }
+      }
+    },
+
+    # EXAMPLE 3: Create a new zone with no initial records
+    "empty_domain" = {
+      name     = "My Empty Domain"
+      dns_name = "empty-example.com"
+    }
+  }
+}
+```
+
+## Inputs
+
+| Variable Name | Description                                                                                                                                          | Type     | Required |
+| ------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | -------- |
+| `project_id`  | STACKIT project ID to which the DNS resources are associated.                                                                                        | `string` | Yes      |
+| `zones`       | A map of DNS zones to be created or managed. Each zone contains a `name`, `dns_name`, and `record_sets` map.                                         | `map`    | Yes      |
+| `record_sets` | A map of DNS record sets to create within this zone. Each record set contains a `name`, `type`, `records`, `ttl`, `comment`, and `active` attribute. | `map`    | Optional |
+
+### Values for zones
+
+| Key               | Description                                                                                                                                | Type           | Required                            |
+| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------ | -------------- | ----------------------------------- |
+| `zone_id`         | The ID of an existing DNS zone to manage. If provided, the module will use the existing zone. If not provided, a new zone will be created. | `string`       | Optional                            |
+| `name`            | The descriptive name of the DNS zone.                                                                                                      | `string`       | Optional                            |
+| `dns_name`        | The DNS name of the DNS zone.                                                                                                              | `string`       | Optional                            |
+| `contact_email`   | The contact email for the DNS zone.                                                                                                        | `string`       | Optional                            |
+| `description`     | A description of the DNS zone.                                                                                                             | `string`       | Optional                            |
+| `acl`             | The Access Control List (ACL) for the DNS zone.                                                                                            | `string`       | Optional                            |
+| `active`          | Whether the DNS zone is active or not.                                                                                                     | `bool`         | Optional (currently non-functional) |
+| `default_ttl`     | The default Time-to-Live (TTL) for records in the DNS zone.                                                                                | `number`       | Optional                            |
+| `expire_time`     | The expiration time for the DNS zone.                                                                                                      | `number`       | Optional                            |
+| `is_reverse_zone` | Whether the DNS zone is a reverse zone or not.                                                                                             | `bool`         | Optional                            |
+| `negative_cache`  | The negative cache duration for the DNS zone.                                                                                              | `number`       | Optional                            |
+| `primaries`       | A list of primary name servers for the DNS zone.                                                                                           | `list(string)` | Optional                            |
+| `refresh_time`    | The refresh time for the DNS zone.                                                                                                         | `number`       | Optional                            |
+| `retry_time`      | The retry time for the DNS zone.                                                                                                           | `number`       | Optional                            |
+| `type`            | The type of the DNS zone. Defaults to "primary" if not provided.                                                                           | `string`       | Optional                            |
+
+### Values for record_sets
+
+| Key       | Description                                                   | Type           | Required                            |
+| --------- | ------------------------------------------------------------- | -------------- | ----------------------------------- |
+| `name`    | The name of the DNS record set.                               | `string`       | Yes                                 |
+| `type`    | The type of the DNS record set.                               | `string`       | Yes                                 |
+| `records` | A list of DNS records for the record set.                     | `list(string)` | Yes                                 |
+| `ttl`     | The Time-to-Live (TTL) for the DNS records in the record set. | `number`       | Optional                            |
+| `comment` | A comment for the DNS record set.                             | `string`       | Optional                            |
+| `active`  | Whether the DNS record set is active or not.                  | `bool`         | Optional (currently non-functional) |
+
+## Outputs
+
+| Name          | Description                                                                                |
+| ------------- | ------------------------------------------------------------------------------------------ |
+| `zones`       | A map of all managed DNS zone objects, including those created and those referenced by ID. |
+| `record_sets` | A map of all created DNS record set objects.                                               |
+
+## Notes
+
+Setting a zone or record to inactive by using `active = false` is currently not possible due to a bug in the provider. It is active by default.

dns/dns.tf

@@ -0,0 +1,94 @@
+# main.tf
+
+# --------------------------------------------------------------------------------------------------
+# LOCAL VARIABLES
+# --------------------------------------------------------------------------------------------------
+
+locals {
+  # Create a map of zones to be created (where zone_id is not specified)
+  zones_to_create = { for k, v in var.zones : k => v if try(v.zone_id, null) == null }
+
+  # Create a map of zones to be referenced via data source (where zone_id is specified)
+  zones_to_read = { for k, v in var.zones : k => v if try(v.zone_id, null) != null }
+
+  # Merge the created resources and data sources into a single, unified map.
+  # This allows record sets to reference a zone regardless of whether it was created or read.
+  all_zones = merge(
+    {
+      for k, zone in stackit_dns_zone.this : k => zone
+    },
+    {
+      for k, zone in data.stackit_dns_zone.this : k => zone
+    }
+  )
+
+  # Flatten the nested record_sets structure into a single list, making it easy to iterate with for_each.
+  # Each item in the list retains a reference to its parent zone key.
+  flat_record_sets = flatten([
+    for zone_key, zone_config in var.zones : [
+      for record_key, record_config in try(zone_config.record_sets, {}) : {
+        zone_key   = zone_key
+        record_key = record_key
+        name       = record_config.name
+        type       = record_config.type
+        records    = record_config.records
+        ttl        = try(record_config.ttl, null)
+        comment    = try(record_config.comment, null)
+        active     = try(record_config.active, null)
+      }
+    ]
+  ])
+}
+
+# --------------------------------------------------------------------------------------------------
+# DNS ZONE RESOURCES (CREATE OR READ)
+# --------------------------------------------------------------------------------------------------
+
+# Create new DNS zones for configurations that do not have a zone_id
+resource "stackit_dns_zone" "this" {
+  for_each = local.zones_to_create
+
+  project_id      = var.project_id
+  name            = each.value.name
+  dns_name        = each.value.dns_name
+  contact_email   = try(each.value.contact_email, null)
+  description     = try(each.value.description, null)
+  acl             = try(each.value.acl, null)
+  active          = try(each.value.active, null)
+  default_ttl     = try(each.value.default_ttl, null)
+  expire_time     = try(each.value.expire_time, null)
+  is_reverse_zone = try(each.value.is_reverse_zone, null)
+  negative_cache  = try(each.value.negative_cache, null)
+  primaries       = try(each.value.primaries, null)
+  refresh_time    = try(each.value.refresh_time, null)
+  retry_time      = try(each.value.retry_time, null)
+  type            = try(each.value.type, "primary")
+}
+
+# Read existing DNS zones for configurations that provide a zone_id
+data "stackit_dns_zone" "this" {
+  for_each = local.zones_to_read
+
+  project_id = var.project_id
+  zone_id    = each.value.zone_id
+}
+
+# --------------------------------------------------------------------------------------------------
+# DNS RECORD SET RESOURCES
+# --------------------------------------------------------------------------------------------------
+
+resource "stackit_dns_record_set" "this" {
+  # The key is a unique combination of the zone and record keys for a stable address.
+  for_each = { for record in local.flat_record_sets : "${record.zone_key}.${record.record_key}" => record }
+
+  project_id = var.project_id
+  # Look up the correct zone_id from the unified 'all_zones' map
+  zone_id = local.all_zones[each.value.zone_key].zone_id
+
+  name    = each.value.name
+  type    = each.value.type
+  records = each.value.records
+  ttl     = each.value.ttl
+  comment = each.value.comment
+  active  = each.value.active
+}

dns/outputs.tf

@@ -0,0 +1,11 @@
+# outputs.tf
+
+output "zones" {
+  description = "A map of all managed DNS zone objects, including those created and those referenced by ID."
+  value       = local.all_zones
+}
+
+output "record_sets" {
+  description = "A map of all created DNS record set objects."
+  value       = stackit_dns_record_set.this
+}

dns/providers.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    stackit = {
+      source  = "stackitcloud/stackit"
+      version = "~> 0.68.0"
+    }
+  }
+}

dns/variables.tf

@@ -0,0 +1,48 @@
+# variables.tf
+
+variable "project_id" {
+  type        = string
+  description = "STACKIT project ID to which the DNS resources are associated."
+}
+
+variable "zones" {
+  type = map(object({
+    # If zone_id is provided, the module will use the existing zone.
+    # Otherwise, a new zone will be created using the attributes below.
+    zone_id = optional(string)
+
+    # Required attributes for new zones
+    name     = optional(string)
+    dns_name = optional(string)
+
+    # Optional attributes for new zones
+    contact_email   = optional(string)
+    description     = optional(string)
+    acl             = optional(string)
+    active          = optional(bool)
+    default_ttl     = optional(number)
+    expire_time     = optional(number)
+    is_reverse_zone = optional(bool)
+    negative_cache  = optional(number)
+    primaries       = optional(list(string))
+    refresh_time    = optional(number)
+    retry_time      = optional(number)
+    type            = optional(string, "primary")
+
+    # A map of DNS record sets to create within this zone.
+    # The key is a logical name for the record set (e.g., "www", "mx_record").
+    record_sets = optional(map(object({
+      # Required record set attributes
+      name    = string
+      type    = string
+      records = list(string)
+
+      # Optional record set attributes
+      ttl     = optional(number)
+      comment = optional(string)
+      active  = optional(bool, true)
+    })), {})
+  }))
+  description = "A map of DNS zones to manage. The key is a logical name for the zone."
+  default     = {}
+}

grafana/README.md

@@ -83,17 +83,17 @@ module "datasource" {
 
   datasources = {
     Thanos-Common-Infra-PRD = {
-      type       = "prometheus"
+      type                  = "prometheus"
-      url_key    = "thanos_coin_prd"
+      url_key               = "thanos_coin_prd"
-      user_key   = "thanos_coin_prd"
+      basic_auth_user_key   = "thanos_coin_prd"
-      pass_key   = "thanos_coin_prd"
+      pass_key              = "thanos_coin_prd"
-      is_default = true
+      is_default            = true
     }
     Loki-Common-Infra-PRD = {
-      type     = "loki"
+      type                = "loki"
-      url_key  = "loki_coin_prd"
+      url_key             = "loki_coin_prd"
-      user_key = "loki_coin_prd"
+      basic_auth_user_key = "loki_coin_prd"
-      pass_key = "loki_coin_prd"
+      pass_key            = "loki_coin_prd"
     }
   }
 

grafana/Untitled111.md

@@ -1 +0,0 @@
-

grafana/contact-point-gchat/main.tf

@@ -1,5 +1,6 @@
 resource "grafana_contact_point" "this" {
   name = var.contact_point_name
+  disable_provenance = true
 
   googlechat {
     url     = var.gchat_url

grafana/datasource/datasource.tf

@@ -1,3 +1,4 @@
+# Create the basic "shell" of each datasource.
 resource "grafana_data_source" "this" {
   for_each = var.datasources
 
@@ -6,12 +7,108 @@ resource "grafana_data_source" "this" {
   url        = var.datasource_urls[each.value.url_key]
   is_default = coalesce(each.value.is_default, false)
 
-  basic_auth_enabled  = true
+  # For HTTP Basic Auth (Loki, Prometheus, etc.)
-  basic_auth_username = var.datasource_users[each.value.user_key]
+  basic_auth_enabled  = each.value.basic_auth_user_key != null
+  basic_auth_username = each.value.basic_auth_user_key != null ? var.datasource_users[each.value.basic_auth_user_key] : null
 
-  secure_json_data_encoded = jsonencode({
+  # For database usernames (like Postgres)
-    basicAuthPassword = var.datasource_passwords[each.value.pass_key]
+  # This sets the username initially.
+  username = each.value.db_user_key != null ? var.datasource_users[each.value.db_user_key] : null
+
+  # This resource must ignore attributes that are
+  # managed by the other 'config' resources below.
+  lifecycle {
+    ignore_changes = [
+      json_data_encoded,
+      secure_json_data_encoded,
+      # Also ignore username, as it can be managed/reported back differently by the API.
+      username,
+    ]
+  }
+}
+
+# Apply the main json_data for datasources like PostgreSQL.
+resource "grafana_data_source_config" "json_data_main" {
+  for_each = {
+    for k, v in var.datasources : k => v
+    if v.json_data != null && v.derived_fields == null && v.traces_to_logs == null
+  }
+
+  uid = grafana_data_source.this[each.key].uid
+
+  json_data_encoded = jsonencode(each.value.json_data)
+
+  # This config must ignore the password, which is managed by the 'passwords' resource.
+  lifecycle {
+    ignore_changes = [secure_json_data_encoded]
+  }
+}
+
+# Apply passwords to all datasources that require one.
+resource "grafana_data_source_config" "passwords" {
+  for_each = {
+    for k, v in var.datasources : k => v if v.pass_key != null
+  }
+
+  uid = grafana_data_source.this[each.key].uid
+
+  secure_json_data_encoded = jsonencode(
+    each.value.type == "grafana-postgresql-datasource" ? {
+      password = var.datasource_passwords[each.value.pass_key]
+      } : {
+      basicAuthPassword = var.datasource_passwords[each.value.pass_key]
+    }
+  )
+
+  # This config must ignore the main json_data, which is managed elsewhere.
+  lifecycle {
+    ignore_changes = [json_data_encoded]
+  }
+}
+
+# Apply Loki-specific 'derivedFields' configuration.
+resource "grafana_data_source_config" "loki_derived_fields" {
+  for_each = {
+    for k, v in var.datasources : k => v if v.type == "loki" && v.derived_fields != null
+  }
+  uid = grafana_data_source.this[each.key].uid
+  json_data_encoded = jsonencode({
+    derivedFields = [
+      for field in each.value.derived_fields : {
+        datasourceUid = grafana_data_source.this[field.target_datasource_name].uid
+        matcherRegex  = field.matcher_regex
+        name          = field.name
+        url           = field.url
+      }
+    ]
   })
 
-  json_data_encoded = each.value.json_data != null ? jsonencode(each.value.json_data) : null
+  # This config must ignore the password, which is managed elsewhere.
+  lifecycle {
+    ignore_changes = [secure_json_data_encoded]
+  }
 }
+
+# Apply Tempo-specific 'tracesToLogsV2' configuration.
+resource "grafana_data_source_config" "tempo_traces_to_logs" {
+  for_each = {
+    for k, v in var.datasources : k => v if v.type == "tempo" && v.traces_to_logs != null
+  }
+  uid = grafana_data_source.this[each.key].uid
+  json_data_encoded = jsonencode({
+    tracesToLogsV2 = {
+      datasourceUid      = grafana_data_source.this[each.value.traces_to_logs.target_datasource_name].uid
+      query              = each.value.traces_to_logs.query
+      customQuery        = coalesce(each.value.traces_to_logs.custom_query, true)
+      filterBySpanID     = coalesce(each.value.traces_to_logs.filter_by_span_id, false)
+      filterByTraceID    = coalesce(each.value.traces_to_logs.filter_by_trace_id, false)
+      spanStartTimeShift = each.value.traces_to_logs.span_start_time_shift
+      spanEndTimeShift   = each.value.traces_to_logs.span_end_time_shift
+    }
+  })
+
+  # This config must ignore the password, which is managed elsewhere.
+  lifecycle {
+    ignore_changes = [secure_json_data_encoded]
+  }
+}

grafana/datasource/variables.tf

@@ -1,21 +1,42 @@
-# Define datasources (non-sensitive metadata only)
 variable "datasources" {
   description = <<EOT
 Map of datasources to create. Keys are datasource names.
-Each datasource specifies type (prometheus/loki), keys to lookup URL/user/password,
+Each datasource specifies type, keys to lookup URL/user/password,
-and optional is_default (true/false).
+and optional configurations for linking data sources.
 EOT
   type = map(object({
-    type       = string           # e.g., prometheus, loki
+    type       = string
-    url_key    = string           # key for URL lookup in datasource_urls map
+    url_key    = string
-    user_key   = string           # key for username lookup in datasource_users map
+    pass_key   = optional(string)
-    pass_key   = string           # key for password lookup in datasource_passwords map
+    is_default = optional(bool)
-    is_default = optional(bool)   # true if this datasource should be Grafana default
+
-    json_data  = optional(map(any))
+    # Key to look up a database username
+    db_user_key = optional(string)
+    # Key to look up a basic auth username
+    basic_auth_user_key = optional(string)
+
+    # Non-sensitive JSON data for Postgres, etc.
+    json_data = optional(map(any))
+
+    # Linking Attributes (for Loki/Tempo)
+    derived_fields = optional(list(object({
+      target_datasource_name = string
+      matcher_regex          = string
+      name                   = string
+      url                    = string
+    })))
+    traces_to_logs = optional(object({
+      target_datasource_name = string
+      query                  = string
+      custom_query           = optional(bool)
+      filter_by_span_id      = optional(bool)
+      filter_by_trace_id     = optional(bool)
+      span_start_time_shift  = optional(string)
+      span_end_time_shift    = optional(string)
+    }))
   }))
 }
 
-# Sensitive maps for URLs, usernames, passwords
 variable "datasource_urls" {
   description = "Map of datasource URLs, keyed by url_key"
   type        = map(string)
@@ -23,7 +44,7 @@ variable "datasource_urls" {
 }
 
 variable "datasource_users" {
-  description = "Map of datasource usernames, keyed by user_key"
+  description = "Map of datasource usernames, keyed by db_user_key or basic_auth_user_key"
   type        = map(string)
   sensitive   = true
 }
@@ -32,4 +53,4 @@ variable "datasource_passwords" {
   description = "Map of datasource passwords, keyed by pass_key"
   type        = map(string)
   sensitive   = true
-}
+}

grafana/notification-policy/main.tf

@@ -1,6 +1,7 @@
 resource "grafana_notification_policy" "this" {
   contact_point = var.default_contact_point_uid
   group_by      = var.group_by
+  disable_provenance = true
 
   dynamic "policy" {
     for_each = var.folder_policies          

mongodb/mongodb.tf

@@ -19,30 +19,3 @@ resource "stackit_mongodbflex_user" "this" {
   roles       = var.mongodb_user_roles
   database    = var.mongodb_user_database
 }
-
-# // Configure Secret Manager Provider
-# provider "vault" {
-#   address          = "https://prod.sm.eu01.stackit.cloud"
-#   skip_child_token = true
-#   auth_login_userpass {
-#     username = var.secret_manager_username
-#     password = var.secret_manager_password
-#   }
-# }
-
-# // Store MongoDB Credentials in Secret Manager
-# resource "vault_kv_secret_v2" "mongodb_cred_save" {
-#   mount               = var.secret_manager_instance_id
-#   name                = var.mongodb_secrets_path
-#   cas                 = 1
-#   delete_all_versions = true
-#   data_json = jsonencode(
-#     {
-#       username = stackit_mongodbflex_user.mongodb_user.username,
-#       password = stackit_mongodbflex_user.mongodb_user.password,
-#       host     = stackit_mongodbflex_user.mongodb_user.host,
-#       port     = stackit_mongodbflex_user.mongodb_user.port,
-#       uri      = stackit_mongodbflex_user.mongodb_user.uri
-#     }
-#   )
-# }

mongodb/providers.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     stackit = {
       source  = "stackitcloud/stackit"
-      version = "~> 0.50.0"
+      version = "~> 0.68.0"
     }
   }
 }

mongodb/variables.tf

@@ -30,7 +30,9 @@ variable "mongodb_instance_flavor" {
 variable "mongodb_instance_options" {
   description = "options for mongodb"
   type = object({
-    type = string
+    type                       = string
+    snapshot_retention_days    = number
+    point_in_time_window_hours = number
   })
 }
 

objectstorage/providers.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     stackit = {
       source  = "stackitcloud/stackit"
-      version = "~> 0.50.0"
+      version = "~> 0.68.0"
     }
   }
 }

observability/providers.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     stackit = {
       source  = "stackitcloud/stackit"
-      version = "~> 0.50.0"
+      version = "~> 0.68.0"
     }
     grafana = {
       source = "grafana/grafana"

postgres/outputs.tf

@@ -2,40 +2,19 @@
 output "postgres_instance_id" {
   value = stackit_postgresflex_instance.this.instance_id
 }
- 
- # Postgres Database Output
- output "postgres_database_id" {
-   value = stackit_postgresflex_database.this.database_id
- }
 
-# Postgres User Output
+# Postgres Credential Output
-output "postgres_host" {
+output "postgres_credentials" {
-  value = stackit_postgresflex_user.this.host
+  value = {
-}
+    for k, u in stackit_postgresflex_user.this :
-
+    k => {
-output "postgres_password" {
+      host     = u.host
-  value     = stackit_postgresflex_user.this.password
+      username = u.username
+      password = u.password
+      port     = u.port
+      db_name  = stackit_postgresflex_database.this[u.username].name
+      uri      = u.uri
+    }
+  }
   sensitive = true
-}
+}
-
-output "postgres_user" {
-  value = stackit_postgresflex_user.this.username
-}
-
-output "postgres_port" {
-  value = stackit_postgresflex_user.this.port
-}
-
-output "postgres_db_name" {
-  value = stackit_postgresflex_database.this.name
-}
-
-output "postgres_uri" {
-  value     = stackit_postgresflex_user.this.uri
-  sensitive = true
-}
-
-output "postgres_user_id" {
-  value = stackit_postgresflex_user.this.user_id
-}
-

postgres/postgres.tf

@@ -12,18 +12,24 @@ resource "stackit_postgresflex_instance" "this" {
 
 // Postgres User 
 resource "stackit_postgresflex_user" "this" {
+  for_each = {
+    for db in var.postgres_databases : db.user_name => db
+  }
   depends_on = [ stackit_postgresflex_instance.this ]
   project_id  = var.stackit_project_id
   instance_id = stackit_postgresflex_instance.this.instance_id
-  username    = var.postgres_db_user_name
+  username    = each.value.user_name
-  roles       = var.postgres_db_user_roles
+  roles       = each.value.user_roles
 }
 
 // Postgres Database
 resource "stackit_postgresflex_database" "this" {
-  depends_on = [ stackit_postgresflex_user.this ]
+  for_each = {
+    for db in var.postgres_databases : db.db_name => db
+  }
+  depends_on = [stackit_postgresflex_user.this]
   project_id  = var.stackit_project_id
   instance_id = stackit_postgresflex_instance.this.instance_id
-  name        = var.postgres_db_name
+  name        = each.value.db_name
-  owner       = var.postgres_db_user_name
+  owner       = each.value.user_name
-}
+}

postgres/providers.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     stackit = {
       source  = "stackitcloud/stackit"
-      version = "~> 0.50.0"
+      version = "~> 0.68.0"
     }
   }
 }

postgres/readme.md

@@ -0,0 +1,67 @@
+# Module for creating Postgres Flex Instance with Databases and Users
+
+## Example
+
+```main.tf
+
+# Postgres Flex Instance
+module "postgres-flex" {
+  source                                = "git::https://commerce-platform.git.onstackit.cloud/commerce-platform-public/terraform-modules//postgres?ref=main
+  stackit_project_id                    = local.stackit_project_id
+  postgres_instance_name                = "example-db"
+  postgres_instance_replicas            = 1
+  postgres_instance_storage             = {
+    class = "premium-perf2-stackit"
+    size = 5
+  }
+
+  postgres_instance_flavor              = {
+    cpu = 2
+    ram = 4
+  }
+
+  postgres_instance_acl                 = [
+    "193.148.160.0/19",
+    "45.129.40.0/21"
+  ]
+
+  postgres_instance_backup_schedule     = "00 02 * * *"
+  postgres_instance_version             = "17"
+  postgres_instance_region              = "eu01"
+
+  postgres_databases = [
+  {
+    db_name  = "database-a"
+    user_name  = "user-a"
+    user_roles = ["createdb", "login"]
+  },
+  {
+    db_name  = "database-b"
+    user_name  = "user-b"
+    user_roles = ["createdb", "login"]
+  },
+  ]
+}
+
+# safe credentials 
+module "postgres-credentials-sm-a" {
+  source                     = "git::https://commerce-platform.git.onstackit.cloud/commerce-platform-public/terraform-modules//create-secret?ref=main"
+  secret_manager_instance_id = local.secret_manager_instance_id
+  secret_manager_username    = var.secret_manager_username
+  secret_manager_password    = var.secret_manager_password
+
+  secrets_path = "service-a/postgres"
+  secret_data  = module.postgres-flex.postgres_credentials["user-a"]
+}
+
+module "postgres-credentials-sm-b" {
+  source                     = "git::https://commerce-platform.git.onstackit.cloud/commerce-platform-public/terraform-modules//create-secret?ref=main"
+  secret_manager_instance_id = local.secret_manager_instance_id
+  secret_manager_username    = var.secret_manager_username
+  secret_manager_password    = var.secret_manager_password
+
+  secrets_path = "service-b/postgres"
+  secret_data  = module.postgres-flex.postgres_credentials["user-b"]
+}
+
+```

postgres/variables.tf

@@ -10,11 +10,6 @@ variable "postgres_instance_name" {
   type        = string
 }
 
-# variable "postegres_instance_id" {
-#   description = "postgres instance id"
-#   type = string  
-# }
-
 variable "postgres_instance_replicas" {
   description = "number of replicas for postgres instance"
   type        = number
@@ -58,19 +53,12 @@ variable "postgres_instance_region" {
   type        = string
 }
 
-# Postgres User Configs
+# Postgres User and DB Configs
-variable "postgres_db_user_name" {
+variable "postgres_databases" {
-  description = "username and owner for postgres db"
+  description   = "list of users and databases"
-  type        = string
+  type          = list(object({
-}
+    db_name     = string       # db name inside the instance
-
+    user_name   = string       # username and owner for postgres db
-variable "postgres_db_user_roles" {
+    user_roles  = list(string) # List of database access levels for the user. Supported values are: login, createdb.
-  description = "List of database access levels for the user. Supported values are: login, createdb."
+  }))
-  type        = list(string)
-}
-
-# Postgres Database Configs
-variable "postgres_db_name" {
-  description = "db name inside the instance"
-  type        = string
 }

rabbitmq/providers.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     stackit = {
       source  = "stackitcloud/stackit"
-      version = "~> 0.50.0"
+      version = "~> 0.68.0"
     }
   }
 }

redis/providers.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     stackit = {
       source  = "stackitcloud/stackit"
-      version = "~> 0.50.0"
+      version = "~> 0.68.0"
 
     }
   }

service-account/README.md

@@ -0,0 +1,59 @@
+# Terraform Module: STACKIT Service Account
+
+This module is designed to create a STACKIT service account, optionally generate a key, and optionally attach it to a server. It is useful for managing service accounts and their associated keys in a secure and repeatable manner.
+
+The purpose of this module is to simplify the creation and management of service accounts in STACKIT, while providing flexibility to generate keys and attach them to servers. It also allows for secure storage of keys using a secrets manager.
+
+## Example Usage
+
+```terraform
+module "service-account" {
+  source                     = "./service-account" # Or a Git URL "git::https://commerce-platform.git.onstackit.cloud/commerce-platform-public//terraform-modules/service-account"
+  stackit_project_id         = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  service_account_name       = "my-service-account"
+  service_account_create_key = true
+}
+
+# Save json created to secrets manager
+variable "secret_manager_username" {
+  description = "username of the secrets manger to store credentials"
+  type        = string
+  sensitive   = true
+}
+
+variable "secret_manager_password" {
+  description = "password of the secrets manger to store credentials"
+  type        = string
+  sensitive   = true
+}
+
+module "service_account_key" {
+  source                     = "./create-secret" # Or a Git URL "git::https://commerce-platform.git.onstackit.cloud/commerce-platform-public//terraform-modules/create-secret"
+  secret_manager_instance_id = local.secret_manager_instance_id
+  secret_manager_username    = var.secret_manager_username
+  secret_manager_password    = var.secret_manager_password
+  secrets_path               = "service-accounts/${module.service-account.service_account_name}"
+  secret_data = {
+    key_json = module.service-account.service_account_key_json
+  }
+}
+```
+
+## Inputs
+
+| Key                                   | Description                                                                                                                                | Type          | Required | Default |
+| ------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ | ------------- | -------- | ------- |
+| `service_account_name`                | Name of the service account                                                                                                                | `string`      | yes      |
+| `service_account_create_key`          | Whether to create a service account key                                                                                                    | `bool`        | no       | `false` |
+| `service_account_public_key`          | Optional: Specifies the public_key (RSA2048 key-pair). If not provided, a certificate from STACKIT will be used to generate a private_key. | `string`      | no       | `null`  |
+| `service_account_rotate_when_changed` | Map to force key rotation when changed                                                                                                     | `map(string)` | no       | `{}`    |
+| `service_account_ttl_days`            | Key validity duration in days. Defaults to 90                                                                                              | `number`      | no       | `90`    |
+| `attach_to_server`                    | Whether to attach the service account to a server                                                                                          | `bool`        | no       | `false` |
+| `server_id`                           | Server ID for attachment                                                                                                                   | `string`      | no       | `""`    |
+
+## Notes
+
+- When creating a key, it is recommended to save it securely using a secrets manager. In the example usage we illustrated how to do that using the `create-secret` module.
+- The module does not handle key rotation automatically. You can use the service_account_rotate_when_changed input to force key rotation when certain attributes change.
+- The module does not handle server attachment automatically. You can use the attach_to_server and server_id inputs to attach the service account to a server.
+- The module does not handle deletion of service accounts or keys. It is recommended to manage these resources using appropriate Terraform lifecycle configurations or external tools.

service-account/outputs.tf

@@ -0,0 +1,25 @@
+output "service_account_name" {
+  description = "The name of the service account"
+  value       = var.service_account_name
+}
+
+output "service_account_email" {
+  description = "The email of the service account"
+  value       = stackit_service_account.this.email
+}
+
+output "service_account_id" {
+  description = "Internal ID of the service account"
+  value       = stackit_service_account.this.id
+}
+
+output "service_account_key_id" {
+  description = "ID of the created key"
+  value       = try(stackit_service_account_key.this[0].key_id, null)
+}
+
+output "service_account_key_json" {
+  description = "Sensitive JSON key output"
+  value       = try(stackit_service_account_key.this[0].json, null)
+  sensitive   = true
+}

service-account/providers.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    stackit = {
+      source  = "stackitcloud/stackit"
+      version = "~> 0.59.0"
+    }
+  }
+}

service-account/service-account.tf

@@ -0,0 +1,26 @@
+resource "stackit_service_account" "this" {
+  name       = var.service_account_name
+  project_id = var.stackit_project_id
+}
+
+resource "time_rotating" "this" {
+  rotation_days = 3
+}
+
+resource "stackit_service_account_key" "this" {
+  count = var.service_account_create_key ? 1 : 0
+
+  project_id            = var.stackit_project_id
+  service_account_email = stackit_service_account.this.email
+  public_key            = var.service_account_public_key
+  rotate_when_changed   = var.service_account_rotate_when_changed
+  ttl_days              = var.service_account_ttl_days
+}
+
+resource "stackit_server_service_account_attach" "this" {
+  count = var.attach_to_server ? 1 : 0
+
+  project_id            = var.stackit_project_id
+  server_id             = var.server_id
+  service_account_email = stackit_service_account.this.email
+}

service-account/variables.tf

@@ -0,0 +1,52 @@
+variable "stackit_project_id" {
+  description = "STACKIT project ID"
+  type        = string
+}
+
+# === Service Account variables ===
+
+
+variable "service_account_name" {
+  description = "Name of the service account"
+  type        = string
+}
+
+# === Service Account Key variables ===
+
+variable "service_account_create_key" {
+  description = "Whether to create a service account key"
+  type        = bool
+  default     = false
+}
+
+variable "service_account_public_key" {
+  description = "Optional: Specifies the public_key (RSA2048 key-pair). If not provided, a certificate from STACKIT will be used to generate a private_key."
+  type        = string
+  default     = null
+}
+
+variable "service_account_rotate_when_changed" {
+  description = "Map to force key rotation when changed"
+  type        = map(string)
+  default     = {}
+}
+
+variable "service_account_ttl_days" {
+  description = "Key validity duration in days. Defaults to 90"
+  type        = number
+  default     = 90
+}
+
+# === Server Service Account Attach variables ===
+
+variable "attach_to_server" {
+  description = "Whether to attach the service account to a server"
+  type        = bool
+  default     = false
+}
+
+variable "server_id" {
+  description = "Server ID for attachment"
+  type        = string
+  default     = ""
+}

ske-cluster/README.md

@@ -9,12 +9,14 @@ module "ske-cluster" {
   source                      = "git::https://stackit-hackathon-2025.git.qa.onstackit.cloud/commerce-platform/hackdays-common-infra-poc//terraform/modules/ske-cluster"
   stackit_project_id          = local.stackit_project_id
   ske_cluster_name            = "example-cluster"
+  ske_k8s_version_min         = "1.32.7"
   ske_node_pools = [  
       {
       name               = "example-pool"
       machine_type       = "c1.2"
       minimum            = "2"
       maximum            = "3"
+      os_version_min     = "4230.2.0"
       availability_zones = ["eu01-3"]
     }
   ]

ske-cluster/providers.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     stackit = {
       source  = "stackitcloud/stackit"
-      version = ">= 0.50.0"
+      version = "~> 0.68.0"
     }
   }
 }

ske-cluster/ske-cluster.tf

@@ -4,13 +4,7 @@ resource "stackit_ske_cluster" "this" {
   name                    = var.ske_cluster_name
   maintenance             = var.ske_maintenance
   node_pools              = var.ske_node_pools
-  #]
+  kubernetes_version_min  = var.ske_k8s_version_min
-  #extensions = {
-  #  argus = {
-  #    enabled           = true
-   #   argus_instance_id = var.observability-instance-id
-  #  }
-  #}
 }
 
 // Kubeconfig

ske-cluster/variables.tf

@@ -15,6 +15,7 @@ variable "ske_node_pools" {
     machine_type       = string
     minimum            = number
     maximum            = number
+    os_version_min     = string
     availability_zones = list(string)
   }))
 }
@@ -29,8 +30,7 @@ variable "ske_maintenance" {
   })
 }
 
-#variable "observability-instance-id" {
+variable "ske_k8s_version_min" {
-#  description = "instance id of the observability instance for cluster monitoring"
+  description = "minimum Kubernetes version"
-#  type        = string
+  type        = string
-#  
+}
-#}