commerce-platform-public/terraform-modules
4
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: commerce-platform-public:main
Branches Tags
commerce-platform-public:main
commerce-platform-public:multiple_dbs_per_psql_instance
commerce-platform-public:add-node-version
commerce-platform-public:add-k8s-version
commerce-platform-public:alert-annotations
commerce-platform-public:2025.08.1901
commerce-platform-public:v25.7.3001
..
compare: commerce-platform-public:2025.08.1901
Branches Tags
commerce-platform-public:main
commerce-platform-public:multiple_dbs_per_psql_instance
commerce-platform-public:add-node-version
commerce-platform-public:add-k8s-version
commerce-platform-public:alert-annotations
commerce-platform-public:2025.08.1901
commerce-platform-public:v25.7.3001

No commits in common. "main" and "2025.08.1901" have entirely different histories.
main ... 2025.08.19

32 changed files with 135 additions and 756 deletions
Show stats Expand all files Collapse all files

160
dns/README.md
View file

@ -1,160 +0,0 @@
# Terraform STACKIT DNS Zone and Record Set Module
This module allows you to declaratively manage DNS zones and their associated record sets in STACKIT.
It supports:
- Creating one or more new DNS zones.
- Using pre-existing DNS zones by providing a `zone_id`.
- Creating one or more record sets within any managed zone.
## Usage Example
Here is an example of how to use the module to create one or many new zones and use another pre-existing one.
```terraform
terraform {
required_providers {
stackit = {
source = "stackitcloud/stackit"
version = "~> 0.59.0"
}
}
backend "s3" {
endpoints = {
s3 = "https://object.storage.eu01.onstackit.cloud"
}
bucket = "test-bucket"
key = "state/test/dns"
region = "eu01"
skip_region_validation = true
skip_metadata_api_check = true
skip_credentials_validation = true
skip_requesting_account_id = true
skip_s3_checksum = true
use_path_style = true
}
}
provider "stackit" {
# Configure your provider credentials, i.e.:
default_region = local.region
enable_beta_resources = true
service_account_key_path = "sa_key.json"
}
module "dns" {
source = "./path/to/your/module" # Or a Git URL git::https://commerce-platform.git.onstackit.cloud/commerce-platform-public//terraform-modules/dns
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
zones = {
# EXAMPLE 1: Create multiple zones with multiple A records
"primary_domain" = {
name = "first domain"
dns_name = "test-b.stackit.rocks"
record_sets = {
"qa-test" = {
name = "qa-test"
type = "A"
ttl = 3600
records = ["192.0.1.1", "192.0.1.2"]
}
"beta-test" = {
name = "beta-test"
type = "A"
ttl = 3600
records = ["192.0.2.10", "192.0.2.20", "192.0.2.30"]
}
}
},
"secondary_domain" = {
name = "second domain"
dns_name = "test-a.stackit.rocks"
record_sets = {
"alpha-records" = {
name = "alpha-test"
type = "A"
ttl = 3600
records = ["192.10.2.10", "192.10.2.20", "192.10.2.30"]
}
}
},
# EXAMPLE 2: Use a pre-existing zone and add a new TXT and A record to it
"existing_domain" = {
zone_id = "zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz"
record_sets = {
"spf_txt" = {
name = "@"
type = "TXT"
records = ["v=spf1 mx -all"]
ttl = 7200
comment = "this is a test txt record"
},
"spf_cname" = {
name = "exampledomain"
type = "A"
ttl = 3600
records = ["192.0.29.1"]
}
}
},
# EXAMPLE 3: Create a new zone with no initial records
"empty_domain" = {
name = "My Empty Domain"
dns_name = "empty-example.com"
}
}
}
```
## Inputs
| Variable Name | Description | Type | Required |
| ------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | -------- |
| `project_id` | STACKIT project ID to which the DNS resources are associated. | `string` | Yes |
| `zones` | A map of DNS zones to be created or managed. Each zone contains a `name`, `dns_name`, and `record_sets` map. | `map` | Yes |
| `record_sets` | A map of DNS record sets to create within this zone. Each record set contains a `name`, `type`, `records`, `ttl`, `comment`, and `active` attribute. | `map` | Optional |
### Values for zones
| Key | Description | Type | Required |
| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------ | -------------- | ----------------------------------- |
| `zone_id` | The ID of an existing DNS zone to manage. If provided, the module will use the existing zone. If not provided, a new zone will be created. | `string` | Optional |
| `name` | The descriptive name of the DNS zone. | `string` | Optional |
| `dns_name` | The DNS name of the DNS zone. | `string` | Optional |
| `contact_email` | The contact email for the DNS zone. | `string` | Optional |
| `description` | A description of the DNS zone. | `string` | Optional |
| `acl` | The Access Control List (ACL) for the DNS zone. | `string` | Optional |
| `active` | Whether the DNS zone is active or not. | `bool` | Optional (currently non-functional) |
| `default_ttl` | The default Time-to-Live (TTL) for records in the DNS zone. | `number` | Optional |
| `expire_time` | The expiration time for the DNS zone. | `number` | Optional |
| `is_reverse_zone` | Whether the DNS zone is a reverse zone or not. | `bool` | Optional |
| `negative_cache` | The negative cache duration for the DNS zone. | `number` | Optional |
| `primaries` | A list of primary name servers for the DNS zone. | `list(string)` | Optional |
| `refresh_time` | The refresh time for the DNS zone. | `number` | Optional |
| `retry_time` | The retry time for the DNS zone. | `number` | Optional |
| `type` | The type of the DNS zone. Defaults to "primary" if not provided. | `string` | Optional |
### Values for record_sets
| Key | Description | Type | Required |
| --------- | ------------------------------------------------------------- | -------------- | ----------------------------------- |
| `name` | The name of the DNS record set. | `string` | Yes |
| `type` | The type of the DNS record set. | `string` | Yes |
| `records` | A list of DNS records for the record set. | `list(string)` | Yes |
| `ttl` | The Time-to-Live (TTL) for the DNS records in the record set. | `number` | Optional |
| `comment` | A comment for the DNS record set. | `string` | Optional |
| `active` | Whether the DNS record set is active or not. | `bool` | Optional (currently non-functional) |
## Outputs
| Name | Description |
| ------------- | ------------------------------------------------------------------------------------------ |
| `zones` | A map of all managed DNS zone objects, including those created and those referenced by ID. |
| `record_sets` | A map of all created DNS record set objects. |
## Notes
Setting a zone or record to inactive by using `active = false` is currently not possible due to a bug in the provider. It is active by default.

94
dns/dns.tf
View file

@ -1,94 +0,0 @@
# main.tf
# --------------------------------------------------------------------------------------------------
# LOCAL VARIABLES
# --------------------------------------------------------------------------------------------------
locals {
# Create a map of zones to be created (where zone_id is not specified)
zones_to_create = { for k, v in var.zones : k => v if try(v.zone_id, null) == null }
# Create a map of zones to be referenced via data source (where zone_id is specified)
zones_to_read = { for k, v in var.zones : k => v if try(v.zone_id, null) != null }
# Merge the created resources and data sources into a single, unified map.
# This allows record sets to reference a zone regardless of whether it was created or read.
all_zones = merge(
{
for k, zone in stackit_dns_zone.this : k => zone
},
{
for k, zone in data.stackit_dns_zone.this : k => zone
}
)
# Flatten the nested record_sets structure into a single list, making it easy to iterate with for_each.
# Each item in the list retains a reference to its parent zone key.
flat_record_sets = flatten([
for zone_key, zone_config in var.zones : [
for record_key, record_config in try(zone_config.record_sets, {}) : {
zone_key = zone_key
record_key = record_key
name = record_config.name
type = record_config.type
records = record_config.records
ttl = try(record_config.ttl, null)
comment = try(record_config.comment, null)
active = try(record_config.active, null)
}
]
])
}
# --------------------------------------------------------------------------------------------------
# DNS ZONE RESOURCES (CREATE OR READ)
# --------------------------------------------------------------------------------------------------
# Create new DNS zones for configurations that do not have a zone_id
resource "stackit_dns_zone" "this" {
for_each = local.zones_to_create
project_id = var.project_id
name = each.value.name
dns_name = each.value.dns_name
contact_email = try(each.value.contact_email, null)
description = try(each.value.description, null)
acl = try(each.value.acl, null)
active = try(each.value.active, null)
default_ttl = try(each.value.default_ttl, null)
expire_time = try(each.value.expire_time, null)
is_reverse_zone = try(each.value.is_reverse_zone, null)
negative_cache = try(each.value.negative_cache, null)
primaries = try(each.value.primaries, null)
refresh_time = try(each.value.refresh_time, null)
retry_time = try(each.value.retry_time, null)
type = try(each.value.type, "primary")
}
# Read existing DNS zones for configurations that provide a zone_id
data "stackit_dns_zone" "this" {
for_each = local.zones_to_read
project_id = var.project_id
zone_id = each.value.zone_id
}
# --------------------------------------------------------------------------------------------------
# DNS RECORD SET RESOURCES
# --------------------------------------------------------------------------------------------------
resource "stackit_dns_record_set" "this" {
# The key is a unique combination of the zone and record keys for a stable address.
for_each = { for record in local.flat_record_sets : "${record.zone_key}.${record.record_key}" => record }
project_id = var.project_id
# Look up the correct zone_id from the unified 'all_zones' map
zone_id = local.all_zones[each.value.zone_key].zone_id
name = each.value.name
type = each.value.type
records = each.value.records
ttl = each.value.ttl
comment = each.value.comment
active = each.value.active
}

11
dns/outputs.tf
View file

@ -1,11 +0,0 @@
# outputs.tf
output "zones" {
description = "A map of all managed DNS zone objects, including those created and those referenced by ID."
value = local.all_zones
}
output "record_sets" {
description = "A map of all created DNS record set objects."
value = stackit_dns_record_set.this
}

8
dns/providers.tf
View file

@ -1,8 +0,0 @@
terraform {
required_providers {
stackit = {
source = "stackitcloud/stackit"
version = "~> 0.68.0"
}
}
}

48
dns/variables.tf
View file

@ -1,48 +0,0 @@
# variables.tf
variable "project_id" {
type = string
description = "STACKIT project ID to which the DNS resources are associated."
}
variable "zones" {
type = map(object({
# If zone_id is provided, the module will use the existing zone.
# Otherwise, a new zone will be created using the attributes below.
zone_id = optional(string)
# Required attributes for new zones
name = optional(string)
dns_name = optional(string)
# Optional attributes for new zones
contact_email = optional(string)
description = optional(string)
acl = optional(string)
active = optional(bool)
default_ttl = optional(number)
expire_time = optional(number)
is_reverse_zone = optional(bool)
negative_cache = optional(number)
primaries = optional(list(string))
refresh_time = optional(number)
retry_time = optional(number)
type = optional(string, "primary")
# A map of DNS record sets to create within this zone.
# The key is a logical name for the record set (e.g., "www", "mx_record").
record_sets = optional(map(object({
# Required record set attributes
name = string
type = string
records = list(string)
# Optional record set attributes
ttl = optional(number)
comment = optional(string)
active = optional(bool, true)
})), {})
}))
description = "A map of DNS zones to manage. The key is a logical name for the zone."
default = {}
}

18
grafana/README.md
View file

@ -83,17 +83,17 @@ module "datasource" {
datasources = {
Thanos-Common-Infra-PRD = {
type = "prometheus"
url_key = "thanos_coin_prd"
basic_auth_user_key = "thanos_coin_prd"
pass_key = "thanos_coin_prd"
is_default = true
type = "prometheus"
url_key = "thanos_coin_prd"
user_key = "thanos_coin_prd"
pass_key = "thanos_coin_prd"
is_default = true
}
Loki-Common-Infra-PRD = {
type = "loki"
url_key = "loki_coin_prd"
basic_auth_user_key = "loki_coin_prd"
pass_key = "loki_coin_prd"
type = "loki"
url_key = "loki_coin_prd"
user_key = "loki_coin_prd"
pass_key = "loki_coin_prd"
}
}

1
grafana/Untitled111.md Normal file
View file

@ -0,0 +1 @@

1
grafana/contact-point-gchat/main.tf
View file

@ -1,6 +1,5 @@
resource "grafana_contact_point" "this" {
name = var.contact_point_name
disable_provenance = true
googlechat {
url = var.gchat_url

107
grafana/datasource/datasource.tf
View file

@ -1,4 +1,3 @@
# Create the basic "shell" of each datasource.
resource "grafana_data_source" "this" {
for_each = var.datasources
@ -7,108 +6,12 @@ resource "grafana_data_source" "this" {
url = var.datasource_urls[each.value.url_key]
is_default = coalesce(each.value.is_default, false)
# For HTTP Basic Auth (Loki, Prometheus, etc.)
basic_auth_enabled = each.value.basic_auth_user_key != null
basic_auth_username = each.value.basic_auth_user_key != null ? var.datasource_users[each.value.basic_auth_user_key] : null
basic_auth_enabled = true
basic_auth_username = var.datasource_users[each.value.user_key]
# For database usernames (like Postgres)
# This sets the username initially.
username = each.value.db_user_key != null ? var.datasource_users[each.value.db_user_key] : null
# This resource must ignore attributes that are
# managed by the other 'config' resources below.
lifecycle {
ignore_changes = [
json_data_encoded,
secure_json_data_encoded,
# Also ignore username, as it can be managed/reported back differently by the API.
username,
]
}
}
# Apply the main json_data for datasources like PostgreSQL.
resource "grafana_data_source_config" "json_data_main" {
for_each = {
for k, v in var.datasources : k => v
if v.json_data != null && v.derived_fields == null && v.traces_to_logs == null
}
uid = grafana_data_source.this[each.key].uid
json_data_encoded = jsonencode(each.value.json_data)
# This config must ignore the password, which is managed by the 'passwords' resource.
lifecycle {
ignore_changes = [secure_json_data_encoded]
}
}
# Apply passwords to all datasources that require one.
resource "grafana_data_source_config" "passwords" {
for_each = {
for k, v in var.datasources : k => v if v.pass_key != null
}
uid = grafana_data_source.this[each.key].uid
secure_json_data_encoded = jsonencode(
each.value.type == "grafana-postgresql-datasource" ? {
password = var.datasource_passwords[each.value.pass_key]
} : {
basicAuthPassword = var.datasource_passwords[each.value.pass_key]
}
)
# This config must ignore the main json_data, which is managed elsewhere.
lifecycle {
ignore_changes = [json_data_encoded]
}
}
# Apply Loki-specific 'derivedFields' configuration.
resource "grafana_data_source_config" "loki_derived_fields" {
for_each = {
for k, v in var.datasources : k => v if v.type == "loki" && v.derived_fields != null
}
uid = grafana_data_source.this[each.key].uid
json_data_encoded = jsonencode({
derivedFields = [
for field in each.value.derived_fields : {
datasourceUid = grafana_data_source.this[field.target_datasource_name].uid
matcherRegex = field.matcher_regex
name = field.name
url = field.url
}
]
secure_json_data_encoded = jsonencode({
basicAuthPassword = var.datasource_passwords[each.value.pass_key]
})
# This config must ignore the password, which is managed elsewhere.
lifecycle {
ignore_changes = [secure_json_data_encoded]
}
json_data_encoded = each.value.json_data != null ? jsonencode(each.value.json_data) : null
}
# Apply Tempo-specific 'tracesToLogsV2' configuration.
resource "grafana_data_source_config" "tempo_traces_to_logs" {
for_each = {
for k, v in var.datasources : k => v if v.type == "tempo" && v.traces_to_logs != null
}
uid = grafana_data_source.this[each.key].uid
json_data_encoded = jsonencode({
tracesToLogsV2 = {
datasourceUid = grafana_data_source.this[each.value.traces_to_logs.target_datasource_name].uid
query = each.value.traces_to_logs.query
customQuery = coalesce(each.value.traces_to_logs.custom_query, true)
filterBySpanID = coalesce(each.value.traces_to_logs.filter_by_span_id, false)
filterByTraceID = coalesce(each.value.traces_to_logs.filter_by_trace_id, false)
spanStartTimeShift = each.value.traces_to_logs.span_start_time_shift
spanEndTimeShift = each.value.traces_to_logs.span_end_time_shift
}
})
# This config must ignore the password, which is managed elsewhere.
lifecycle {
ignore_changes = [secure_json_data_encoded]
}
}

45
grafana/datasource/variables.tf
View file

@ -1,42 +1,21 @@
# Define datasources (non-sensitive metadata only)
variable "datasources" {
description = <<EOT
Map of datasources to create. Keys are datasource names.
Each datasource specifies type, keys to lookup URL/user/password,
and optional configurations for linking data sources.
Each datasource specifies type (prometheus/loki), keys to lookup URL/user/password,
and optional is_default (true/false).
EOT
type = map(object({
type = string
url_key = string
pass_key = optional(string)
is_default = optional(bool)
# Key to look up a database username
db_user_key = optional(string)
# Key to look up a basic auth username
basic_auth_user_key = optional(string)
# Non-sensitive JSON data for Postgres, etc.
json_data = optional(map(any))
# Linking Attributes (for Loki/Tempo)
derived_fields = optional(list(object({
target_datasource_name = string
matcher_regex = string
name = string
url = string
})))
traces_to_logs = optional(object({
target_datasource_name = string
query = string
custom_query = optional(bool)
filter_by_span_id = optional(bool)
filter_by_trace_id = optional(bool)
span_start_time_shift = optional(string)
span_end_time_shift = optional(string)
}))
type = string # e.g., prometheus, loki
url_key = string # key for URL lookup in datasource_urls map
user_key = string # key for username lookup in datasource_users map
pass_key = string # key for password lookup in datasource_passwords map
is_default = optional(bool) # true if this datasource should be Grafana default
json_data = optional(map(any))
}))
}
# Sensitive maps for URLs, usernames, passwords
variable "datasource_urls" {
description = "Map of datasource URLs, keyed by url_key"
type = map(string)
@ -44,7 +23,7 @@ variable "datasource_urls" {
}
variable "datasource_users" {
description = "Map of datasource usernames, keyed by db_user_key or basic_auth_user_key"
description = "Map of datasource usernames, keyed by user_key"
type = map(string)
sensitive = true
}
@ -53,4 +32,4 @@ variable "datasource_passwords" {
description = "Map of datasource passwords, keyed by pass_key"
type = map(string)
sensitive = true
}
}

1
grafana/notification-policy/main.tf
View file

@ -1,7 +1,6 @@
resource "grafana_notification_policy" "this" {
contact_point = var.default_contact_point_uid
group_by = var.group_by
disable_provenance = true
dynamic "policy" {
for_each = var.folder_policies

27
mongodb/mongodb.tf
View file

@ -19,3 +19,30 @@ resource "stackit_mongodbflex_user" "this" {
roles = var.mongodb_user_roles
database = var.mongodb_user_database
}
# // Configure Secret Manager Provider
# provider "vault" {
# address = "https://prod.sm.eu01.stackit.cloud"
# skip_child_token = true
# auth_login_userpass {
# username = var.secret_manager_username
# password = var.secret_manager_password
# }
# }
# // Store MongoDB Credentials in Secret Manager
# resource "vault_kv_secret_v2" "mongodb_cred_save" {
# mount = var.secret_manager_instance_id
# name = var.mongodb_secrets_path
# cas = 1
# delete_all_versions = true
# data_json = jsonencode(
# {
# username = stackit_mongodbflex_user.mongodb_user.username,
# password = stackit_mongodbflex_user.mongodb_user.password,
# host = stackit_mongodbflex_user.mongodb_user.host,
# port = stackit_mongodbflex_user.mongodb_user.port,
# uri = stackit_mongodbflex_user.mongodb_user.uri
# }
# )
# }

2
mongodb/providers.tf
View file

@ -2,7 +2,7 @@ terraform {
required_providers {
stackit = {
source = "stackitcloud/stackit"
version = "~> 0.68.0"
version = "~> 0.50.0"
}
}
}

4
mongodb/variables.tf
View file

@ -30,9 +30,7 @@ variable "mongodb_instance_flavor" {
variable "mongodb_instance_options" {
description = "options for mongodb"
type = object({
type = string
snapshot_retention_days = number
point_in_time_window_hours = number
type = string
})
}

2
objectstorage/providers.tf
View file

@ -2,7 +2,7 @@ terraform {
required_providers {
stackit = {
source = "stackitcloud/stackit"
version = "~> 0.68.0"
version = "~> 0.50.0"
}
}
}

2
observability/providers.tf
View file

@ -2,7 +2,7 @@ terraform {
required_providers {
stackit = {
source = "stackitcloud/stackit"
version = "~> 0.68.0"
version = "~> 0.50.0"
}
grafana = {
source = "grafana/grafana"

49
postgres/outputs.tf
View file

@ -2,19 +2,40 @@
output "postgres_instance_id" {
value = stackit_postgresflex_instance.this.instance_id
}
# Postgres Database Output
output "postgres_database_id" {
value = stackit_postgresflex_database.this.database_id
}
# Postgres Credential Output
output "postgres_credentials" {
value = {
for k, u in stackit_postgresflex_user.this :
k => {
host = u.host
username = u.username
password = u.password
port = u.port
db_name = stackit_postgresflex_database.this[u.username].name
uri = u.uri
}
}
# Postgres User Output
output "postgres_host" {
value = stackit_postgresflex_user.this.host
}
output "postgres_password" {
value = stackit_postgresflex_user.this.password
sensitive = true
}
}
output "postgres_user" {
value = stackit_postgresflex_user.this.username
}
output "postgres_port" {
value = stackit_postgresflex_user.this.port
}
output "postgres_db_name" {
value = stackit_postgresflex_database.this.name
}
output "postgres_uri" {
value = stackit_postgresflex_user.this.uri
sensitive = true
}
output "postgres_user_id" {
value = stackit_postgresflex_user.this.user_id
}

18
postgres/postgres.tf
View file

@ -12,24 +12,18 @@ resource "stackit_postgresflex_instance" "this" {
// Postgres User
resource "stackit_postgresflex_user" "this" {
for_each = {
for db in var.postgres_databases : db.user_name => db
}
depends_on = [ stackit_postgresflex_instance.this ]
project_id = var.stackit_project_id
instance_id = stackit_postgresflex_instance.this.instance_id
username = each.value.user_name
roles = each.value.user_roles
username = var.postgres_db_user_name
roles = var.postgres_db_user_roles
}
// Postgres Database
resource "stackit_postgresflex_database" "this" {
for_each = {
for db in var.postgres_databases : db.db_name => db
}
depends_on = [stackit_postgresflex_user.this]
depends_on = [ stackit_postgresflex_user.this ]
project_id = var.stackit_project_id
instance_id = stackit_postgresflex_instance.this.instance_id
name = each.value.db_name
owner = each.value.user_name
}
name = var.postgres_db_name
owner = var.postgres_db_user_name
}

2
postgres/providers.tf
View file

@ -2,7 +2,7 @@ terraform {
required_providers {
stackit = {
source = "stackitcloud/stackit"
version = "~> 0.68.0"
version = "~> 0.50.0"
}
}
}

67
postgres/readme.md
View file

@ -1,67 +0,0 @@
# Module for creating Postgres Flex Instance with Databases and Users
## Example
```main.tf
# Postgres Flex Instance
module "postgres-flex" {
source = "git::https://commerce-platform.git.onstackit.cloud/commerce-platform-public/terraform-modules//postgres?ref=main
stackit_project_id = local.stackit_project_id
postgres_instance_name = "example-db"
postgres_instance_replicas = 1
postgres_instance_storage = {
class = "premium-perf2-stackit"
size = 5
}
postgres_instance_flavor = {
cpu = 2
ram = 4
}
postgres_instance_acl = [
"193.148.160.0/19",
"45.129.40.0/21"
]
postgres_instance_backup_schedule = "00 02 * * *"
postgres_instance_version = "17"
postgres_instance_region = "eu01"
postgres_databases = [
{
db_name = "database-a"
user_name = "user-a"
user_roles = ["createdb", "login"]
},
{
db_name = "database-b"
user_name = "user-b"
user_roles = ["createdb", "login"]
},
]
}
# safe credentials
module "postgres-credentials-sm-a" {
source = "git::https://commerce-platform.git.onstackit.cloud/commerce-platform-public/terraform-modules//create-secret?ref=main"
secret_manager_instance_id = local.secret_manager_instance_id
secret_manager_username = var.secret_manager_username
secret_manager_password = var.secret_manager_password
secrets_path = "service-a/postgres"
secret_data = module.postgres-flex.postgres_credentials["user-a"]
}
module "postgres-credentials-sm-b" {
source = "git::https://commerce-platform.git.onstackit.cloud/commerce-platform-public/terraform-modules//create-secret?ref=main"
secret_manager_instance_id = local.secret_manager_instance_id
secret_manager_username = var.secret_manager_username
secret_manager_password = var.secret_manager_password
secrets_path = "service-b/postgres"
secret_data = module.postgres-flex.postgres_credentials["user-b"]
}
```

28
postgres/variables.tf
View file

@ -10,6 +10,11 @@ variable "postgres_instance_name" {
type = string
}
# variable "postegres_instance_id" {
# description = "postgres instance id"
# type = string
# }
variable "postgres_instance_replicas" {
description = "number of replicas for postgres instance"
type = number
@ -53,12 +58,19 @@ variable "postgres_instance_region" {
type = string
}
# Postgres User and DB Configs
variable "postgres_databases" {
description = "list of users and databases"
type = list(object({
db_name = string # db name inside the instance
user_name = string # username and owner for postgres db
user_roles = list(string) # List of database access levels for the user. Supported values are: login, createdb.
}))
# Postgres User Configs
variable "postgres_db_user_name" {
description = "username and owner for postgres db"
type = string
}
variable "postgres_db_user_roles" {
description = "List of database access levels for the user. Supported values are: login, createdb."
type = list(string)
}
# Postgres Database Configs
variable "postgres_db_name" {
description = "db name inside the instance"
type = string
}

2
rabbitmq/providers.tf
View file

@ -2,7 +2,7 @@ terraform {
required_providers {
stackit = {
source = "stackitcloud/stackit"
version = "~> 0.68.0"
version = "~> 0.50.0"
}
}
}

2
redis/providers.tf
View file

@ -2,7 +2,7 @@ terraform {
required_providers {
stackit = {
source = "stackitcloud/stackit"
version = "~> 0.68.0"
version = "~> 0.50.0"
}
}

59
service-account/README.md
View file

@ -1,59 +0,0 @@
# Terraform Module: STACKIT Service Account
This module is designed to create a STACKIT service account, optionally generate a key, and optionally attach it to a server. It is useful for managing service accounts and their associated keys in a secure and repeatable manner.
The purpose of this module is to simplify the creation and management of service accounts in STACKIT, while providing flexibility to generate keys and attach them to servers. It also allows for secure storage of keys using a secrets manager.
## Example Usage
```terraform
module "service-account" {
source = "./service-account" # Or a Git URL "git::https://commerce-platform.git.onstackit.cloud/commerce-platform-public//terraform-modules/service-account"
stackit_project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
service_account_name = "my-service-account"
service_account_create_key = true
}
# Save json created to secrets manager
variable "secret_manager_username" {
description = "username of the secrets manger to store credentials"
type = string
sensitive = true
}
variable "secret_manager_password" {
description = "password of the secrets manger to store credentials"
type = string
sensitive = true
}
module "service_account_key" {
source = "./create-secret" # Or a Git URL "git::https://commerce-platform.git.onstackit.cloud/commerce-platform-public//terraform-modules/create-secret"
secret_manager_instance_id = local.secret_manager_instance_id
secret_manager_username = var.secret_manager_username
secret_manager_password = var.secret_manager_password
secrets_path = "service-accounts/${module.service-account.service_account_name}"
secret_data = {
key_json = module.service-account.service_account_key_json
}
}
```
## Inputs
| Key | Description | Type | Required | Default |
| ------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ | ------------- | -------- | ------- |
| `service_account_name` | Name of the service account | `string` | yes |
| `service_account_create_key` | Whether to create a service account key | `bool` | no | `false` |
| `service_account_public_key` | Optional: Specifies the public_key (RSA2048 key-pair). If not provided, a certificate from STACKIT will be used to generate a private_key. | `string` | no | `null` |
| `service_account_rotate_when_changed` | Map to force key rotation when changed | `map(string)` | no | `{}` |
| `service_account_ttl_days` | Key validity duration in days. Defaults to 90 | `number` | no | `90` |
| `attach_to_server` | Whether to attach the service account to a server | `bool` | no | `false` |
| `server_id` | Server ID for attachment | `string` | no | `""` |
## Notes
- When creating a key, it is recommended to save it securely using a secrets manager. In the example usage we illustrated how to do that using the `create-secret` module.
- The module does not handle key rotation automatically. You can use the service_account_rotate_when_changed input to force key rotation when certain attributes change.
- The module does not handle server attachment automatically. You can use the attach_to_server and server_id inputs to attach the service account to a server.
- The module does not handle deletion of service accounts or keys. It is recommended to manage these resources using appropriate Terraform lifecycle configurations or external tools.

25
service-account/outputs.tf
View file

@ -1,25 +0,0 @@
output "service_account_name" {
description = "The name of the service account"
value = var.service_account_name
}
output "service_account_email" {
description = "The email of the service account"
value = stackit_service_account.this.email
}
output "service_account_id" {
description = "Internal ID of the service account"
value = stackit_service_account.this.id
}
output "service_account_key_id" {
description = "ID of the created key"
value = try(stackit_service_account_key.this[0].key_id, null)
}
output "service_account_key_json" {
description = "Sensitive JSON key output"
value = try(stackit_service_account_key.this[0].json, null)
sensitive = true
}

8
service-account/providers.tf
View file

@ -1,8 +0,0 @@
terraform {
required_providers {
stackit = {
source = "stackitcloud/stackit"
version = "~> 0.59.0"
}
}
}

26
service-account/service-account.tf
View file

@ -1,26 +0,0 @@
resource "stackit_service_account" "this" {
name = var.service_account_name
project_id = var.stackit_project_id
}
resource "time_rotating" "this" {
rotation_days = 3
}
resource "stackit_service_account_key" "this" {
count = var.service_account_create_key ? 1 : 0
project_id = var.stackit_project_id
service_account_email = stackit_service_account.this.email
public_key = var.service_account_public_key
rotate_when_changed = var.service_account_rotate_when_changed
ttl_days = var.service_account_ttl_days
}
resource "stackit_server_service_account_attach" "this" {
count = var.attach_to_server ? 1 : 0
project_id = var.stackit_project_id
server_id = var.server_id
service_account_email = stackit_service_account.this.email
}

52
service-account/variables.tf
View file

@ -1,52 +0,0 @@
variable "stackit_project_id" {
description = "STACKIT project ID"
type = string
}
# === Service Account variables ===
variable "service_account_name" {
description = "Name of the service account"
type = string
}
# === Service Account Key variables ===
variable "service_account_create_key" {
description = "Whether to create a service account key"
type = bool
default = false
}
variable "service_account_public_key" {
description = "Optional: Specifies the public_key (RSA2048 key-pair). If not provided, a certificate from STACKIT will be used to generate a private_key."
type = string
default = null
}
variable "service_account_rotate_when_changed" {
description = "Map to force key rotation when changed"
type = map(string)
default = {}
}
variable "service_account_ttl_days" {
description = "Key validity duration in days. Defaults to 90"
type = number
default = 90
}
# === Server Service Account Attach variables ===
variable "attach_to_server" {
description = "Whether to attach the service account to a server"
type = bool
default = false
}
variable "server_id" {
description = "Server ID for attachment"
type = string
default = ""
}

2
ske-cluster/README.md
View file

@ -9,14 +9,12 @@ module "ske-cluster" {
source = "git::https://stackit-hackathon-2025.git.qa.onstackit.cloud/commerce-platform/hackdays-common-infra-poc//terraform/modules/ske-cluster"
stackit_project_id = local.stackit_project_id
ske_cluster_name = "example-cluster"
ske_k8s_version_min = "1.32.7"
ske_node_pools = [
{
name = "example-pool"
machine_type = "c1.2"
minimum = "2"
maximum = "3"
os_version_min = "4230.2.0"
availability_zones = ["eu01-3"]
}
]

2
ske-cluster/providers.tf
View file

@ -2,7 +2,7 @@ terraform {
required_providers {
stackit = {
source = "stackitcloud/stackit"
version = "~> 0.68.0"
version = ">= 0.50.0"
}
}
}

8
ske-cluster/ske-cluster.tf
View file

@ -4,7 +4,13 @@ resource "stackit_ske_cluster" "this" {
name = var.ske_cluster_name
maintenance = var.ske_maintenance
node_pools = var.ske_node_pools
kubernetes_version_min = var.ske_k8s_version_min
#]
#extensions = {
# argus = {
# enabled = true
# argus_instance_id = var.observability-instance-id
# }
#}
}
// Kubeconfig

10
ske-cluster/variables.tf
View file

@ -15,7 +15,6 @@ variable "ske_node_pools" {
machine_type = string
minimum = number
maximum = number
os_version_min = string
availability_zones = list(string)
}))
}
@ -30,7 +29,8 @@ variable "ske_maintenance" {
})
}
variable "ske_k8s_version_min" {
description = "minimum Kubernetes version"
type = string
}
#variable "observability-instance-id" {
# description = "instance id of the observability instance for cluster monitoring"
# type = string
#
#}