Alpha (#4)

* chore: initial push to be able to work together

* chore: add missing wait folder

* chore: add missing folders

* chore: cleanup alpha branch

* feat: mssql alpha instance (#2)

* fix: remove unused attribute types and functions from backup models

* fix: update API client references to use sqlserverflexalpha package

* fix: update package references to use sqlserverflexalpha and modify user data source model

* fix: add sqlserverflexalpha user data source to provider

* fix: add sqlserverflexalpha user resource and update related functionality

* chore: add stackit_sqlserverflexalpha_user resource and instance_id variable

* fix: refactor sqlserverflexalpha user resource and enhance schema with status and default_database

---------

Co-authored-by: Andre Harms <andre.harms@stackit.cloud>
Co-authored-by: Marcel S. Henselin <marcel.henselin@stackit.cloud>

* feat: add sqlserver instance

* chore: fixing tests

* chore: update docs

---------

Co-authored-by: Marcel S. Henselin <marcel.henselin@stackit.cloud>
Co-authored-by: Andre Harms <andre.harms@stackit.cloud>

stackit/internal/services/sqlserverflexalpha/user/datasource.go

@@ -0,0 +1,274 @@
+// Copyright (c) STACKIT
+
+package sqlserverflexalpha
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"strconv"
+
+	"github.com/hashicorp/terraform-plugin-framework-validators/int64validator"
+	"github.com/hashicorp/terraform-plugin-framework/attr"
+	"github.com/stackitcloud/terraform-provider-stackit/pkg/sqlserverflexalpha"
+	"github.com/stackitcloud/terraform-provider-stackit/stackit/internal/conversion"
+	sqlserverflexUtils "github.com/stackitcloud/terraform-provider-stackit/stackit/internal/services/sqlserverflexalpha/utils"
+
+	"github.com/hashicorp/terraform-plugin-framework/datasource"
+	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
+	"github.com/hashicorp/terraform-plugin-log/tflog"
+	"github.com/stackitcloud/terraform-provider-stackit/stackit/internal/core"
+	"github.com/stackitcloud/terraform-provider-stackit/stackit/internal/utils"
+	"github.com/stackitcloud/terraform-provider-stackit/stackit/internal/validate"
+
+	"github.com/hashicorp/terraform-plugin-framework/datasource/schema"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+)
+
+// Ensure the implementation satisfies the expected interfaces.
+var (
+	_ datasource.DataSource = &userDataSource{}
+)
+
+type DataSourceModel struct {
+	Id              types.String `tfsdk:"id"` // needed by TF
+	UserId          types.Int64  `tfsdk:"user_id"`
+	InstanceId      types.String `tfsdk:"instance_id"`
+	ProjectId       types.String `tfsdk:"project_id"`
+	Username        types.String `tfsdk:"username"`
+	Roles           types.Set    `tfsdk:"roles"`
+	Host            types.String `tfsdk:"host"`
+	Port            types.Int64  `tfsdk:"port"`
+	Region          types.String `tfsdk:"region"`
+	Status          types.String `tfsdk:"status"`
+	DefaultDatabase types.String `tfsdk:"default_database"`
+}
+
+// NewUserDataSource is a helper function to simplify the provider implementation.
+func NewUserDataSource() datasource.DataSource {
+	return &userDataSource{}
+}
+
+// userDataSource is the data source implementation.
+type userDataSource struct {
+	client       *sqlserverflexalpha.APIClient
+	providerData core.ProviderData
+}
+
+// Metadata returns the data source type name.
+func (r *userDataSource) Metadata(
+	_ context.Context,
+	req datasource.MetadataRequest,
+	resp *datasource.MetadataResponse,
+) {
+	resp.TypeName = req.ProviderTypeName + "_sqlserverflexalpha_user"
+}
+
+// Configure adds the provider configured client to the data source.
+func (r *userDataSource) Configure(
+	ctx context.Context,
+	req datasource.ConfigureRequest,
+	resp *datasource.ConfigureResponse,
+) {
+	var ok bool
+	r.providerData, ok = conversion.ParseProviderData(ctx, req.ProviderData, &resp.Diagnostics)
+	if !ok {
+		return
+	}
+
+	apiClient := sqlserverflexUtils.ConfigureClient(ctx, &r.providerData, &resp.Diagnostics)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+	r.client = apiClient
+	tflog.Info(ctx, "SQLServer Flex user client configured")
+}
+
+// Schema defines the schema for the data source.
+func (r *userDataSource) Schema(_ context.Context, _ datasource.SchemaRequest, resp *datasource.SchemaResponse) {
+	descriptions := map[string]string{
+		"main":             "SQLServer Flex user data source schema. Must have a `region` specified in the provider configuration.",
+		"id":               "Terraform's internal data source. ID. It is structured as \"`project_id`,`region`,`instance_id`,`user_id`\".",
+		"user_id":          "User ID.",
+		"instance_id":      "ID of the SQLServer Flex instance.",
+		"project_id":       "STACKIT project ID to which the instance is associated.",
+		"username":         "Username of the SQLServer Flex instance.",
+		"roles":            "Database access levels for the user.",
+		"password":         "Password of the user account.",
+		"region":           "The resource region. If not defined, the provider region is used.",
+		"status":           "Status of the user.",
+		"default_database": "Default database of the user.",
+	}
+
+	resp.Schema = schema.Schema{
+		Description: descriptions["main"],
+		Attributes: map[string]schema.Attribute{
+			"id": schema.StringAttribute{
+				Description: descriptions["id"],
+				Computed:    true,
+			},
+			"user_id": schema.Int64Attribute{
+				Description: descriptions["user_id"],
+				Required:    true,
+				Validators: []validator.Int64{
+					int64validator.AtLeast(1),
+				},
+			},
+			"instance_id": schema.StringAttribute{
+				Description: descriptions["instance_id"],
+				Required:    true,
+				Validators: []validator.String{
+					validate.UUID(),
+					validate.NoSeparator(),
+				},
+			},
+			"project_id": schema.StringAttribute{
+				Description: descriptions["project_id"],
+				Required:    true,
+				Validators: []validator.String{
+					validate.UUID(),
+					validate.NoSeparator(),
+				},
+			},
+			"username": schema.StringAttribute{
+				Description: descriptions["username"],
+				Computed:    true,
+			},
+			"roles": schema.SetAttribute{
+				Description: descriptions["roles"],
+				ElementType: types.StringType,
+				Computed:    true,
+			},
+			"host": schema.StringAttribute{
+				Computed: true,
+			},
+			"port": schema.Int64Attribute{
+				Computed: true,
+			},
+			"region": schema.StringAttribute{
+				// the region cannot be found automatically, so it has to be passed
+				Optional:    true,
+				Description: descriptions["region"],
+			},
+			"status": schema.StringAttribute{
+				Computed: true,
+			},
+			"default_database": schema.StringAttribute{
+				Computed: true,
+			},
+		},
+	}
+}
+
+// Read refreshes the Terraform state with the latest data.
+func (r *userDataSource) Read(
+	ctx context.Context,
+	req datasource.ReadRequest,
+	resp *datasource.ReadResponse,
+) { // nolint:gocritic // function signature required by Terraform
+	var model DataSourceModel
+	diags := req.Config.Get(ctx, &model)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	ctx = core.InitProviderContext(ctx)
+
+	projectId := model.ProjectId.ValueString()
+	instanceId := model.InstanceId.ValueString()
+	userId := model.UserId.ValueInt64()
+	region := r.providerData.GetRegionWithOverride(model.Region)
+	ctx = tflog.SetField(ctx, "project_id", projectId)
+	ctx = tflog.SetField(ctx, "instance_id", instanceId)
+	ctx = tflog.SetField(ctx, "user_id", userId)
+	ctx = tflog.SetField(ctx, "region", region)
+
+	recordSetResp, err := r.client.GetUserRequest(ctx, projectId, region, instanceId, userId).Execute()
+	if err != nil {
+		utils.LogError(
+			ctx,
+			&resp.Diagnostics,
+			err,
+			"Reading user",
+			fmt.Sprintf(
+				"User with ID %q or instance with ID %q does not exist in project %q.",
+				userId,
+				instanceId,
+				projectId,
+			),
+			map[int]string{
+				http.StatusForbidden: fmt.Sprintf("Project with ID %q not found or forbidden access", projectId),
+			},
+		)
+		resp.State.RemoveResource(ctx)
+		return
+	}
+
+	ctx = core.LogResponse(ctx)
+
+	// Map response body to schema and populate Computed attribute values
+	err = mapDataSourceFields(recordSetResp, &model, region)
+	if err != nil {
+		core.LogAndAddError(
+			ctx,
+			&resp.Diagnostics,
+			"Error reading user",
+			fmt.Sprintf("Processing API payload: %v", err),
+		)
+		return
+	}
+
+	// Set refreshed state
+	diags = resp.State.Set(ctx, model)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+	tflog.Info(ctx, "SQLServer Flex instance read")
+}
+
+func mapDataSourceFields(userResp *sqlserverflexalpha.GetUserResponse, model *DataSourceModel, region string) error {
+	if userResp == nil {
+		return fmt.Errorf("response is nil")
+	}
+	if model == nil {
+		return fmt.Errorf("model input is nil")
+	}
+	user := userResp
+
+	var userId int64
+	if model.UserId.ValueInt64() != 0 {
+		userId = model.UserId.ValueInt64()
+	} else if user.Id != nil {
+		userId = *user.Id
+	} else {
+		return fmt.Errorf("user id not present")
+	}
+	model.Id = utils.BuildInternalTerraformId(
+		model.ProjectId.ValueString(), region, model.InstanceId.ValueString(), strconv.FormatInt(userId, 10),
+	)
+	model.UserId = types.Int64Value(userId)
+	model.Username = types.StringPointerValue(user.Username)
+
+	if user.Roles == nil {
+		model.Roles = types.SetNull(types.StringType)
+	} else {
+		var roles []attr.Value
+		for _, role := range *user.Roles {
+			roles = append(roles, types.StringValue(string(role)))
+		}
+		rolesSet, diags := types.SetValue(types.StringType, roles)
+		if diags.HasError() {
+			return fmt.Errorf("failed to map roles: %w", core.DiagsToError(diags))
+		}
+		model.Roles = rolesSet
+	}
+	model.Host = types.StringPointerValue(user.Host)
+	model.Port = types.Int64PointerValue(user.Port)
+	model.Region = types.StringValue(region)
+	model.Status = types.StringPointerValue(user.Status)
+	model.DefaultDatabase = types.StringPointerValue(user.DefaultDatabase)
+
+	return nil
+}

stackit/internal/services/sqlserverflexalpha/user/datasource_test.go

@@ -0,0 +1,149 @@
+// Copyright (c) STACKIT
+
+package sqlserverflexalpha
+
+import (
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/hashicorp/terraform-plugin-framework/attr"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+	"github.com/stackitcloud/stackit-sdk-go/core/utils"
+	"github.com/stackitcloud/terraform-provider-stackit/pkg/sqlserverflexalpha"
+)
+
+func TestMapDataSourceFields(t *testing.T) {
+	const testRegion = "region"
+	tests := []struct {
+		description string
+		input       *sqlserverflexalpha.GetUserResponse
+		region      string
+		expected    DataSourceModel
+		isValid     bool
+	}{
+		{
+			"default_values",
+			&sqlserverflexalpha.GetUserResponse{},
+			testRegion,
+			DataSourceModel{
+				Id:              types.StringValue("pid,region,iid,1"),
+				UserId:          types.Int64Value(1),
+				InstanceId:      types.StringValue("iid"),
+				ProjectId:       types.StringValue("pid"),
+				Username:        types.StringNull(),
+				Roles:           types.SetNull(types.StringType),
+				Host:            types.StringNull(),
+				Port:            types.Int64Null(),
+				Region:          types.StringValue(testRegion),
+				Status:          types.StringNull(),
+				DefaultDatabase: types.StringNull(),
+			},
+			true,
+		},
+		{
+			"simple_values",
+			&sqlserverflexalpha.GetUserResponse{
+
+				Roles: &[]sqlserverflexalpha.UserRole{
+					"role_1",
+					"role_2",
+					"",
+				},
+				Username:        utils.Ptr("username"),
+				Host:            utils.Ptr("host"),
+				Port:            utils.Ptr(int64(1234)),
+				Status:          utils.Ptr("active"),
+				DefaultDatabase: utils.Ptr("default_db"),
+			},
+			testRegion,
+			DataSourceModel{
+				Id:         types.StringValue("pid,region,iid,1"),
+				UserId:     types.Int64Value(1),
+				InstanceId: types.StringValue("iid"),
+				ProjectId:  types.StringValue("pid"),
+				Username:   types.StringValue("username"),
+				Roles: types.SetValueMust(
+					types.StringType, []attr.Value{
+						types.StringValue("role_1"),
+						types.StringValue("role_2"),
+						types.StringValue(""),
+					},
+				),
+				Host:            types.StringValue("host"),
+				Port:            types.Int64Value(1234),
+				Region:          types.StringValue(testRegion),
+				Status:          types.StringValue("active"),
+				DefaultDatabase: types.StringValue("default_db"),
+			},
+			true,
+		},
+		{
+			"null_fields_and_int_conversions",
+			&sqlserverflexalpha.GetUserResponse{
+				Id:       utils.Ptr(int64(1)),
+				Roles:    &[]sqlserverflexalpha.UserRole{},
+				Username: nil,
+				Host:     nil,
+				Port:     utils.Ptr(int64(2123456789)),
+			},
+			testRegion,
+			DataSourceModel{
+				Id:         types.StringValue("pid,region,iid,1"),
+				UserId:     types.Int64Value(1),
+				InstanceId: types.StringValue("iid"),
+				ProjectId:  types.StringValue("pid"),
+				Username:   types.StringNull(),
+				Roles:      types.SetValueMust(types.StringType, []attr.Value{}),
+				Host:       types.StringNull(),
+				Port:       types.Int64Value(2123456789),
+				Region:     types.StringValue(testRegion),
+			},
+			true,
+		},
+		{
+			"nil_response",
+			nil,
+			testRegion,
+			DataSourceModel{},
+			false,
+		},
+		{
+			"nil_response_2",
+			&sqlserverflexalpha.GetUserResponse{},
+			testRegion,
+			DataSourceModel{},
+			false,
+		},
+		{
+			"no_resource_id",
+			&sqlserverflexalpha.GetUserResponse{},
+			testRegion,
+			DataSourceModel{},
+			false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(
+			tt.description, func(t *testing.T) {
+				state := &DataSourceModel{
+					ProjectId:  tt.expected.ProjectId,
+					InstanceId: tt.expected.InstanceId,
+					UserId:     tt.expected.UserId,
+				}
+				err := mapDataSourceFields(tt.input, state, tt.region)
+				if !tt.isValid && err == nil {
+					t.Fatalf("Should have failed")
+				}
+				if tt.isValid && err != nil {
+					t.Fatalf("Should not have failed: %v", err)
+				}
+				if tt.isValid {
+					diff := cmp.Diff(state, &tt.expected)
+					if diff != "" {
+						t.Fatalf("Data does not match: %s", diff)
+					}
+				}
+			},
+		)
+	}
+}

stackit/internal/services/sqlserverflexalpha/user/resource.go

@@ -0,0 +1,568 @@
+// Copyright (c) STACKIT
+
+package sqlserverflexalpha
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/http"
+	"strconv"
+	"strings"
+
+	"github.com/stackitcloud/terraform-provider-stackit/pkg/sqlserverflexalpha"
+	sqlserverflexalphaUtils "github.com/stackitcloud/terraform-provider-stackit/stackit/internal/services/sqlserverflexalpha/utils"
+
+	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
+	"github.com/hashicorp/terraform-plugin-log/tflog"
+	"github.com/stackitcloud/terraform-provider-stackit/stackit/internal/conversion"
+	"github.com/stackitcloud/terraform-provider-stackit/stackit/internal/core"
+	"github.com/stackitcloud/terraform-provider-stackit/stackit/internal/utils"
+	"github.com/stackitcloud/terraform-provider-stackit/stackit/internal/validate"
+
+	"github.com/hashicorp/terraform-plugin-framework/attr"
+	"github.com/hashicorp/terraform-plugin-framework/path"
+	"github.com/hashicorp/terraform-plugin-framework/resource"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/setplanmodifier"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+	"github.com/stackitcloud/stackit-sdk-go/core/oapierror"
+)
+
+// Ensure the implementation satisfies the expected interfaces.
+var (
+	_ resource.Resource                = &userResource{}
+	_ resource.ResourceWithConfigure   = &userResource{}
+	_ resource.ResourceWithImportState = &userResource{}
+	_ resource.ResourceWithModifyPlan  = &userResource{}
+)
+
+type Model struct {
+	Id              types.String `tfsdk:"id"` // needed by TF
+	UserId          types.Int64  `tfsdk:"user_id"`
+	InstanceId      types.String `tfsdk:"instance_id"`
+	ProjectId       types.String `tfsdk:"project_id"`
+	Username        types.String `tfsdk:"username"`
+	Roles           types.Set    `tfsdk:"roles"`
+	Password        types.String `tfsdk:"password"`
+	Host            types.String `tfsdk:"host"`
+	Port            types.Int64  `tfsdk:"port"`
+	Region          types.String `tfsdk:"region"`
+	Status          types.String `tfsdk:"status"`
+	DefaultDatabase types.String `tfsdk:"default_database"`
+}
+
+// NewUserResource is a helper function to simplify the provider implementation.
+func NewUserResource() resource.Resource {
+	return &userResource{}
+}
+
+// userResource is the resource implementation.
+type userResource struct {
+	client       *sqlserverflexalpha.APIClient
+	providerData core.ProviderData
+}
+
+// Metadata returns the resource type name.
+func (r *userResource) Metadata(_ context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) {
+	resp.TypeName = req.ProviderTypeName + "_sqlserverflexalpha_user"
+}
+
+// Configure adds the provider configured client to the resource.
+func (r *userResource) Configure(ctx context.Context, req resource.ConfigureRequest, resp *resource.ConfigureResponse) {
+	var ok bool
+	r.providerData, ok = conversion.ParseProviderData(ctx, req.ProviderData, &resp.Diagnostics)
+	if !ok {
+		return
+	}
+
+	apiClient := sqlserverflexalphaUtils.ConfigureClient(ctx, &r.providerData, &resp.Diagnostics)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+	r.client = apiClient
+	tflog.Info(ctx, "SQLServer Alpha Flex user client configured")
+}
+
+// ModifyPlan implements resource.ResourceWithModifyPlan.
+// Use the modifier to set the effective region in the current plan.
+func (r *userResource) ModifyPlan(
+	ctx context.Context,
+	req resource.ModifyPlanRequest,
+	resp *resource.ModifyPlanResponse,
+) { // nolint:gocritic // function signature required by Terraform
+	var configModel Model
+	// skip initial empty configuration to avoid follow-up errors
+	if req.Config.Raw.IsNull() {
+		return
+	}
+	resp.Diagnostics.Append(req.Config.Get(ctx, &configModel)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	var planModel Model
+	resp.Diagnostics.Append(req.Plan.Get(ctx, &planModel)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	utils.AdaptRegion(ctx, configModel.Region, &planModel.Region, r.providerData.GetRegion(), resp)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	resp.Diagnostics.Append(resp.Plan.Set(ctx, planModel)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+}
+
+// Schema defines the schema for the resource.
+func (r *userResource) Schema(_ context.Context, _ resource.SchemaRequest, resp *resource.SchemaResponse) {
+	descriptions := map[string]string{
+		"main":             "SQLServer Flex user resource schema. Must have a `region` specified in the provider configuration.",
+		"id":               "Terraform's internal resource ID. It is structured as \"`project_id`,`region`,`instance_id`,`user_id`\".",
+		"user_id":          "User ID.",
+		"instance_id":      "ID of the SQLServer Flex instance.",
+		"project_id":       "STACKIT project ID to which the instance is associated.",
+		"username":         "Username of the SQLServer Flex instance.",
+		"roles":            "Database access levels for the user. The values for the default roles are: `##STACKIT_DatabaseManager##`, `##STACKIT_LoginManager##`, `##STACKIT_ProcessManager##`, `##STACKIT_ServerManager##`, `##STACKIT_SQLAgentManager##`, `##STACKIT_SQLAgentUser##`",
+		"password":         "Password of the user account.",
+		"status":           "Status of the user.",
+		"default_database": "Default database of the user.",
+	}
+
+	resp.Schema = schema.Schema{
+		Description: descriptions["main"],
+		Attributes: map[string]schema.Attribute{
+			"id": schema.StringAttribute{
+				Description: descriptions["id"],
+				Computed:    true,
+				PlanModifiers: []planmodifier.String{
+					stringplanmodifier.UseStateForUnknown(),
+				},
+			},
+			"user_id": schema.StringAttribute{
+				Description: descriptions["user_id"],
+				Computed:    true,
+				PlanModifiers: []planmodifier.String{
+					stringplanmodifier.UseStateForUnknown(),
+				},
+				Validators: []validator.String{
+					validate.NoSeparator(),
+				},
+			},
+			"instance_id": schema.StringAttribute{
+				Description: descriptions["instance_id"],
+				Required:    true,
+				PlanModifiers: []planmodifier.String{
+					stringplanmodifier.RequiresReplace(),
+					stringplanmodifier.UseStateForUnknown(),
+				},
+				Validators: []validator.String{
+					validate.UUID(),
+					validate.NoSeparator(),
+				},
+			},
+			"project_id": schema.StringAttribute{
+				Description: descriptions["project_id"],
+				Required:    true,
+				PlanModifiers: []planmodifier.String{
+					stringplanmodifier.RequiresReplace(),
+					stringplanmodifier.UseStateForUnknown(),
+				},
+				Validators: []validator.String{
+					validate.UUID(),
+					validate.NoSeparator(),
+				},
+			},
+			"username": schema.StringAttribute{
+				Description: descriptions["username"],
+				Required:    true,
+				PlanModifiers: []planmodifier.String{
+					stringplanmodifier.RequiresReplace(),
+					stringplanmodifier.UseStateForUnknown(),
+				},
+			},
+			"roles": schema.SetAttribute{
+				Description: descriptions["roles"],
+				ElementType: types.StringType,
+				Required:    true,
+				PlanModifiers: []planmodifier.Set{
+					setplanmodifier.RequiresReplace(),
+				},
+			},
+			"password": schema.StringAttribute{
+				Description: descriptions["password"],
+				Computed:    true,
+				Sensitive:   true,
+			},
+			"host": schema.StringAttribute{
+				Computed: true,
+			},
+			"port": schema.Int64Attribute{
+				Computed: true,
+			},
+			"region": schema.StringAttribute{
+				Optional: true,
+				// must be computed to allow for storing the override value from the provider
+				Computed:    true,
+				Description: descriptions["region"],
+				PlanModifiers: []planmodifier.String{
+					stringplanmodifier.RequiresReplace(),
+				},
+			},
+			"status": schema.StringAttribute{
+				Computed: true,
+			},
+			"default_database": schema.StringAttribute{
+				Computed: true,
+			},
+		},
+	}
+}
+
+// Create creates the resource and sets the initial Terraform state.
+func (r *userResource) Create(
+	ctx context.Context,
+	req resource.CreateRequest,
+	resp *resource.CreateResponse,
+) { // nolint:gocritic // function signature required by Terraform
+	var model Model
+	diags := req.Plan.Get(ctx, &model)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	ctx = core.InitProviderContext(ctx)
+
+	projectId := model.ProjectId.ValueString()
+	instanceId := model.InstanceId.ValueString()
+	region := model.Region.ValueString()
+
+	ctx = tflog.SetField(ctx, "project_id", projectId)
+	ctx = tflog.SetField(ctx, "instance_id", instanceId)
+	ctx = tflog.SetField(ctx, "region", region)
+
+	var roles []sqlserverflexalpha.UserRole
+	if !(model.Roles.IsNull() || model.Roles.IsUnknown()) {
+		diags = model.Roles.ElementsAs(ctx, &roles, false)
+		resp.Diagnostics.Append(diags...)
+		if resp.Diagnostics.HasError() {
+			return
+		}
+	}
+
+	// Generate API request body from model
+	payload, err := toCreatePayload(&model, roles)
+	if err != nil {
+		core.LogAndAddError(ctx, &resp.Diagnostics, "Error creating user", fmt.Sprintf("Creating API payload: %v", err))
+		return
+	}
+	// Create new user
+	userResp, err := r.client.CreateUserRequest(
+		ctx,
+		projectId,
+		region,
+		instanceId,
+	).CreateUserRequestPayload(*payload).Execute()
+	if err != nil {
+		core.LogAndAddError(ctx, &resp.Diagnostics, "Error creating user", fmt.Sprintf("Calling API: %v", err))
+		return
+	}
+
+	ctx = core.LogResponse(ctx)
+
+	if userResp == nil || userResp.Id == nil || *userResp.Id == 0 {
+		core.LogAndAddError(
+			ctx,
+			&resp.Diagnostics,
+			"Error creating user",
+			"API didn't return user Id. A user might have been created",
+		)
+		return
+	}
+	userId := *userResp.Id
+	ctx = tflog.SetField(ctx, "user_id", userId)
+
+	// Map response body to schema
+	err = mapFieldsCreate(userResp, &model, region)
+	if err != nil {
+		core.LogAndAddError(
+			ctx,
+			&resp.Diagnostics,
+			"Error creating user",
+			fmt.Sprintf("Processing API payload: %v", err),
+		)
+		return
+	}
+	// Set state to fully populated data
+	diags = resp.State.Set(ctx, model)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+	tflog.Info(ctx, "SQLServer Flex user created")
+}
+
+// Read refreshes the Terraform state with the latest data.
+func (r *userResource) Read(
+	ctx context.Context,
+	req resource.ReadRequest,
+	resp *resource.ReadResponse,
+) { // nolint:gocritic // function signature required by Terraform
+	var model Model
+	diags := req.State.Get(ctx, &model)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	ctx = core.InitProviderContext(ctx)
+
+	projectId := model.ProjectId.ValueString()
+	instanceId := model.InstanceId.ValueString()
+	userId := model.UserId.ValueInt64()
+	region := r.providerData.GetRegionWithOverride(model.Region)
+	ctx = tflog.SetField(ctx, "project_id", projectId)
+	ctx = tflog.SetField(ctx, "instance_id", instanceId)
+	ctx = tflog.SetField(ctx, "user_id", userId)
+	ctx = tflog.SetField(ctx, "region", region)
+
+	recordSetResp, err := r.client.GetUserRequest(ctx, projectId, region, instanceId, userId).Execute()
+	if err != nil {
+		var oapiErr *oapierror.GenericOpenAPIError
+		ok := errors.As(
+			err,
+			&oapiErr,
+		)
+		//nolint:errorlint //complaining that error.As should be used to catch wrapped errors, but this error should not be wrapped
+		if ok && oapiErr.StatusCode == http.StatusNotFound {
+			resp.State.RemoveResource(ctx)
+			return
+		}
+		core.LogAndAddError(ctx, &resp.Diagnostics, "Error reading user", fmt.Sprintf("Calling API: %v", err))
+		return
+	}
+
+	ctx = core.LogResponse(ctx)
+
+	// Map response body to schema
+	err = mapFields(recordSetResp, &model, region)
+	if err != nil {
+		core.LogAndAddError(
+			ctx,
+			&resp.Diagnostics,
+			"Error reading user",
+			fmt.Sprintf("Processing API payload: %v", err),
+		)
+		return
+	}
+
+	// Set refreshed state
+	diags = resp.State.Set(ctx, model)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+	tflog.Info(ctx, "SQLServer Flex user read")
+}
+
+// Update updates the resource and sets the updated Terraform state on success.
+func (r *userResource) Update(
+	ctx context.Context,
+	_ resource.UpdateRequest,
+	resp *resource.UpdateResponse,
+) { // nolint:gocritic // function signature required by Terraform
+	// Update shouldn't be called
+	core.LogAndAddError(ctx, &resp.Diagnostics, "Error updating user", "User can't be updated")
+}
+
+// Delete deletes the resource and removes the Terraform state on success.
+func (r *userResource) Delete(
+	ctx context.Context,
+	req resource.DeleteRequest,
+	resp *resource.DeleteResponse,
+) { // nolint:gocritic // function signature required by Terraform
+	// Retrieve values from plan
+	var model Model
+	diags := req.State.Get(ctx, &model)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	ctx = core.InitProviderContext(ctx)
+
+	projectId := model.ProjectId.ValueString()
+	instanceId := model.InstanceId.ValueString()
+	userId := model.UserId.ValueInt64()
+	region := model.Region.ValueString()
+	ctx = tflog.SetField(ctx, "project_id", projectId)
+	ctx = tflog.SetField(ctx, "instance_id", instanceId)
+	ctx = tflog.SetField(ctx, "user_id", userId)
+	ctx = tflog.SetField(ctx, "region", region)
+
+	// Delete existing record set
+	err := r.client.DeleteUserRequest(ctx, projectId, region, instanceId, userId).Execute()
+	if err != nil {
+		core.LogAndAddError(ctx, &resp.Diagnostics, "Error deleting user", fmt.Sprintf("Calling API: %v", err))
+		return
+	}
+
+	ctx = core.LogResponse(ctx)
+
+	tflog.Info(ctx, "SQLServer Flex user deleted")
+}
+
+// ImportState imports a resource into the Terraform state on success.
+// The expected format of the resource import identifier is: project_id,zone_id,record_set_id
+func (r *userResource) ImportState(
+	ctx context.Context,
+	req resource.ImportStateRequest,
+	resp *resource.ImportStateResponse,
+) {
+	idParts := strings.Split(req.ID, core.Separator)
+	if len(idParts) != 4 || idParts[0] == "" || idParts[1] == "" || idParts[2] == "" || idParts[3] == "" {
+		core.LogAndAddError(
+			ctx, &resp.Diagnostics,
+			"Error importing user",
+			fmt.Sprintf(
+				"Expected import identifier with format [project_id],[region],[instance_id],[user_id], got %q",
+				req.ID,
+			),
+		)
+		return
+	}
+
+	resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("project_id"), idParts[0])...)
+	resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("region"), idParts[1])...)
+	resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("instance_id"), idParts[2])...)
+	resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("user_id"), idParts[3])...)
+	core.LogAndAddWarning(
+		ctx,
+		&resp.Diagnostics,
+		"SQLServer Flex user imported with empty password",
+		"The user password is not imported as it is only available upon creation of a new user. The password field will be empty.",
+	)
+	tflog.Info(ctx, "SQLServer Flex user state imported")
+}
+
+func mapFieldsCreate(userResp *sqlserverflexalpha.CreateUserResponse, model *Model, region string) error {
+	if userResp == nil {
+		return fmt.Errorf("response is nil")
+	}
+	if model == nil {
+		return fmt.Errorf("model input is nil")
+	}
+	user := userResp
+
+	if user.Id == nil {
+		return fmt.Errorf("user id not present")
+	}
+	userId := *user.Id
+	model.Id = utils.BuildInternalTerraformId(
+		model.ProjectId.ValueString(),
+		region,
+		model.InstanceId.ValueString(),
+		strconv.FormatInt(userId, 10),
+	)
+	model.UserId = types.Int64Value(userId)
+	model.Username = types.StringPointerValue(user.Username)
+
+	if user.Password == nil {
+		return fmt.Errorf("user password not present")
+	}
+	model.Password = types.StringValue(*user.Password)
+
+	if user.Roles != nil {
+		var roles []attr.Value
+		for _, role := range *user.Roles {
+			roles = append(roles, types.StringValue(string(role)))
+		}
+		rolesSet, diags := types.SetValue(types.StringType, roles)
+		if diags.HasError() {
+			return fmt.Errorf("failed to map roles: %w", core.DiagsToError(diags))
+		}
+		model.Roles = rolesSet
+	}
+
+	if model.Roles.IsNull() || model.Roles.IsUnknown() {
+		model.Roles = types.SetNull(types.StringType)
+	}
+
+	model.Host = types.StringPointerValue(user.Host)
+	model.Port = types.Int64PointerValue(user.Port)
+	model.Region = types.StringValue(region)
+	model.Status = types.StringPointerValue(user.Status)
+	model.DefaultDatabase = types.StringPointerValue(user.DefaultDatabase)
+
+	return nil
+}
+
+func mapFields(userResp *sqlserverflexalpha.GetUserResponse, model *Model, region string) error {
+	if userResp == nil {
+		return fmt.Errorf("response is nil")
+	}
+	if model == nil {
+		return fmt.Errorf("model input is nil")
+	}
+	user := userResp
+
+	var userId int64
+	if model.UserId.ValueInt64() != 0 {
+		userId = model.UserId.ValueInt64()
+	} else if user.Id != nil {
+		userId = *user.Id
+	} else {
+		return fmt.Errorf("user id not present")
+	}
+	model.Id = utils.BuildInternalTerraformId(
+		model.ProjectId.ValueString(),
+		region,
+		model.InstanceId.ValueString(),
+		strconv.FormatInt(userId, 10),
+	)
+	model.UserId = types.Int64Value(userId)
+	model.Username = types.StringPointerValue(user.Username)
+
+	if user.Roles != nil {
+		var roles []attr.Value
+		for _, role := range *user.Roles {
+			roles = append(roles, types.StringValue(string(role)))
+		}
+		rolesSet, diags := types.SetValue(types.StringType, roles)
+		if diags.HasError() {
+			return fmt.Errorf("failed to map roles: %w", core.DiagsToError(diags))
+		}
+		model.Roles = rolesSet
+	}
+
+	if model.Roles.IsNull() || model.Roles.IsUnknown() {
+		model.Roles = types.SetNull(types.StringType)
+	}
+
+	model.Host = types.StringPointerValue(user.Host)
+	model.Port = types.Int64PointerValue(user.Port)
+	model.Region = types.StringValue(region)
+	return nil
+}
+
+func toCreatePayload(
+	model *Model,
+	roles []sqlserverflexalpha.UserRole,
+) (*sqlserverflexalpha.CreateUserRequestPayload, error) {
+	if model == nil {
+		return nil, fmt.Errorf("nil model")
+	}
+
+	return &sqlserverflexalpha.CreateUserRequestPayload{
+		Username:        conversion.StringValueToPointer(model.Username),
+		DefaultDatabase: conversion.StringValueToPointer(model.DefaultDatabase),
+		Roles:           &roles,
+	}, nil
+}

stackit/internal/services/sqlserverflexalpha/user/resource_test.go

@@ -0,0 +1,387 @@
+// Copyright (c) STACKIT
+
+package sqlserverflexalpha
+
+import (
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/hashicorp/terraform-plugin-framework/attr"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+	"github.com/stackitcloud/stackit-sdk-go/core/utils"
+	"github.com/stackitcloud/terraform-provider-stackit/pkg/sqlserverflexalpha"
+)
+
+func TestMapFieldsCreate(t *testing.T) {
+	const testRegion = "region"
+	tests := []struct {
+		description string
+		input       *sqlserverflexalpha.CreateUserResponse
+		region      string
+		expected    Model
+		isValid     bool
+	}{
+		{
+			"default_values",
+			&sqlserverflexalpha.CreateUserResponse{
+				Id:       utils.Ptr(int64(1)),
+				Password: utils.Ptr(""),
+			},
+			testRegion,
+			Model{
+				Id:         types.StringValue("pid,region,iid,1"),
+				UserId:     types.Int64Value(1),
+				InstanceId: types.StringValue("iid"),
+				ProjectId:  types.StringValue("pid"),
+				Username:   types.StringNull(),
+				Roles:      types.SetNull(types.StringType),
+				Password:   types.StringValue(""),
+				Host:       types.StringNull(),
+				Port:       types.Int64Null(),
+				Region:     types.StringValue(testRegion),
+			},
+			true,
+		},
+		{
+			"simple_values",
+			&sqlserverflexalpha.CreateUserResponse{
+				Id: utils.Ptr(int64(2)),
+				Roles: &[]sqlserverflexalpha.UserRole{
+					"role_1",
+					"role_2",
+					"",
+				},
+				Username:        utils.Ptr("username"),
+				Password:        utils.Ptr("password"),
+				Host:            utils.Ptr("host"),
+				Port:            utils.Ptr(int64(1234)),
+				Status:          utils.Ptr("status"),
+				DefaultDatabase: utils.Ptr("default_db"),
+			},
+			testRegion,
+			Model{
+				Id:         types.StringValue("pid,region,iid,2"),
+				UserId:     types.Int64Value(2),
+				InstanceId: types.StringValue("iid"),
+				ProjectId:  types.StringValue("pid"),
+				Username:   types.StringValue("username"),
+				Roles: types.SetValueMust(
+					types.StringType, []attr.Value{
+						types.StringValue("role_1"),
+						types.StringValue("role_2"),
+						types.StringValue(""),
+					},
+				),
+				Password:        types.StringValue("password"),
+				Host:            types.StringValue("host"),
+				Port:            types.Int64Value(1234),
+				Region:          types.StringValue(testRegion),
+				Status:          types.StringValue("status"),
+				DefaultDatabase: types.StringValue("default_db"),
+			},
+			true,
+		},
+		{
+			"null_fields_and_int_conversions",
+			&sqlserverflexalpha.CreateUserResponse{
+				Id:       utils.Ptr(int64(3)),
+				Roles:    &[]sqlserverflexalpha.UserRole{},
+				Username: nil,
+				Password: utils.Ptr(""),
+				Host:     nil,
+				Port:     utils.Ptr(int64(2123456789)),
+			},
+			testRegion,
+			Model{
+				Id:              types.StringValue("pid,region,iid,3"),
+				UserId:          types.Int64Value(3),
+				InstanceId:      types.StringValue("iid"),
+				ProjectId:       types.StringValue("pid"),
+				Username:        types.StringNull(),
+				Roles:           types.SetValueMust(types.StringType, []attr.Value{}),
+				Password:        types.StringValue(""),
+				Host:            types.StringNull(),
+				Port:            types.Int64Value(2123456789),
+				Region:          types.StringValue(testRegion),
+				DefaultDatabase: types.StringNull(),
+				Status:          types.StringNull(),
+			},
+			true,
+		},
+		{
+			"nil_response",
+			nil,
+			testRegion,
+			Model{},
+			false,
+		},
+		{
+			"nil_response_2",
+			&sqlserverflexalpha.CreateUserResponse{},
+			testRegion,
+			Model{},
+			false,
+		},
+		{
+			"no_resource_id",
+			&sqlserverflexalpha.CreateUserResponse{},
+			testRegion,
+			Model{},
+			false,
+		},
+		{
+			"no_password",
+			&sqlserverflexalpha.CreateUserResponse{
+				Id: utils.Ptr(int64(1)),
+			},
+			testRegion,
+			Model{},
+			false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(
+			tt.description, func(t *testing.T) {
+				state := &Model{
+					ProjectId:  tt.expected.ProjectId,
+					InstanceId: tt.expected.InstanceId,
+				}
+				err := mapFieldsCreate(tt.input, state, tt.region)
+				if !tt.isValid && err == nil {
+					t.Fatalf("Should have failed")
+				}
+				if tt.isValid && err != nil {
+					t.Fatalf("Should not have failed: %v", err)
+				}
+				if tt.isValid {
+					diff := cmp.Diff(state, &tt.expected)
+					if diff != "" {
+						t.Fatalf("Data does not match: %s", diff)
+					}
+				}
+			},
+		)
+	}
+}
+
+func TestMapFields(t *testing.T) {
+	const testRegion = "region"
+	tests := []struct {
+		description string
+		input       *sqlserverflexalpha.GetUserResponse
+		region      string
+		expected    Model
+		isValid     bool
+	}{
+		{
+			"default_values",
+			&sqlserverflexalpha.GetUserResponse{},
+			testRegion,
+			Model{
+				Id:         types.StringValue("pid,region,iid,1"),
+				UserId:     types.Int64Value(1),
+				InstanceId: types.StringValue("iid"),
+				ProjectId:  types.StringValue("pid"),
+				Username:   types.StringNull(),
+				Roles:      types.SetNull(types.StringType),
+				Host:       types.StringNull(),
+				Port:       types.Int64Null(),
+				Region:     types.StringValue(testRegion),
+			},
+			true,
+		},
+		{
+			"simple_values",
+			&sqlserverflexalpha.GetUserResponse{
+				Roles: &[]sqlserverflexalpha.UserRole{
+					"role_1",
+					"role_2",
+					"",
+				},
+				Username: utils.Ptr("username"),
+				Host:     utils.Ptr("host"),
+				Port:     utils.Ptr(int64(1234)),
+			},
+			testRegion,
+			Model{
+				Id:         types.StringValue("pid,region,iid,2"),
+				UserId:     types.Int64Value(2),
+				InstanceId: types.StringValue("iid"),
+				ProjectId:  types.StringValue("pid"),
+				Username:   types.StringValue("username"),
+				Roles: types.SetValueMust(
+					types.StringType, []attr.Value{
+						types.StringValue("role_1"),
+						types.StringValue("role_2"),
+						types.StringValue(""),
+					},
+				),
+				Host:   types.StringValue("host"),
+				Port:   types.Int64Value(1234),
+				Region: types.StringValue(testRegion),
+			},
+			true,
+		},
+		{
+			"null_fields_and_int_conversions",
+			&sqlserverflexalpha.GetUserResponse{
+				Id:       utils.Ptr(int64(1)),
+				Roles:    &[]sqlserverflexalpha.UserRole{},
+				Username: nil,
+				Host:     nil,
+				Port:     utils.Ptr(int64(2123456789)),
+			},
+			testRegion,
+			Model{
+				Id:         types.StringValue("pid,region,iid,1"),
+				UserId:     types.Int64Value(1),
+				InstanceId: types.StringValue("iid"),
+				ProjectId:  types.StringValue("pid"),
+				Username:   types.StringNull(),
+				Roles:      types.SetValueMust(types.StringType, []attr.Value{}),
+				Host:       types.StringNull(),
+				Port:       types.Int64Value(2123456789),
+				Region:     types.StringValue(testRegion),
+			},
+			true,
+		},
+		{
+			"nil_response",
+			nil,
+			testRegion,
+			Model{},
+			false,
+		},
+		{
+			"nil_response_2",
+			&sqlserverflexalpha.GetUserResponse{},
+			testRegion,
+			Model{},
+			false,
+		},
+		{
+			"no_resource_id",
+			&sqlserverflexalpha.GetUserResponse{},
+			testRegion,
+			Model{},
+			false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(
+			tt.description, func(t *testing.T) {
+				state := &Model{
+					ProjectId:  tt.expected.ProjectId,
+					InstanceId: tt.expected.InstanceId,
+					UserId:     tt.expected.UserId,
+				}
+				err := mapFields(tt.input, state, tt.region)
+				if !tt.isValid && err == nil {
+					t.Fatalf("Should have failed")
+				}
+				if tt.isValid && err != nil {
+					t.Fatalf("Should not have failed: %v", err)
+				}
+				if tt.isValid {
+					diff := cmp.Diff(state, &tt.expected)
+					if diff != "" {
+						t.Fatalf("Data does not match: %s", diff)
+					}
+				}
+			},
+		)
+	}
+}
+
+func TestToCreatePayload(t *testing.T) {
+	tests := []struct {
+		description string
+		input       *Model
+		inputRoles  []sqlserverflexalpha.UserRole
+		expected    *sqlserverflexalpha.CreateUserRequestPayload
+		isValid     bool
+	}{
+		{
+			"default_values",
+			&Model{},
+			[]sqlserverflexalpha.UserRole{},
+			&sqlserverflexalpha.CreateUserRequestPayload{
+				Roles:    &[]sqlserverflexalpha.UserRole{},
+				Username: nil,
+			},
+			true,
+		},
+		{
+			"default_values",
+			&Model{
+				Username: types.StringValue("username"),
+			},
+			[]sqlserverflexalpha.UserRole{
+				"role_1",
+				"role_2",
+			},
+			&sqlserverflexalpha.CreateUserRequestPayload{
+				Roles: &[]sqlserverflexalpha.UserRole{
+					"role_1",
+					"role_2",
+				},
+				Username: utils.Ptr("username"),
+			},
+			true,
+		},
+		{
+			"null_fields_and_int_conversions",
+			&Model{
+				Username: types.StringNull(),
+			},
+			[]sqlserverflexalpha.UserRole{
+				"",
+			},
+			&sqlserverflexalpha.CreateUserRequestPayload{
+				Roles: &[]sqlserverflexalpha.UserRole{
+					"",
+				},
+				Username: nil,
+			},
+			true,
+		},
+		{
+			"nil_model",
+			nil,
+			[]sqlserverflexalpha.UserRole{},
+			nil,
+			false,
+		},
+		{
+			"nil_roles",
+			&Model{
+				Username: types.StringValue("username"),
+			},
+			[]sqlserverflexalpha.UserRole{},
+			&sqlserverflexalpha.CreateUserRequestPayload{
+				Roles:    &[]sqlserverflexalpha.UserRole{},
+				Username: utils.Ptr("username"),
+			},
+			true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(
+			tt.description, func(t *testing.T) {
+				output, err := toCreatePayload(tt.input, tt.inputRoles)
+				if !tt.isValid && err == nil {
+					t.Fatalf("Should have failed")
+				}
+				if tt.isValid && err != nil {
+					t.Fatalf("Should not have failed: %v", err)
+				}
+				if tt.isValid {
+					diff := cmp.Diff(output, tt.expected)
+					if diff != "" {
+						t.Fatalf("Data does not match: %s", diff)
+					}
+				}
+			},
+		)
+	}
+}