Merge pull request 'chore: merge main into alpha' (#89 ) from main into alpha

Reviewed-on: #89
Merge branch 'alpha' into main
2026-03-25 09:25:58 +00:00 · 2026-03-25 09:23:47 +00:00 · 2026-03-25 09:23:14 +00:00 · 2026-03-25 10:22:48 +01:00 · 2026-03-25 08:45:31 +00:00 · 2026-03-25 09:40:44 +01:00
290 changed files with 38857 additions and 10336 deletions
--- a/.github/actions/acc_test/README.md
+++ b/.github/actions/acc_test/README.md
@ -0,0 +1 @@
+# acceptance test action
--- a/.github/actions/acc_test/action.yaml
+++ b/.github/actions/acc_test/action.yaml
@ -0,0 +1,290 @@
+name: Acceptance Testing
+description: "Acceptance Testing pipeline"
+
+inputs:
+  tf_debug:
+    description: "enable terraform debug logs"
+    default: 'false'
+    required: true
+
+  test_timeout_string:
+    description: "string that determines the timeout (default: 45m)"
+    default: '90m'
+    required: true
+
+  go-version:
+    description: "go version to install"
+    default: '1.25'
+    required: true
+
+  project_id:
+    description: "STACKIT project ID for tests"
+    required: true
+
+  project_user_email:
+    required: true
+    description: "project user email for acc testing"
+
+  tf_acc_kek_key_id:
+    description: "KEK key ID"
+    required: true
+
+  tf_acc_kek_key_ring_id:
+    description: "KEK key ring ID"
+    required: true
+
+  tf_acc_kek_key_version:
+    description: "KEK key version"
+    required: true
+
+  tf_acc_kek_service_account:
+    description: "KEK service account email"
+    required: true
+
+  region:
+    description: "STACKIT region for tests"
+    default: 'eu01'
+    required: true
+
+  service_account_json_content:
+    description: "STACKIT service account JSON file contents"
+    required: true
+    default: ""
+
+  service_account_json_content_b64:
+    description: "STACKIT service account JSON file contents"
+    required: true
+    default: ""
+
+  service_account_json_file_path:
+    description: "STACKIT service account JSON file contents"
+    required: true
+    default: 'service_account.json'
+
+  test_file:
+    description: "testfile to run"
+    default: ''
+
+
+#outputs:
+#  random-number:
+#    description: "Random number"
+#    value: ${{ steps.random-number-generator.outputs.random-number }}
+
+runs:
+  using: "composite"
+  steps:
+#    - name: Random Number Generator
+#      id: random-number-generator
+#      run: echo "random-number=$(echo $RANDOM)" >> $GITHUB_OUTPUT
+#      shell: bash
+
+    - name: Install needed tools
+      shell: bash
+      run: |
+        echo "::group::apt install"
+        set -e
+        apt-get -y -qq update >apt_update.log 2>apt_update_err.log
+        if [ $? -ne 0 ]; then
+          cat apt_update.log apt_update_err.log
+        fi
+        apt-get -y -qq install jq python3 python3-pip python-is-python3 s3cmd git make wget >apt_get.log 2>apt_get_err.log
+        if [ $? -ne 0 ]; then
+          cat apt_get.log apt_get_err.log
+        fi
+        echo "::endgroup::"
+
+    # Install latest version of Terraform
+    - uses: hashicorp/setup-terraform@v4
+      with:
+        terraform_wrapper: false
+
+    - name: Setup JAVA
+      uses: actions/setup-java@v5
+      with:
+        distribution: 'temurin' # See 'Supported distributions' for available options
+        java-version: '21'
+
+    - name: Install Go ${{ inputs.go-version }}
+      uses: actions/setup-go@v6
+      with:
+        # go-version: ${{ inputs.go-version }}
+        check-latest: true
+        go-version-file: 'go.mod'
+
+    - name: Determine GOMODCACHE
+      shell: bash
+      id: goenv
+      run: |
+        set -e
+        echo "gomodcache=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
+
+    - name: Restore cached GO pkg
+      id: cache-gopkg
+      uses: actions/cache/restore@v5
+      with:
+        path: "${{ steps.goenv.outputs.gomodcache }}"
+        key: ${{ runner.os }}-gopkg
+
+    - name: Install go tools
+      if: steps.cache-gopkg.outputs.cache-hit != 'true'
+      shell: bash
+      run: |
+        echo "::group::go install"
+        set -e
+        go mod download
+        go install golang.org/x/tools/cmd/goimports@latest
+        go install github.com/hashicorp/terraform-plugin-codegen-framework/cmd/tfplugingen-framework@latest
+        go install github.com/hashicorp/terraform-plugin-codegen-openapi/cmd/tfplugingen-openapi@latest
+        go install github.com/hashicorp/terraform-plugin-docs/cmd/tfplugindocs@latest
+        go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest
+        echo "::endgroup::"
+    - name: Run go mod tidy
+      shell: bash
+      run: go mod tidy
+
+    - name: Save GO package Cache
+      id: cache-gopkg-save
+      uses: actions/cache/save@v5
+      with:
+        path: |
+          ${{ steps.goenv.outputs.gomodcache }}
+        key: ${{ runner.os }}-gopkg
+
+    - name: Define service account file path variable
+      id: service_account
+      shell: bash
+      run: |
+        echo "safilepath=${PWD}/stackit/${{ inputs.service_account_json_file_path }}" >> "$GITHUB_OUTPUT"
+
+    - name: Creating service_account file from json input
+      if: inputs.service_account_json_content != ''
+      shell: bash
+      run: |
+        echo "::group::create service account file"
+        set -e
+        set -o pipefail
+
+        jsonFile="${{ inputs.service_account_json_file_path }}"
+        jsonFile="${jsonFile:-x}"
+        if [ "${jsonFile}" == "x" ]; then
+          echo "no service account file path provided"
+          exit 1
+        fi
+        
+        if [ ! -f "${jsonFile}" ]; then
+          echo "creating service account file '${{ inputs.service_account_json_file_path }}'"
+          echo "${{ inputs.service_account_json_content }}" > stackit/"${{ inputs.service_account_json_file_path }}"
+        fi
+        ls -l stackit/"${{ inputs.service_account_json_file_path }}"
+        echo "::endgroup::"
+
+    - name: Creating service_account file from base64 json input
+      if: inputs.service_account_json_content_b64 != ''
+      shell: bash
+      run: |
+        echo "::group::create service account file"
+        set -e
+        set -o pipefail
+
+        jsonFile="${{ inputs.service_account_json_file_path }}"
+        jsonFile="${jsonFile:-x}"
+        if [ "${jsonFile}" == "x" ]; then
+          echo "no service account file path provided"
+          exit 1
+        fi
+        
+        if [ ! -f "${jsonFile}" ]; then
+          echo "creating service account file '${{ inputs.service_account_json_file_path }}'"
+          echo "${{ inputs.service_account_json_content_b64 }}" | base64 -d > stackit/"${{ inputs.service_account_json_file_path }}"
+        fi
+        ls -l stackit/"${{ inputs.service_account_json_file_path }}"
+        echo "::endgroup::"
+
+    - name: Run acceptance test file
+      if: ${{ inputs.test_file != '' }}
+      shell: bash
+      run: |
+        echo "::group::go test file"
+        set -e 
+        set -o pipefail
+        
+        if [[ "${{ inputs.tf_debug }}" == "true" ]]; then
+          TF_LOG=INFO
+          export TF_LOG
+        fi
+
+        echo "Running acceptance tests for the terraform provider"
+        cd stackit || exit 1
+        TF_ACC=1 \
+        TF_ACC_PROJECT_ID=${TF_ACC_PROJECT_ID} \
+        TF_ACC_REGION=${TF_ACC_REGION} \
+        TF_ACC_TEST_PROJECT_USER_EMAIL=${TF_ACC_TEST_PROJECT_USER_EMAIL} \
+        TF_ACC_SERVICE_ACCOUNT_FILE="${PWD}/${{ inputs.service_account_json_file_path }}" \
+        TF_ACC_KEK_KEY_ID=${TF_ACC_KEK_KEY_ID} \
+        TF_ACC_KEK_KEY_RING_ID=${TF_ACC_KEK_KEY_RING_ID} \
+        TF_ACC_KEK_KEY_VERSION=${TF_ACC_KEK_KEY_VERSION} \
+        TF_ACC_KEK_SERVICE_ACCOUNT=${TF_ACC_KEK_SERVICE_ACCOUNT} \
+        go test -v ${{ inputs.test_file }} -timeout=${{ inputs.test_timeout_string }}
+        echo "::endgroup::"
+      env:
+        TF_ACC_PROJECT_ID: ${{ inputs.project_id }}
+        TF_ACC_REGION: ${{ inputs.region }}
+        TF_ACC_TEST_PROJECT_USER_EMAIL: ${{ inputs.project_user_email }}
+        TF_ACC_KEK_KEY_ID: ${{ inputs.tf_acc_kek_key_id }}
+        TF_ACC_KEK_KEY_RING_ID: ${{ inputs.tf_acc_kek_key_ring_id }}
+        TF_ACC_KEK_KEY_VERSION: ${{ inputs.tf_acc_kek_key_version }}
+        TF_ACC_KEK_SERVICE_ACCOUNT: ${{ inputs.tf_acc_kek_service_account }}
+
+# does not work correctly
+#    - name: Run test action
+#      if: ${{ inputs.test_file == '' }}
+#      env:
+#        TF_ACC: 1
+#        TF_ACC_PROJECT_ID: ${{ inputs.project_id }}
+#        TF_ACC_REGION: ${{ inputs.region }}
+#        TF_ACC_TEST_PROJECT_USER_EMAIL: ${{ inputs.project_user_email }}
+#        TF_ACC_KEK_KEY_ID: ${{ inputs.tf_acc_kek_key_id }}
+#        TF_ACC_KEK_KEY_RING_ID: ${{ inputs.tf_acc_kek_key_ring_id }}
+#        TF_ACC_KEK_KEY_VERSION: ${{ inputs.tf_acc_kek_key_version }}
+#        TF_ACC_KEK_SERVICE_ACCOUNT: ${{ inputs.tf_acc_kek_service_account }}
+#        TF_ACC_SERVICE_ACCOUNT_FILE: ${{ steps.service_account.outputs.safile }}
+#      uses: robherley/go-test-action@v0
+#      with:
+#        testArguments: "./... -timeout ${{ inputs.test_timeout_string }}"
+#        moduleDirectory: "stackit"
+
+    - name: Run acceptance tests
+      if: ${{ inputs.test_file == '' }}
+      shell: bash
+      run: |
+        echo "::group::go test all"
+        set -e
+        set -o pipefail
+
+        if [[ "${{ inputs.tf_debug }}" == "true" ]]; then
+          TF_LOG=INFO
+          export TF_LOG
+        fi
+
+        echo "Running acceptance tests for the terraform provider"
+        cd stackit || exit 1
+        TF_ACC=1 \
+        TF_ACC_PROJECT_ID=${TF_ACC_PROJECT_ID} \
+        TF_ACC_REGION=${TF_ACC_REGION} \
+        TF_ACC_TEST_PROJECT_USER_EMAIL=${TF_ACC_TEST_PROJECT_USER_EMAIL} \
+        TF_ACC_SERVICE_ACCOUNT_FILE="${PWD}/${{ inputs.service_account_json_file_path }}" \
+        TF_ACC_KEK_KEY_ID=${TF_ACC_KEK_KEY_ID} \
+        TF_ACC_KEK_KEY_RING_ID=${TF_ACC_KEK_KEY_RING_ID} \
+        TF_ACC_KEK_KEY_VERSION=${TF_ACC_KEK_KEY_VERSION} \
+        TF_ACC_KEK_SERVICE_ACCOUNT=${TF_ACC_KEK_SERVICE_ACCOUNT} \
+        go test -v ./... -timeout=${{ inputs.test_timeout_string }}
+        echo "::endgroup::"
+      env:
+        TF_ACC_PROJECT_ID: ${{ inputs.project_id }}
+        TF_ACC_REGION: ${{ inputs.region }}
+        TF_ACC_TEST_PROJECT_USER_EMAIL: ${{ inputs.project_user_email }}
+        TF_ACC_KEK_KEY_ID: ${{ inputs.tf_acc_kek_key_id }}
+        TF_ACC_KEK_KEY_RING_ID: ${{ inputs.tf_acc_kek_key_ring_id }}
+        TF_ACC_KEK_KEY_VERSION: ${{ inputs.tf_acc_kek_key_version }}
+        TF_ACC_KEK_SERVICE_ACCOUNT: ${{ inputs.tf_acc_kek_service_account }}
--- a/.github/actions/build/action.yaml
+++ b/.github/actions/build/action.yaml
@ -1,4 +1,3 @@
-
 name: Build
 description: "Build pipeline"
 inputs:
@ -21,25 +20,63 @@ runs:
      run: |
        set -e
        apt-get -y -qq update
-        apt-get -y -qq install jq python3 python3-pip python-is-python3 s3cmd git make wget
+        apt-get -y -qq install jq python3 python3-pip python-is-python3 s3cmd git make wget unzip bc

+    - name: Checkout
+      uses: actions/checkout@v6

    - name: Install Go ${{ inputs.go-version }}
      uses: actions/setup-go@v6
      with:
-        go-version: ${{ inputs.go-version }}
+        # go-version: ${{ inputs.go-version }}
        check-latest: true
        go-version-file: 'go.mod'

+    - name: Determine GOMODCACHE
+      shell: bash
+      id: goenv
+      run: |
+        set -e
+        # echo "::set-output name=gomodcache::$(go env GOMODCACHE)"
+        echo "gomodcache=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
+
+    - name: Restore cached GO pkg
+      id: cache-gopkg
+      uses: actions/cache/restore@v5
+      with:
+        path: "${{ steps.goenv.outputs.gomodcache }}"
+        key: ${{ runner.os }}-gopkg
+
    - name: Install go tools
+      if: steps.cache-gopkg.outputs.cache-hit != 'true'
      shell: bash
      run: |
        set -e
        go install golang.org/x/tools/cmd/goimports@latest
        go install github.com/hashicorp/terraform-plugin-codegen-framework/cmd/tfplugingen-framework@latest
        go install github.com/hashicorp/terraform-plugin-codegen-openapi/cmd/tfplugingen-openapi@latest
-        go install github.com/hashicorp/terraform-plugin-docs/cmd/tfplugindocs@v0.24.0
+        go install github.com/hashicorp/terraform-plugin-docs/cmd/tfplugindocs@latest

+#    - name: Run build pkg directory
+#      shell: bash
+#      run: |
+#        set -e
+#        go run generator/main.go build
+
+    - name: Get all go packages
+      if: steps.cache-gopkg.outputs.cache-hit != 'true'
+      shell: bash
+      run: |
+        set -e
+        go get ./...
+
+    - name: Save Cache
+      id: cache-gopkg-save
+      uses: actions/cache/save@v5
+      with:
+        path: |
+          ${{ steps.goenv.outputs.gomodcache }}
+        key: ${{ runner.os }}-gopkg

    - name: Setup JAVA ${{ inputs.java-distribution }} ${{ inputs.go-version }}
      uses: actions/setup-java@v5
@ -47,16 +84,6 @@ runs:
        distribution: ${{ inputs.java-distribution }} # See 'Supported distributions' for available options
        java-version: ${{ inputs.java-version }}

-    - name: Checkout
-      uses: actions/checkout@v6
-
-    - name: Run build pkg directory
-      shell: bash
-      run: |
-        set -e
-        go run cmd/main.go build
-
-
    - name: Run make to build app
      shell: bash
      run: |
--- a/.github/actions/clean_up/README.md
+++ b/.github/actions/clean_up/README.md
@ -0,0 +1 @@
+# acceptance test action
--- a/.github/actions/clean_up/action.yaml
+++ b/.github/actions/clean_up/action.yaml
@ -0,0 +1,168 @@
+name: CleanUp Project Resources
+description: "Acceptance Testing CleanUp"
+
+inputs:
+  project_id:
+    description: "STACKIT project ID for tests"
+    required: true
+
+  region:
+    description: "STACKIT region for tests"
+    default: 'eu01'
+    required: true
+
+  tf_resource_prefix:
+    description: "prefix in resource names"
+    default: 'tf-acc-'
+    required: true
+
+  service_account_json_content:
+    description: "STACKIT service account JSON file contents"
+    required: true
+    default: ''
+
+  service_account_json_content_b64:
+    description: "STACKIT service account JSON file contents"
+    required: true
+    default: ''
+
+  list_only:
+    description: "only list resources, DO NOT delete"
+    required: true
+    default: 'true'
+
+  log_level:
+    description: "Log Level"
+    required: true
+    default: 'warning'
+
+outputs:
+  cli-version:
+    description: "stackit cli version"
+    value: ${{ steps.stackit_version.outputs.version }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Install needed tools
+      shell: bash
+      run: |
+        echo "::group::apt install"
+        set -e
+        apt-get -y -qq update >apt_update.log 2>apt_update_err.log
+        if [ $? -ne 0 ]; then
+          cat apt_update.log apt_update_err.log
+        fi
+        apt-get -y -qq install curl gnupg jq >apt_get.log 2>apt_get_err.log
+        if [ $? -ne 0 ]; then
+          cat apt_get.log apt_get_err.log
+        fi
+        echo "::endgroup::"
+
+        echo "::group::apt add source"
+        curl https://packages.stackit.cloud/keys/key.gpg | gpg --dearmor -o /usr/share/keyrings/stackit.gpg
+        echo "deb [signed-by=/usr/share/keyrings/stackit.gpg] https://packages.stackit.cloud/apt/cli stackit main" | tee -a /etc/apt/sources.list.d/stackit.list
+        echo "::endgroup::"
+
+        echo "::group::apt install stackit cli"
+        apt-get -y -qq update >apt_update.log 2>apt_update_err.log
+        if [ $? -ne 0 ]; then
+          cat apt_update.log apt_update_err.log
+        fi
+        apt-get -y -qq install stackit >apt_get.log 2>apt_get_err.log
+        if [ $? -ne 0 ]; then
+          cat apt_get.log apt_get_err.log
+        fi        
+        echo "::endgroup::"
+
+    - name: Check stackit cli version
+      id: stackit_version
+      run: |
+        set -e
+        VERSION=$(stackit --version | grep "Version:" | cut -d " " -f 2)
+        echo "stackit cli version: ${VERSION}"
+        echo "version=${VERSION}" >> $GITHUB_OUTPUT
+      shell: bash
+
+    - name: Creating service_account file from json input
+      if: inputs.service_account_json_content != ''
+      shell: bash
+      run: |
+        echo "::group::create service account file"
+        set -e
+        set -o pipefail
+
+        echo "${{ inputs.service_account_json_content }}" > .svc_acc.json
+        echo "::endgroup::"
+
+    - name: Creating service_account file from base64 json input
+      if: inputs.service_account_json_content_b64 != ''
+      shell: bash
+      run: |
+        echo "::group::create service account file"
+        set -e
+        set -o pipefail
+
+        echo "${{ inputs.service_account_json_content_b64 }}" | base64 -d > .svc_acc.json 
+        echo "::endgroup::"
+
+    - name: Check service account file exists
+      shell: bash
+      run: |
+        set -e
+        if [[ ! -s .svc_acc.json ]]; then
+          echo "ERROR: service account file missing or empty"
+          exit 1
+        fi
+
+    - name: Retrieve resources
+      run: |
+        echo "::group::retrieve resources"
+        set -e
+        echo "authenticating api"
+        STACKIT_SERVICE_ACCOUNT_KEY_PATH="${PWD}/.svc_acc.json"
+        export STACKIT_SERVICE_ACCOUNT_KEY_PATH
+        stackit auth activate-service-account --service-account-key-path .svc_acc.json
+
+        echo "SQL Server Flex resources:"
+        stackit --verbosity ${{ inputs.log_level }} --project-id "${{ inputs.project_id }}" beta sqlserverflex instance list --output-format json | jq -r '.[] | select(.name | startswith("${{ inputs.tf_resource_prefix }}"))'
+
+        echo "PostgreSQL Flex resources:"
+        stackit --verbosity ${{ inputs.log_level }} --project-id "${{ inputs.project_id }}" postgresflex instance list --output-format json | jq -r '.[] | select(.name | startswith("${{ inputs.tf_resource_prefix }}"))'
+
+        echo "::endgroup::"
+      shell: bash
+
+    - name: Delete SQL Server Flex resources
+      if: ${{ inputs.list_only != 'true' }}
+      run: |
+        echo "::group::delete SQL Server Flex resources"
+        set -e
+        stackit --verbosity ${{ inputs.log_level }} auth activate-service-account --service-account-key-path .svc_acc.json
+        for s in $(stackit --verbosity ${{ inputs.log_level }} --project-id ${{ inputs.project_id }} beta sqlserverflex instance list --output-format json | jq -r '.[] | select(.name | startswith("${{ inputs.tf_resource_prefix }}")) | .id'); do stackit --verbosity ${{ inputs.log_level }} -y --project-id ${{ inputs.project_id }} beta sqlserverflex instance delete $s; done
+        echo "::endgroup::"
+      shell: bash
+
+    - name: Skip Delete SQL Server Flex resources
+      if: ${{ inputs.list_only == 'true' }}
+      run: |
+        set -e
+        echo "Skip deleting: list only mode"
+      shell: bash
+
+    - name: Delete PostgreSQL Flex resources
+      if: ${{ inputs.list_only != 'true' }}
+      run: |
+        echo "::group::delete PostgreSQL Flex resources"
+        set -e
+        stackit auth activate-service-account --service-account-key-path .svc_acc.json
+        for s in $(stackit --verbosity ${{ inputs.log_level }} --project-id ${{ inputs.project_id }} postgresflex instance list --output-format json | jq -r '.[] | select(.name | startswith("${{ inputs.tf_resource_prefix }}")) | .id'); do stackit --verbosity ${{ inputs.log_level }} -y --project-id ${{ inputs.project_id }} postgresflex instance delete $s; done
+        echo "::endgroup::"
+      shell: bash
+
+    - name: Skip Delete PostgreSQL Flex resources
+      if: ${{ inputs.list_only == 'true' }}
+      run: |
+        set -e
+        echo "Skip deleting: list only mode"
+      shell: bash
--- a/.github/actions/setup-cache-go/action.yaml
+++ b/.github/actions/setup-cache-go/action.yaml
@ -0,0 +1,71 @@
+name: 'Setup Go and cache dependencies'
+author: 'Forgejo authors, Marcel S. Henselin'
+description: |
+  Wrap the setup-go with improved dependency caching.
+
+inputs:
+  username:
+    description: 'User for which to manage the dependency cache'
+    default: root
+
+  go-version:
+    description: "go version to install"
+    default: '1.25'
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: "Install zstd for faster caching"
+      shell: bash
+      run: |
+        apt-get update -qq
+        apt-get -q install -qq -y zstd
+
+    - name: "Set up Go using setup-go"
+      uses: https://code.forgejo.org/actions/setup-go@v6
+      id: go-version
+      with:
+        # go-version: ${{ inputs.go-version }}
+        check-latest: true # Always check for the latest patch release
+        go-version-file: "go.mod"
+        # do not cache dependencies, we do this manually
+        cache: false
+
+    - name: "Get go environment information"
+      shell: bash
+      id: go-environment
+      run: |
+        chmod 755 $HOME # ensure ${RUN_AS_USER} has permission when go is located in $HOME
+        export GOROOT="$(go env GOROOT)"
+        echo "modcache=$(su ${RUN_AS_USER} -c '${GOROOT}/bin/go env GOMODCACHE')" >> "$GITHUB_OUTPUT"
+        echo "cache=$(su ${RUN_AS_USER} -c '${GOROOT}/bin/go env GOCACHE')" >> "$GITHUB_OUTPUT"
+      env:
+        RUN_AS_USER: ${{ inputs.username }}
+        GO_VERSION: ${{ steps.go-version.outputs.go-version }}
+
+    - name: "Create cache folders with correct permissions (for non-root users)"
+      shell: bash
+      if: inputs.username != 'root'
+      # when the cache is restored, only the permissions of the last part are restored
+      # so assuming that /home/user exists and we are restoring /home/user/go/pkg/mod,
+      # both folders will have the correct permissions, but
+      # /home/user/go and /home/user/go/pkg might be owned by root
+      run: |
+        su ${RUN_AS_USER} -c 'mkdir -p "${MODCACHE_DIR}" "${CACHE_DIR}"'
+      env:
+        RUN_AS_USER: ${{ inputs.username }}
+        MODCACHE_DIR: ${{ steps.go-environment.outputs.modcache }}
+        CACHE_DIR: ${{ steps.go-environment.outputs.cache }}
+
+    - name: "Restore Go dependencies from cache or mark for later caching"
+      id: cache-deps
+      uses: https://code.forgejo.org/actions/cache@v5
+      with:
+        key: setup-cache-go-deps-${{ runner.os }}-${{ inputs.username }}-${{ steps.go-version.outputs.go_version }}-${{ hashFiles('go.sum', 'go.mod') }}
+        restore-keys: |
+          setup-cache-go-deps-${{ runner.os }}-${{ inputs.username }}-${{ steps.go-version.outputs.go_version }}-
+          setup-cache-go-deps-${{ runner.os }}-${{ inputs.username }}-
+        path: |
+          ${{ steps.go-environment.outputs.modcache }}
+          ${{ steps.go-environment.outputs.cache }}
--- a/.github/workflows/ci.yaml.bak
+++ b/.github/workflows/ci.yaml.bak
@ -6,6 +6,11 @@ on:
      - alpha
      - main
  workflow_dispatch:
+  schedule:
+    # every sunday at 00:00
+    # - cron: '0 0 * * 0'
+    # every day at 00:00
+    - cron: '0 0 * * *'
  push:
    branches:
      - '!main'
@ -17,6 +22,39 @@ env:
  CODE_COVERAGE_ARTIFACT_NAME: "code-coverage"

 jobs:
+  runner_test:
+    name: "Test STACKIT runner"
+    runs-on: stackit-docker
+    steps:
+      - name: Install needed tools
+        run: |
+          apt-get -y -qq update
+          apt-get -y -qq install jq python3 python3-pip python-is-python3 s3cmd git make wget
+
+      - name: Setup Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Install go tools
+        run: |
+          go install golang.org/x/tools/cmd/goimports@latest
+          go install github.com/hashicorp/terraform-plugin-codegen-framework/cmd/tfplugingen-framework@latest
+          go install github.com/hashicorp/terraform-plugin-codegen-openapi/cmd/tfplugingen-openapi@latest
+
+      - name: Setup JAVA
+        uses: actions/setup-java@v5
+        with:
+          distribution: 'temurin' # See 'Supported distributions' for available options
+          java-version: '21'
+
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Run build pkg directory
+        run: |
+          go run cmd/main.go build
+
  publish_test:
    name: "Test readiness for publishing provider"
    needs: config
@ -99,14 +137,72 @@ jobs:
              --gpgPubKeyFile=public_key.pem \
              --version=${VERSION}

+  testing:
+    name: CI run tests
+    runs-on: ubuntu-latest
+    needs: config
+    env:
+      TF_ACC_PROJECT_ID: ${{ vars.TF_ACC_PROJECT_ID }}
+      TF_ACC_REGION: ${{ vars.TF_ACC_REGION }}
+      TF_ACC_TEST_PROJECT_SERVICE_ACCOUNT_EMAIL: ${{ vars.TF_ACC_TEST_PROJECT_SERVICE_ACCOUNT_EMAIL }}
+      TF_ACC_SERVICE_ACCOUNT_FILE: "~/service_account.json"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Build
+        uses: ./.github/actions/build
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_wrapper: false
+
+      - name: Create service account json file
+        if: ${{ github.event_name == 'pull_request' }}
+        run: |
+          echo "${{ secrets.TF_ACC_SERVICE_ACCOUNT_JSON }}" >~/service_account.json
+
+      - name: Run go mod tidy
+        if: ${{ github.event_name == 'pull_request' }}
+        run: go mod tidy
+
+      - name: Testing
+        run: make test
+
+      - name: Acceptance Testing
+        env:
+          TF_ACC: "1"
+        if: ${{ github.event_name == 'pull_request' }}
+        run: make test-acceptance-tf
+
+      - name: Check coverage threshold
+        shell: bash
+        run: |
+          make coverage
+          COVERAGE=$(go tool cover -func=coverage.out | grep total | awk '{print $3}' | sed 's/%//')
+          echo "Coverage: $COVERAGE%"
+          if (( $(echo "$COVERAGE < 80" | bc -l) )); then
+            echo "Coverage is below 80%"
+            # exit 1
+          fi
+
+      - name: Archive code coverage results
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.CODE_COVERAGE_ARTIFACT_NAME }}
+          path: "stackit/${{ env.CODE_COVERAGE_FILE_NAME }}"

  main:
-    name: CI
+    if: ${{ github.event_name != 'schedule' }}
+    name: CI run build and linting
    runs-on: ubuntu-latest
    needs: config
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6

      - name: Build
        uses: ./.github/actions/build
@ -130,27 +226,45 @@ jobs:
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v9
        with:
-          version: v2.7
+          version: v2.9
          args: --config=golang-ci.yaml --allow-parallel-runners --timeout=5m
+        continue-on-error: true

-      - name: Lint
+      - name: Linting
        run: make lint
+        continue-on-error: true

-      - name: Test
-        run: make test
+  #      - name: Testing
+  #        run: make test
+  #
+  #      - name: Acceptance Testing
+  #        if: ${{ github.event_name == 'pull_request' }}
+  #        run: make test-acceptance-tf
+  #
+  #      - name: Check coverage threshold
+  #        shell: bash
+  #        run: |
+  #          make coverage
+  #          COVERAGE=$(go tool cover -func=coverage.out | grep total | awk '{print $3}' | sed 's/%//')
+  #          echo "Coverage: $COVERAGE%"
+  #          if (( $(echo "$COVERAGE < 80" | bc -l) )); then
+  #            echo "Coverage is below 80%"
+  #            # exit 1
+  #          fi

-      - name: Archive code coverage results
-        uses: actions/upload-artifact@v4
-        with:
-          name: ${{ env.CODE_COVERAGE_ARTIFACT_NAME }}
-          path: "stackit/${{ env.CODE_COVERAGE_FILE_NAME }}"
+  #      - name: Archive code coverage results
+  #        uses: actions/upload-artifact@v4
+  #        with:
+  #          name: ${{ env.CODE_COVERAGE_ARTIFACT_NAME }}
+  #          path: "stackit/${{ env.CODE_COVERAGE_FILE_NAME }}"

  config:
+    if: ${{ github.event_name != 'schedule' }}
    name: Check GoReleaser config
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6

      - name: Check GoReleaser
        uses: goreleaser/goreleaser-action@v6
--- a/.github/workflows/ci_new.yaml
+++ b/.github/workflows/ci_new.yaml
@ -0,0 +1,354 @@
+name: CI Workflow
+
+on:
+  pull_request:
+    types: [ opened, synchronize, reopened ]
+    branches:
+      - alpha
+      - main
+  workflow_dispatch:
+  schedule:
+    # every sunday at 00:00
+    # - cron: '0 0 * * 0'
+    # every day at 00:00
+    - cron: '0 0 * * *'
+  push:
+    branches:
+      - '!main'
+      - '!alpha'
+    paths:
+      - '!.github'
+
+env:
+  GO_VERSION: "1.25"
+  CODE_COVERAGE_FILE_NAME: "coverage.out" # must be the same as in Makefile
+  CODE_COVERAGE_ARTIFACT_NAME: "code-coverage"
+
+jobs:
+  config:
+    if: ${{ github.event_name != 'schedule' }}
+    name: Check GoReleaser config
+    runs-on: stackit-docker
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Check GoReleaser
+        uses: goreleaser/goreleaser-action@v7
+        with:
+          args: check
+
+  prepare:
+    name: Prepare GO cache
+    runs-on: stackit-docker
+    permissions:
+      actions: read        # Required to identify workflow run.
+      checks: write        # Required to add status summary.
+      contents: read       # Required to checkout repository.
+      pull-requests: write # Required to add PR comment.
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Install Go ${{ inputs.go-version }}
+        id: go-install
+        uses: actions/setup-go@v6
+        with:
+          # go-version: ${{ inputs.go-version }}
+          check-latest: true
+          go-version-file: 'go.mod'
+
+      - name: Determine GOMODCACHE
+        shell: bash
+        id: goenv
+        run: |
+          set -e
+          # echo "::set-output name=gomodcache::$(go env GOMODCACHE)"
+          echo "gomodcache=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
+
+      - name: Restore cached GO pkg
+        id: cache-gopkg
+        uses: actions/cache/restore@v5
+        with:
+          path: "${{ steps.goenv.outputs.gomodcache }}"
+          key: ${{ runner.os }}-gopkg
+
+      - name: Install go tools
+        if: steps.cache-gopkg.outputs.cache-hit != 'true'
+        run: |
+          go install golang.org/x/tools/cmd/goimports@latest
+          go install github.com/hashicorp/terraform-plugin-codegen-framework/cmd/tfplugingen-framework@latest
+          go install github.com/hashicorp/terraform-plugin-codegen-openapi/cmd/tfplugingen-openapi@latest
+
+      - name: Get all go packages
+        if: steps.cache-gopkg.outputs.cache-hit != 'true'
+        shell: bash
+        run: |
+          set -e
+          go get ./...
+
+      - name: Save Cache
+        if: steps.cache-gopkg.outputs.cache-hit != 'true'
+        id: cache-gopkg-save
+        uses: actions/cache/save@v5
+        with:
+          path: |
+            ${{ steps.goenv.outputs.gomodcache }}
+          key: ${{ runner.os }}-gopkg
+
+
+  publish_test:
+    name: "Test readiness for publishing provider"
+    needs:
+      - config
+      - prepare
+    runs-on: stackit-docker
+    permissions:
+      actions: read        # Required to identify workflow run.
+      checks: write        # Required to add status summary.
+      contents: read       # Required to checkout repository.
+      pull-requests: write # Required to add PR comment.
+    steps:
+      - name: Install needed tools
+        run: |
+          apt-get -y -qq update
+          apt-get -y -qq install jq python3 python3-pip python-is-python3 s3cmd git make wget unzip bc
+
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Setup Go
+        uses: actions/setup-go@v6
+        with:
+          # go-version: ${{ env.GO_VERSION }}
+          check-latest: true
+          go-version-file: 'go.mod'
+
+      - name: Install go tools
+        run: |
+          go install golang.org/x/tools/cmd/goimports@latest
+          go install github.com/hashicorp/terraform-plugin-codegen-framework/cmd/tfplugingen-framework@latest
+          go install github.com/hashicorp/terraform-plugin-codegen-openapi/cmd/tfplugingen-openapi@latest
+
+      - name: Setup JAVA
+        uses: actions/setup-java@v5
+        with:
+          distribution: 'temurin' # See 'Supported distributions' for available options
+          java-version: '21'
+
+#      - name: Run build pkg directory
+#        run: |
+#          go run generator/main.go build
+
+      - name: Set up s3cfg
+        run: |
+          cat <<'EOF' >> ~/.s3cfg
+          [default]
+          host_base = https://object.storage.eu01.onstackit.cloud
+          host_bucket = https://%(bucket).object.storage.eu01.onstackit.cloud
+          check_ssl_certificate = False
+          access_key = ${{ secrets.S3_ACCESS_KEY }}
+          secret_key = ${{ secrets.S3_SECRET_KEY }}
+          EOF
+
+      - name: Import GPG key
+        run: |
+          echo "${{ secrets.PRIVATE_KEY_PEM }}" > ~/private.key.pem
+          gpg --import ~/private.key.pem
+          rm ~/private.key.pem
+
+      - name: Run GoReleaser with SNAPSHOT
+        id: goreleaser
+        env:
+          GITHUB_TOKEN: ${{ env.FORGEJO_TOKEN }}
+          GPG_FINGERPRINT: ${{ secrets.GPG_FINGERPRINT }}
+        uses: goreleaser/goreleaser-action@v7
+        with:
+          args: release --skip publish --clean --snapshot
+
+      - name: Prepare key file
+        run: |
+          echo "${{ secrets.PUBLIC_KEY_PEM }}" >public_key.pem
+
+      - name: Prepare provider directory structure
+        run: |
+          VERSION=$(jq -r .version < dist/metadata.json)
+          go run generator/main.go \
+            publish \
+              --namespace=mhenselin \
+              --providerName=stackitprivatepreview \
+              --repoName=terraform-provider-stackitprivatepreview \
+              --domain=tfregistry.sysops.stackit.rocks \
+              --gpgFingerprint="${{ secrets.GPG_FINGERPRINT }}" \
+              --gpgPubKeyFile=public_key.pem \
+              --version=${VERSION}
+
+  testing:
+    name: CI run tests
+    runs-on: stackit-docker
+    needs:
+      - config
+      - prepare
+    env:
+      TF_ACC_PROJECT_ID: ${{ vars.TF_ACC_PROJECT_ID }}
+      TF_ACC_ORGANIZATION_ID: ${{ vars.TF_ACC_ORGANIZATION_ID }}
+      TF_ACC_REGION: ${{ vars.TF_ACC_REGION }}
+      TF_ACC_TEST_PROJECT_SERVICE_ACCOUNT_EMAIL: ${{ vars.TF_ACC_TEST_PROJECT_SERVICE_ACCOUNT_EMAIL }}
+      TF_ACC_SERVICE_ACCOUNT_FILE: "~/service_account.json"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Build
+        uses: ./.github/actions/build
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_wrapper: false
+
+      - name: Create service account json file
+        if: ${{ github.event_name == 'pull_request' }}
+        run: |
+          echo "${{ secrets.TF_ACC_SERVICE_ACCOUNT_JSON }}" >~/.service_account.json
+
+      - name: Run go mod tidy
+        if: ${{ github.event_name == 'pull_request' }}
+        run: go mod tidy
+
+      - name: Testing
+        if: ${{ github.event_name != 'pull_request' }}
+        run: |
+          unset TF_ACC
+          TF_ACC_SERVICE_ACCOUNT_FILE=~/.service_account.json
+          export TF_ACC_SERVICE_ACCOUNT_FILE
+          make test
+
+      - name: Testing with coverage
+        if: ${{ github.event_name == 'pull_request' }}
+        run: |
+          unset TF_ACC
+          TF_ACC_SERVICE_ACCOUNT_FILE=~/.service_account.json
+          export TF_ACC_SERVICE_ACCOUNT_FILE
+          make coverage
+
+#      - name: Acceptance Testing
+#        env:
+#          TF_ACC: "1"
+#        if: ${{ github.event_name == 'pull_request' }}
+#        run: |
+#          TF_ACC_SERVICE_ACCOUNT_FILE=~/.service_account.json
+#          export TF_ACC_SERVICE_ACCOUNT_FILE
+#          make test-acceptance-tf
+
+#      - name: Run Acceptance Test
+#        if: ${{ github.event_name == 'pull_request' }}
+#        uses: ./.github/actions/acc_test
+#        with:
+#          go-version: ${{ env.GO_VERSION }}
+#          project_id: ${{ vars.TF_ACC_PROJECT_ID }}
+#          region: ${{ vars.TF_ACC_REGION }}
+#          service_account_json_content_b64: "${{ secrets.TF_ACC_SERVICE_ACCOUNT_JSON_B64 }}"
+#          project_user_email: ${{ vars.TEST_PROJECT_USER_EMAIL }}
+#          tf_acc_kek_key_id: ${{ vars.TF_ACC_KEK_KEY_ID }}
+#          tf_acc_kek_key_ring_id: ${{ vars.TF_ACC_KEK_KEY_RING_ID }}
+#          tf_acc_kek_key_version: ${{ vars.TF_ACC_KEK_KEY_VERSION }}
+#          tf_acc_kek_service_account: ${{ vars.TF_ACC_KEK_SERVICE_ACCOUNT }}
+#          # service_account_json_file_path: "~/service_account.json"
+
+      - name: Check coverage threshold
+        shell: bash
+        run: |
+          make coverage
+          COVERAGE=$(go tool cover -func=coverage.out | grep total | awk '{print $3}' | sed 's/%//')
+          echo "Coverage: $COVERAGE%"
+          if (( $(echo "$COVERAGE < 80" | bc -l) )); then
+            echo "Coverage is below 80%"
+            # exit 1
+          fi
+
+      - name: Archive code coverage results
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.CODE_COVERAGE_ARTIFACT_NAME }}
+          path: "stackit/${{ env.CODE_COVERAGE_FILE_NAME }}"
+
+  main:
+    if: ${{ github.event_name != 'schedule' }}
+    name: CI run build and linting
+    runs-on: stackit-docker
+    needs:
+      - config
+      - prepare
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+      
+#      - uses: actions/cache@v5
+#        id: cache
+#        with:
+#          path: path/to/dependencies
+#          key: ${{ runner.os }}-${{ hashFiles('**/lockfiles') }}
+
+#      - name: Install Dependencies
+#        if: steps.cache.outputs.cache-hit != 'true'
+#        run: /install.sh
+
+      - name: Build
+        uses: ./.github/actions/build
+        with:
+          go-version: ${{ env.GO_VERSION }}
+      
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_wrapper: false
+
+      - name: "Ensure docs are up-to-date"
+        if: ${{ github.event_name == 'pull_request' }}
+        run: ./scripts/check-docs.sh
+        continue-on-error: true
+
+      - name: "Run go mod tidy"
+        if: ${{ github.event_name == 'pull_request' }}
+        run: go mod tidy
+
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v9
+        with:
+          version: v2.10
+          args: --config=.golang-ci.yaml --allow-parallel-runners --timeout=5m
+        continue-on-error: true
+
+      - name: Linting terraform files
+        run: make lint-tf
+        continue-on-error: true
+
+  code_coverage:
+    name: "Code coverage report"
+    if: github.event_name == 'pull_request' # Do not run when workflow is triggered by push to main branch
+    runs-on: stackit-docker
+    needs:
+      - main
+      - prepare
+    permissions:
+      contents: read
+      actions: read  # to download code coverage results from "main" job
+      pull-requests: write # write permission needed to comment on PR
+    steps:
+      - name: Install needed tools
+        shell: bash
+        run: |
+          set -e
+          apt-get -y -qq update
+          apt-get -y -qq install sudo
+
+      - name: Check new code coverage
+        uses: fgrosse/go-coverage-report@v1.2.0
+        continue-on-error: true  # Add this line to prevent pipeline failures in forks
+        with:
+          coverage-artifact-name: ${{ env.CODE_COVERAGE_ARTIFACT_NAME }}
+          coverage-file-name: ${{ env.CODE_COVERAGE_FILE_NAME }}
+          root-package: 'github.com/stackitcloud/terraform-provider-stackit'
--- a/.github/workflows/clean_up.yaml
+++ b/.github/workflows/clean_up.yaml
@ -0,0 +1,45 @@
+name: TF Acceptance Test CleanUp
+
+on:
+  workflow_dispatch:
+    inputs:
+      list_only:
+        description: "only list resources"
+        type: boolean
+        default: true
+        required: true
+
+      res_prefix:
+        description: "resource name prefix"
+        type: string
+        default: 'tf-acc-'
+        required: true
+
+      log_level:
+        description: 'Log Level'
+        required: true
+        default: 'warning'
+        type: choice
+        options:
+          - info
+          - warning
+          - debug
+          - error
+
+jobs:
+  clean:
+    name: Clean up
+    runs-on: stackit-docker
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Clean
+        uses: ./.github/actions/clean_up
+        with:
+          project_id: ${{ vars.TF_ACC_PROJECT_ID }}
+          region: 'eu01'
+          tf_resource_prefix: ${{ inputs.res_prefix }}
+          service_account_json_content_b64: "${{ secrets.TF_ACC_SERVICE_ACCOUNT_JSON_B64 }}"
+          list_only: ${{ inputs.list_only }}
+          log_level: ${{ inputs.log_level }}
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@ -4,9 +4,10 @@ run-name: Publish by @${{ github.actor }}

 on:
  workflow_dispatch:
+
  push:
    tags:
-      - 'v0.*'
+      - 'v*'

 env:
  GO_VERSION: "1.25"
@ -16,26 +17,24 @@ env:
 jobs:
  config:
    name: Check GoReleaser config
-    if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6

      - name: Check GoReleaser
-        uses: goreleaser/goreleaser-action@v6
+        uses: goreleaser/goreleaser-action@v7
        with:
          args: check

  publish:
    name: "Publish provider"
-    if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
    needs: config
    runs-on: ubuntu-latest
    permissions:
      actions: read        # Required to identify workflow run.
      checks: write        # Required to add status summary.
-      contents: read       # Required to checkout repository.
+      contents: write       # Required to checkout repository.
      pull-requests: write # Required to add PR comment.
    steps:
      - name: Install needed tools
@ -43,10 +42,17 @@ jobs:
          apt-get -y -qq update
          apt-get -y -qq install jq python3 python3-pip python-is-python3 s3cmd git make wget

+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-tags: true
+
      - name: Setup Go
        uses: actions/setup-go@v6
        with:
-          go-version: ${{ env.GO_VERSION }}
+          # go-version: ${{ env.GO_VERSION }}
+          check-latest: true
+          go-version-file: 'go.mod'

      - name: Install go tools
        run: |
@ -60,13 +66,6 @@ jobs:
          distribution: 'temurin' # See 'Supported distributions' for available options
          java-version: '21'

-      - name: Checkout
-        uses: actions/checkout@v6
-
-      - name: Run build pkg directory
-        run: |
-          go run cmd/main.go build
-
      - name: Set up s3cfg
        run: |
          cat <<'EOF' >> ~/.s3cfg
@ -84,15 +83,16 @@ jobs:
          gpg --import ~/private.key.pem
          rm ~/private.key.pem

-      - name: Run GoReleaser with SNAPSHOT
+      - name: Run GoReleaser
        if: github.event_name == 'workflow_dispatch'
        id: goreleaser
        env:
          GITHUB_TOKEN: ${{ env.FORGEJO_TOKEN }}
          GPG_FINGERPRINT: ${{ secrets.GPG_FINGERPRINT }}
-        uses: goreleaser/goreleaser-action@v6
+        uses: goreleaser/goreleaser-action@v7
        with:
-          args: release --skip publish --clean --snapshot
+#          args: release --skip publish --clean --snapshot
+          args: release --skip publish --clean

      - name: Run GoReleaser
        if: github.event_name != 'workflow_dispatch'
@ -100,7 +100,7 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ env.FORGEJO_TOKEN }}
          GPG_FINGERPRINT: ${{ secrets.GPG_FINGERPRINT }}
-        uses: goreleaser/goreleaser-action@v6
+        uses: goreleaser/goreleaser-action@v7
        with:
          args: release --skip publish --clean

@ -108,10 +108,16 @@ jobs:
        run: |
          echo "${{ secrets.PUBLIC_KEY_PEM }}" >public_key.pem

+      - name: Determine version
+        id: get_version
+        run: |
+          set -e
+          VERSION=$(jq -r .version < dist/metadata.json)
+          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
+
      - name: Prepare provider directory structure
        run: |
-          VERSION=$(jq -r .version < dist/metadata.json)
-          go run cmd/main.go \
+          go run generator/main.go \
            publish \
              --namespace=mhenselin \
              --providerName=stackitprivatepreview \
@ -119,7 +125,13 @@ jobs:
              --domain=tfregistry.sysops.stackit.rocks \
              --gpgFingerprint="${{ secrets.GPG_FINGERPRINT }}" \
              --gpgPubKeyFile=public_key.pem \
-              --version=${VERSION}
+              --version=${{ steps.get_version.outputs.version }}
+
+      - name: Prepare documentation nav file
+        run: |
+          go run generator/main.go \
+            docs \
+            --outFile nav.md

      - name: Publish provider to S3
        run: |
@ -127,3 +139,18 @@ jobs:
          cd release/
          s3cmd put --recursive v1 s3://terraform-provider-privatepreview/
          s3cmd put --recursive .well-known s3://terraform-provider-privatepreview/
+
+      - name: Import SSH key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.DOCS_UPLOAD_SSH_KEY }}" > ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
+
+      - name: Upload docs via scp
+        run: |
+          set -e
+          ssh -o StrictHostKeyChecking=no ubuntu@${{ vars.DOCS_SERVER_IP }} 'rm -rf /srv/www/docs'
+          echo "${{ steps.get_version.outputs.version }}" >docs/_version.txt
+          # echo "${{ github.ref_name }}" >docs/_version.txt
+          scp -o StrictHostKeyChecking=no -r docs ubuntu@${{ vars.DOCS_SERVER_IP }}:/srv/www/
+          scp -o StrictHostKeyChecking=no nav.md ubuntu@${{ vars.DOCS_SERVER_IP }}:/srv/www/
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -16,23 +16,25 @@ permissions:

 jobs:
  goreleaser:
-    runs-on: ubuntu-latest
+    runs-on: stackit-docker
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
        with:
          # Allow goreleaser to access older tag information.
          fetch-depth: 0
-      - uses: actions/setup-go@v5
+
+      - uses: actions/setup-go@v6
        with:
          go-version-file: "go.mod"
          cache: true
+
      - name: Import GPG key
        uses: crazy-max/ghaction-import-gpg@v6
        id: import_gpg
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v6
+        uses: goreleaser/goreleaser-action@v7
        with:
          args: release --clean
        env:
--- a/.github/workflows/renovate.yaml
+++ b/.github/workflows/renovate.yaml
@ -8,12 +8,14 @@ on:
 jobs:
  renovate:
    name: Renovate
-    runs-on: ubuntu-latest
+    runs-on: stackit-docker
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
+
      - name: Self-hosted Renovate
-        uses: renovatebot/github-action@v41.0.0
+        uses: renovatebot/github-action@v46.1.5
        with:
          configurationFile: .github/renovate.json
-          token: ${{ secrets.RENOVATE_TOKEN }}
+          # token: ${{ secrets.RENOVATE_TOKEN }}
+          token: ${{ env.FORGEJO_TOKEN }}
--- a/.github/workflows/runnerstats.yaml
+++ b/.github/workflows/runnerstats.yaml
@ -0,0 +1,29 @@
+name: Runner stats
+
+on:
+  workflow_dispatch:
+
+jobs:
+  stats-own:
+    name: "Get own runner stats"
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install needed tools
+        run: |
+          apt-get -y -qq update
+          apt-get -y -qq install inxi
+
+      - name: Show stats
+        run: inxi -c 0
+
+  stats-stackit:
+    name: "Get STACKIT runner stats"
+    runs-on: stackit-docker
+    steps:
+      - name: Install needed tools
+        run: |
+          apt-get -y -qq update
+          apt-get -y -qq install inxi
+
+      - name: Show stats
+        run: inxi -c 0
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@ -20,7 +20,7 @@ permissions:
 jobs:
  stale:
    name: "Stale"
-    runs-on: ubuntu-latest
+    runs-on: stackit-docker
    timeout-minutes: 10
    steps:
      - name: "Mark old PRs as stale"
--- a/.github/workflows/tf-acc-test.yaml
+++ b/.github/workflows/tf-acc-test.yaml
@ -1,27 +1,61 @@
 name: TF Acceptance Tests Workflow

 on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+    branches:
+      - alpha
+      - main
  push:
    branches:
      - master
  workflow_dispatch:
+    inputs:
+      enable_debug:
+        description: "enable terraform debug logs"
+        type: boolean
+        default: false
+        required: true
+      test_timeout_string:
+        description: "string that determines the timeout (default: 45m)"
+        type: string
+        default: '90m'
+        required: true

 jobs:
-  main:
+  acc_test:
    name: Acceptance Tests
-    runs-on: ubuntu-latest
+    runs-on: stackit-docker
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Install project tools and dependencies
-        run: make project-tools
-      - name: Run tests
-        run: |
-          make test-acceptance-tf TF_ACC_PROJECT_ID=$${{ secrets.TF_ACC_PROJECT_ID }} TF_ACC_ORGANIZATION_ID=$${{ secrets.TF_ACC_ORGANIZATION_ID }} TF_ACC_REGION="eu01"
-        env:
-          STACKIT_SERVICE_ACCOUNT_TOKEN: ${{ secrets.TF_ACC_SERVICE_ACCOUNT_TOKEN }}
-          TF_ACC_TEST_PROJECT_SERVICE_ACCOUNT_EMAIL: ${{ secrets.TF_ACC_TEST_PROJECT_SERVICE_ACCOUNT_EMAIL }}
-          TF_ACC_TEST_PROJECT_SERVICE_ACCOUNT_TOKEN: ${{ secrets.TF_ACC_TEST_PROJECT_SERVICE_ACCOUNT_TOKEN }}
-          TF_ACC_TEST_PROJECT_PARENT_CONTAINER_ID: ${{ secrets.TF_ACC_TEST_PROJECT_PARENT_CONTAINER_ID }}
-          TF_ACC_TEST_PROJECT_PARENT_UUID: ${{ secrets.TF_ACC_TEST_PROJECT_PARENT_UUID }}
-          TF_ACC_TEST_PROJECT_USER_EMAIL: ${{ secrets.TF_ACC_TEST_PROJECT_USER_EMAIL }}
+        uses: actions/checkout@v6
+
+      - name: Run Test (workflow dispatch)
+        if: ${{ github.event_name == 'workflow_dispatch' }}
+        uses: ./.github/actions/acc_test
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          project_id: ${{ vars.TF_ACC_PROJECT_ID }}
+          region: 'eu01'
+          service_account_json_content_b64: "${{ secrets.TF_ACC_SERVICE_ACCOUNT_JSON_B64 }}"
+          project_user_email: ${{ vars.TEST_PROJECT_USER_EMAIL }}
+          tf_acc_kek_key_id: ${{ vars.TF_ACC_KEK_KEY_ID }}
+          tf_acc_kek_key_ring_id: ${{ vars.TF_ACC_KEK_KEY_RING_ID }}
+          tf_acc_kek_key_version: ${{ vars.TF_ACC_KEK_KEY_VERSION }}
+          tf_acc_kek_service_account: ${{ vars.TF_ACC_KEK_SERVICE_ACCOUNT }}
+          tf_debug: ${{ inputs.enable_debug }}
+          test_timeout_string: ${{ inputs.test_timeout_string }}
+
+      - name: Run Test (automatic)
+        if: ${{ github.event_name != 'workflow_dispatch' }}
+        uses: ./.github/actions/acc_test
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          project_id: ${{ vars.TF_ACC_PROJECT_ID }}
+          region: 'eu01'
+          service_account_json_content_b64: "${{ secrets.TF_ACC_SERVICE_ACCOUNT_JSON_B64 }}"
+          project_user_email: ${{ vars.TEST_PROJECT_USER_EMAIL }}
+          tf_acc_kek_key_id: ${{ vars.TF_ACC_KEK_KEY_ID }}
+          tf_acc_kek_key_ring_id: ${{ vars.TF_ACC_KEK_KEY_RING_ID }}
+          tf_acc_kek_key_version: ${{ vars.TF_ACC_KEK_KEY_VERSION }}
+          tf_acc_kek_service_account: ${{ vars.TF_ACC_KEK_SERVICE_ACCOUNT }}
--- a/.gitignore
+++ b/.gitignore
@ -40,8 +40,12 @@ coverage.out
 coverage.html
 generated
 stackit-sdk-generator
+stackit-sdk-generator/**
 dist

 .secrets

 pkg_gen
+/release/
+.env
+**/.env
--- a/.golang-ci.yaml
+++ b/.golang-ci.yaml
@ -1,7 +1,13 @@
-
 version: "2"
 run:
  concurrency: 4
+output:
+  formats:
+    text:
+      print-linter-name: true
+      print-issued-lines: true
+      colors: true
+      path: stdout
 linters:
  enable:
    - bodyclose
@ -23,7 +29,8 @@ linters:
    depguard:
      rules:
        main:
-          list-mode: lax
+          list-mode: original
+          allow: []
          deny:
            - pkg: github.com/stretchr/testify
              desc: Do not use a testing framework
@ -63,13 +70,17 @@ linters:
        - name: empty-lines
        - name: early-return
  exclusions:
-    generated: lax
    paths:
-      - third_party$
-      - builtin$
-      - examples$
-      - tools/copy.go
-      - tools/main.go
+      - generator/
+      - internal/testutils
+    generated: lax
+    warn-unused: true
+    # Excluding configuration per-path, per-linter, per-text and per-source.
+    rules:
+      # Exclude some linters from running on tests files.
+        - path: _test\.go
+          linters:
+            - gochecknoinits
 formatters:
  enable:
    - gofmt
@ -77,10 +88,4 @@ formatters:
  settings:
    goimports:
      local-prefixes:
-        - github.com/freiheit-com/nmww
-  exclusions:
-    generated: lax
-    paths:
-      - third_party$
-      - builtin$
-      - examples$
+        - tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@ -19,20 +19,20 @@ builds:
  ldflags:
    - '-s -w -X main.version={{.Version}} -X main.commit={{.Commit}}'
  goos:
-#    - freebsd
-#    - windows
+    - freebsd
+    - windows
    - linux
    - darwin
  goarch:
    - amd64
-#    - '386'
-#    - arm
+    - '386'
+    - arm
    - arm64
-#  ignore:
-#    - goos: darwin
-#      goarch: '386'
-#    - goos: windows
-#      goarch: arm
+  ignore:
+    - goos: darwin
+      goarch: '386'
+    - goos: windows
+      goarch: arm
  binary: '{{ .ProjectName }}_v{{ .Version }}'
 archives:
 - formats: [ 'zip' ]
--- a/14
+++ b/14
@ -12,17 +12,20 @@ project-tools:
 # LINT
 lint-golangci-lint:
 	@echo "Linting with golangci-lint"
-	@$(SCRIPTS_BASE)/lint-golangci-lint.sh
+	@go run github.com/golangci/golangci-lint/v2/cmd/golangci-lint run --fix --config .golang-ci.yaml
+

 lint-tf:
 	@echo "Linting terraform files"
-	@terraform fmt -check -diff -recursive
+	@terraform fmt -check -diff -recursive examples/
+	@terraform fmt -check -diff -recursive stackit/

 lint: lint-golangci-lint lint-tf

 # DOCUMENTATION GENERATION
 generate-docs:
 	@echo "Generating documentation with tfplugindocs"
+
 	@$(SCRIPTS_BASE)/tfplugindocs.sh

 build:
@ -34,15 +37,16 @@ fmt:
 	@terraform fmt -diff -recursive

 # TEST
+.PHONY: test coverage
 test:
 	@echo "Running tests for the terraform provider"
-	@cd $(ROOT_DIR)/stackit && go test ./... -count=1 -coverprofile=coverage.out && cd $(ROOT_DIR)
+	@cd $(ROOT_DIR)/stackit && go test -timeout 0 ./... -count=1 -coverprofile=../coverage.out && cd $(ROOT_DIR)

 # Test coverage
 coverage:
 	@echo ">> Creating test coverage report for the terraform provider"
-	@cd $(ROOT_DIR)/stackit && (go test ./... -count=1 -coverprofile=coverage.out || true) && cd $(ROOT_DIR)
-	@cd $(ROOT_DIR)/stackit && go tool cover -html=coverage.out -o coverage.html && cd $(ROOT_DIR)
+	@cd $(ROOT_DIR)/stackit && (go test -timeout 0 ./... -count=1 -coverprofile=../coverage.out || true) && cd $(ROOT_DIR)
+	@cd $(ROOT_DIR)/stackit && go tool cover -html=../coverage.out -o ../coverage.html && cd $(ROOT_DIR)

 test-acceptance-tf:
 	@if [ -z $(TF_ACC_PROJECT_ID) ]; then echo "Input TF_ACC_PROJECT_ID missing"; exit 1; fi
--- a/README.md
+++ b/README.md
@ -1,15 +1,14 @@
 <div align="center">
-<br>
 <img src=".github/images/stackit-logo.svg" alt="STACKIT logo" width="50%"/>
-<br>
-<br>
 </div>

-# STACKIT Terraform Provider
+# STACKIT Terraform Provider <br />(PRIVATE PREVIEW)

-[![Go Report Card](https://goreportcard.com/badge/github.com/stackitcloud/terraform-provider-stackit)](https://goreportcard.com/report/github.com/stackitcloud/terraform-provider-stackit) [![GitHub Release](https://img.shields.io/github/v/release/stackitcloud/terraform-provider-stackit)](https://registry.terraform.io/providers/stackitcloud/stackit/latest) ![GitHub go.mod Go version](https://img.shields.io/github/go-mod/go-version/stackitcloud/terraform-provider-stackit) [![GitHub License](https://img.shields.io/github/license/stackitcloud/terraform-provider-stackit)](https://www.apache.org/licenses/LICENSE-2.0)
+[![GitHub Release](https://img.shields.io/github/v/release/stackitcloud/terraform-provider-stackit)](https://registry.terraform.io/providers/stackitcloud/stackit/latest) ![GitHub go.mod Go version](https://img.shields.io/github/go-mod/go-version/stackitcloud/terraform-provider-stackit) [![GitHub License](https://img.shields.io/github/license/stackitcloud/terraform-provider-stackit)](https://www.apache.org/licenses/LICENSE-2.0)

-This project is the official [Terraform Provider](https://registry.terraform.io/providers/stackitcloud/stackit/latest/docs) for [STACKIT](https://www.stackit.de/en/), which allows you to manage STACKIT resources through Terraform.
+This project is the **NOT** official [Terraform Provider](https://registry.terraform.io/providers/stackitcloud/stackit/latest/docs) for [STACKIT](https://www.stackit.de/en/)!
+
+This a **private preview only**, which allows you to manage STACKIT resources through Terraform.

 ## Getting Started

@ -18,26 +17,27 @@ To install the [STACKIT Terraform Provider](https://registry.terraform.io/provid
 ```hcl
 terraform {
  required_providers {
-    stackit = {
-      source = "stackitcloud/stackit"
-      version = "X.X.X"
+    stackitprivatepreview = {
+      source  = "tfregistry.sysops.stackit.rocks/mhenselin/stackitprivatepreview"
+      version = ">= 0.1.0"
    }
  }
 }

-provider "stackit" {
+provider "stackitprivatepreview" {
  # Configuration options
 }
 ```

 Check one of the examples in the [examples](examples/) folder.

+<big font-size="3rem">TODO: revise the following sections</big>
+
 ## Authentication

 To authenticate, you will need a [service account](https://docs.stackit.cloud/platform/access-and-identity/service-accounts/). Create it in the [STACKIT Portal](https://portal.stackit.cloud/) and assign the necessary permissions to it, e.g. `project.owner`. There are multiple ways to authenticate:

 - Key flow (recommended)
- Token flow (is scheduled for deprecation and will be removed on December 17, 2025.)

 When setting up authentication, the provider will always try to use the key flow first and search for credentials in several locations, following a specific order:

@ -51,7 +51,6 @@ When setting up authentication, the provider will always try to use the key flow

   ```json
   {
-     "STACKIT_SERVICE_ACCOUNT_TOKEN": "foo_token",
     "STACKIT_SERVICE_ACCOUNT_KEY_PATH": "path/to/sa_key.json"
   }
   ```
@ -99,6 +98,12 @@ To configure the key flow, follow this steps:
 3. Configure the service account key for authentication in the provider by following one of the alternatives below:

   - setting the fields in the provider block: `service_account_key` or `service_account_key_path`
+     ```hcl
+     provider "stackitprivatepreview" {
+        default_region           = "eu01"
+        service_account_key_path = "../service_account.json"
+     }
+     ```
   - setting the environment variable: `STACKIT_SERVICE_ACCOUNT_KEY_PATH` or `STACKIT_SERVICE_ACCOUNT_KEY`
     - ensure the set the service account key in `STACKIT_SERVICE_ACCOUNT_KEY` is correctly formatted. Use e.g.
       `$ export STACKIT_SERVICE_ACCOUNT_KEY=$(cat ./service-account-key.json)`
@ -110,16 +115,6 @@ To configure the key flow, follow this steps:
 > - setting the environment variable: `STACKIT_PRIVATE_KEY_PATH` or `STACKIT_PRIVATE_KEY`
 > - setting `STACKIT_PRIVATE_KEY_PATH` in the credentials file (see above)

-### Token flow
-
-> Is scheduled for deprecation and will be removed on December 17, 2025.
-
-Using this flow is less secure since the token is long-lived. You can provide the token in several ways:
-
-1. Setting the field `service_account_token` in the provider
-2. Setting the environment variable `STACKIT_SERVICE_ACCOUNT_TOKEN`
-3. Setting it in the credentials file (see above)
-
 ## Backend configuration

 To keep track of your terraform state, you can configure an [S3 backend](https://developer.hashicorp.com/terraform/language/settings/backends/s3) using [STACKIT Object Storage](https://docs.stackit.cloud/products/storage/object-storage).
@ -149,62 +144,6 @@ terraform {

 Note: AWS specific checks must be skipped as they do not work on STACKIT. For details on what those validations do, see [here](https://developer.hashicorp.com/terraform/language/settings/backends/s3#configuration).

-## Opting into Beta Resources
-
-To use beta resources in the STACKIT Terraform provider, follow these steps:
-
-1. **Provider Configuration Option**
-
-   Set the `enable_beta_resources` option in the provider configuration. This is a boolean attribute that can be either `true` or `false`.
-
-   ```hcl
-   provider "stackit" {
-     default_region        = "eu01"
-     enable_beta_resources = true
-   }
-   ```
-
-2. **Environment Variable**
-
-   Set the `STACKIT_TF_ENABLE_BETA_RESOURCES` environment variable to `"true"` or `"false"`. Other values will be ignored and will produce a warning.
-
-   ```sh
-   export STACKIT_TF_ENABLE_BETA_RESOURCES=true
-   ```
-
-> **Note**: The environment variable takes precedence over the provider configuration option. This means that if the `STACKIT_TF_ENABLE_BETA_RESOURCES` environment variable is set to a valid value (`"true"` or `"false"`), it will override the `enable_beta_resources` option specified in the provider configuration.
-
-For more details, please refer to the [beta resources configuration guide](https://registry.terraform.io/providers/stackitcloud/stackit/latest/docs/guides/opting_into_beta_resources).
-
-## Opting into Experiments
-
-Experiments are features that are even less mature and stable than Beta Resources. While there is some assumed stability in beta resources, will have to expect breaking changes while using experimental resources. Experimental Resources do not come with any support or warranty.
-
-To enable experiments set the experiments field in the provider definition:
-
-```hcl
-provider "stackit" {
-  default_region        = "eu01"
-  experiments           = ["iam", "routing-tables", "network"]
-}
-```
-
-### Available Experiments
-
-#### `iam`
-
-Enables IAM management features in the Terraform provider. The underlying IAM API is expected to undergo a redesign in the future, which leads to it being considered experimental.
-
-#### `routing-tables`
-
-This feature enables experimental routing table capabilities in the Terraform Provider, available only to designated SNAs at this time.
-
-#### `network`
-
-The `stackit_network` provides the fields `region` and `routing_table_id` when the experiment flag `network` is set. 
-The underlying API is not stable yet and could change in the future.  
-If you don't need these fields, don't set the experiment flag `network`, to use the stable api.
-
 ## Acceptance Tests

 > [!WARNING]
--- a/cmd/cmd/build/build.go
+++ b/cmd/cmd/build/build.go
@ -1,737 +0,0 @@
-package build
-
-import (
-	"bytes"
-	"errors"
-	"fmt"
-	"io"
-	"log"
-	"log/slog"
-	"os"
-	"os/exec"
-	"path"
-	"path/filepath"
-	"regexp"
-	"strconv"
-	"strings"
-	"text/template"
-
-	"github.com/ldez/go-git-cmd-wrapper/v2/clone"
-	"github.com/ldez/go-git-cmd-wrapper/v2/git"
-)
-
-const (
-	OAS_REPO_NAME = "stackit-api-specifications"
-	OAS_REPO      = "https://github.com/stackitcloud/stackit-api-specifications.git"
-	GEN_REPO_NAME = "stackit-sdk-generator"
-	GEN_REPO      = "https://github.com/stackitcloud/stackit-sdk-generator.git"
-)
-
-type version struct {
-	verString string
-	major     int
-	minor     int
-}
-
-func Build() error {
-	slog.Info("Starting Builder")
-	root, err := getRoot()
-	if err != nil {
-		log.Fatal(err)
-	}
-	if root == nil || *root == "" {
-		return fmt.Errorf("unable to determine root directory from git")
-	}
-	slog.Info("Using root directory", "dir", *root)
-
-	slog.Info("Cleaning up old generator directory")
-	err = os.RemoveAll(path.Join(*root, GEN_REPO_NAME))
-	if err != nil {
-		return err
-	}
-
-	slog.Info("Cleaning up old packages directory")
-	err = os.RemoveAll(path.Join(*root, "pkg_gen"))
-	if err != nil {
-		return err
-	}
-
-	slog.Info("Creating generator dir", "dir", fmt.Sprintf("%s/%s", *root, GEN_REPO_NAME))
-	genDir, err := createGeneratorDir(*root, GEN_REPO, GEN_REPO_NAME)
-	if err != nil {
-		return err
-	}
-
-	slog.Info("Creating oas dir", "dir", fmt.Sprintf("%s/%s", *root, OAS_REPO_NAME))
-	repoDir, err := createRepoDir(genDir, OAS_REPO, OAS_REPO_NAME)
-	if err != nil {
-		return fmt.Errorf("%s", err.Error())
-	}
-
-	slog.Info("Retrieving versions from subdirs")
-	// TODO - major
-	verMap, err := getVersions(repoDir)
-	if err != nil {
-		return fmt.Errorf("%s", err.Error())
-	}
-
-	slog.Info("Reducing to only latest or highest")
-	res, err := getOnlyLatest(verMap)
-	if err != nil {
-		return fmt.Errorf("%s", err.Error())
-	}
-
-	slog.Info("Creating OAS dir")
-	err = os.MkdirAll(path.Join(genDir, "oas"), 0755)
-	if err != nil {
-		return err
-	}
-
-	slog.Info("Copying OAS files")
-	for service, item := range res {
-		baseService := strings.TrimSuffix(service, "alpha")
-		baseService = strings.TrimSuffix(baseService, "beta")
-		itemVersion := fmt.Sprintf("v%d%s", item.major, item.verString)
-		if item.minor != 0 {
-			itemVersion = itemVersion + "" + strconv.Itoa(item.minor)
-		}
-		srcFile := path.Join(
-			repoDir,
-			"services",
-			baseService,
-			itemVersion,
-			fmt.Sprintf("%s.json", baseService),
-		)
-		dstFile := path.Join(genDir, "oas", fmt.Sprintf("%s.json", service))
-		_, err = copyFile(srcFile, dstFile)
-		if err != nil {
-			return fmt.Errorf("%s", err.Error())
-		}
-	}
-
-	slog.Info("Cleaning up", "dir", repoDir)
-	err = os.RemoveAll(filepath.Dir(repoDir))
-	if err != nil {
-		return fmt.Errorf("%s", err.Error())
-	}
-
-	slog.Info("Changing dir", "dir", genDir)
-	err = os.Chdir(genDir)
-	if err != nil {
-		return err
-	}
-
-	slog.Info("Calling make", "command", "generate-go-sdk")
-	cmd := exec.Command("make", "generate-go-sdk")
-	var stdOut, stdErr bytes.Buffer
-	cmd.Stdout = &stdOut
-	cmd.Stderr = &stdErr
-
-	if err = cmd.Start(); err != nil {
-		slog.Error("cmd.Start", "error", err)
-		return err
-	}
-
-	if err = cmd.Wait(); err != nil {
-		var exitErr *exec.ExitError
-		if errors.As(err, &exitErr) {
-			slog.Error("cmd.Wait", "code", exitErr.ExitCode(), "error", err, "stdout", stdOut.String(), "stderr", stdErr.String())
-			return fmt.Errorf("%s", stdErr.String())
-		}
-		if err != nil {
-			slog.Error("cmd.Wait", "err", err)
-			return err
-		}
-	}
-
-	slog.Info("Cleaning up go.mod and go.sum files")
-	cleanDir := path.Join(genDir, "sdk-repo-updated", "services")
-	dirEntries, err := os.ReadDir(cleanDir)
-	if err != nil {
-		return err
-	}
-	for _, entry := range dirEntries {
-		if entry.IsDir() {
-			err = deleteFiles(
-				path.Join(cleanDir, entry.Name(), "go.mod"),
-				path.Join(cleanDir, entry.Name(), "go.sum"),
-			)
-			if err != nil {
-				return err
-			}
-		}
-	}
-
-	slog.Info("Changing dir", "dir", *root)
-	err = os.Chdir(*root)
-	if err != nil {
-		return err
-	}
-
-	slog.Info("Rearranging package directories")
-	err = os.MkdirAll(path.Join(*root, "pkg_gen"), 0755) // noqa:gosec
-	if err != nil {
-		return err
-	}
-	srcDir := path.Join(genDir, "sdk-repo-updated", "services")
-	items, err := os.ReadDir(srcDir)
-	if err != nil {
-		return err
-	}
-	for _, item := range items {
-		if item.IsDir() {
-			slog.Info(" -> package", "name", item.Name())
-			tgtDir := path.Join(*root, "pkg_gen", item.Name())
-			// no backup needed as we generate new
-			//bakName := fmt.Sprintf("%s.%s", item.Name(), time.Now().Format("20060102-150405"))
-			//if _, err = os.Stat(tgtDir); !os.IsNotExist(err) {
-			//	err = os.Rename(
-			//		tgtDir,
-			//		path.Join(*root, "pkg", bakName),
-			//	)
-			//	if err != nil {
-			//		return err
-			//	}
-			//}
-			err = os.Rename(path.Join(srcDir, item.Name()), tgtDir)
-			if err != nil {
-				return err
-			}
-
-			// wait is placed outside now
-			//if _, err = os.Stat(path.Join(*root, "pkg", bakName, "wait")); !os.IsNotExist(err) {
-			//	slog.Info("    Copying wait subfolder")
-			//	err = os.Rename(path.Join(*root, "pkg", bakName, "wait"), path.Join(tgtDir, "wait"))
-			//	if err != nil {
-			//		return err
-			//	}
-			//}
-		}
-	}
-
-	slog.Info("Checking needed commands available")
-	err = checkCommands([]string{"tfplugingen-framework", "tfplugingen-openapi"})
-	if err != nil {
-		return err
-	}
-
-	slog.Info("Generating service boilerplate")
-	err = generateServiceFiles(*root, path.Join(*root, GEN_REPO_NAME))
-	if err != nil {
-		return err
-	}
-
-	slog.Info("Copying all service files")
-	err = CopyDirectory(
-		path.Join(*root, "generated", "internal", "services"),
-		path.Join(*root, "stackit", "internal", "services"),
-	)
-	if err != nil {
-		return err
-	}
-
-	err = createBoilerplate(*root, path.Join(*root, "stackit", "internal", "services"))
-	if err != nil {
-		return err
-	}
-
-	slog.Info("Finally removing temporary files and directories")
-	//err = os.RemoveAll(path.Join(*root, "generated"))
-	//if err != nil {
-	//	slog.Error("RemoveAll", "dir", path.Join(*root, "generated"), "err", err)
-	//	return err
-	//}
-
-	err = os.RemoveAll(path.Join(*root, GEN_REPO_NAME))
-	if err != nil {
-		slog.Error("RemoveAll", "dir", path.Join(*root, GEN_REPO_NAME), "err", err)
-		return err
-	}
-
-	slog.Info("Done")
-	return nil
-}
-
-type templateData struct {
-	PackageName string
-	NameCamel   string
-	NamePascal  string
-	NameSnake   string
-}
-
-func fileExists(path string) bool {
-	_, err := os.Stat(path)
-	if os.IsNotExist(err) {
-		return false
-	}
-	if err != nil {
-		panic(err)
-	}
-	return true
-}
-
-func createBoilerplate(rootFolder, folder string) error {
-	services, err := os.ReadDir(folder)
-	if err != nil {
-		return err
-	}
-	for _, svc := range services {
-		if !svc.IsDir() {
-			continue
-		}
-		resources, err := os.ReadDir(path.Join(folder, svc.Name()))
-		if err != nil {
-			return err
-		}
-
-		var handleDS bool
-		var handleRes bool
-		var foundDS bool
-		var foundRes bool
-
-		for _, res := range resources {
-			if !res.IsDir() {
-				continue
-			}
-
-			resourceName := res.Name()
-
-			dsFile := path.Join(folder, svc.Name(), res.Name(), "datasources_gen", fmt.Sprintf("%s_data_source_gen.go", res.Name()))
-			handleDS = fileExists(dsFile)
-
-			resFile := path.Join(folder, svc.Name(), res.Name(), "resources_gen", fmt.Sprintf("%s_resource_gen.go", res.Name()))
-			handleRes = fileExists(resFile)
-
-			dsGoFile := path.Join(folder, svc.Name(), res.Name(), "datasource.go")
-			foundDS = fileExists(dsGoFile)
-
-			resGoFile := path.Join(folder, svc.Name(), res.Name(), "resource.go")
-			foundRes = fileExists(resGoFile)
-
-			if handleDS && !foundDS {
-				slog.Info("Creating missing datasource.go", "service", svc.Name(), "resource", resourceName)
-				if !ValidateSnakeCase(resourceName) {
-					return errors.New("resource name is invalid")
-				}
-
-				tplName := "data_source_scaffold.gotmpl"
-				err = writeTemplateToFile(
-					tplName,
-					path.Join(rootFolder, "tools", "templates", tplName),
-					path.Join(folder, svc.Name(), res.Name(), "datasource.go"),
-					&templateData{
-						PackageName: svc.Name(),
-						NameCamel:   ToCamelCase(resourceName),
-						NamePascal:  ToPascalCase(resourceName),
-						NameSnake:   resourceName,
-					},
-				)
-				if err != nil {
-					panic(err)
-				}
-			}
-
-			if handleRes && !foundRes {
-				slog.Info("Creating missing resource.go", "service", svc.Name(), "resource", resourceName)
-				if !ValidateSnakeCase(resourceName) {
-					return errors.New("resource name is invalid")
-				}
-
-				tplName := "resource_scaffold.gotmpl"
-				err = writeTemplateToFile(
-					tplName,
-					path.Join(rootFolder, "tools", "templates", tplName),
-					path.Join(folder, svc.Name(), res.Name(), "resource.go"),
-					&templateData{
-						PackageName: svc.Name(),
-						NameCamel:   ToCamelCase(resourceName),
-						NamePascal:  ToPascalCase(resourceName),
-						NameSnake:   resourceName,
-					},
-				)
-				if err != nil {
-					return err
-				}
-			}
-		}
-	}
-	return nil
-}
-
-func ucfirst(s string) string {
-	if len(s) == 0 {
-		return ""
-	}
-	return strings.ToUpper(s[:1]) + s[1:]
-}
-
-func writeTemplateToFile(tplName, tplFile, outFile string, data *templateData) error {
-	fn := template.FuncMap{
-		"ucfirst": ucfirst,
-	}
-
-	tmpl, err := template.New(tplName).Funcs(fn).ParseFiles(tplFile)
-	if err != nil {
-		return err
-	}
-
-	var f *os.File
-	f, err = os.Create(outFile)
-	if err != nil {
-		return err
-	}
-
-	err = tmpl.Execute(f, *data)
-	if err != nil {
-		return err
-	}
-
-	err = f.Close()
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-func generateServiceFiles(rootDir, generatorDir string) error {
-	// slog.Info("Generating specs folder")
-	err := os.MkdirAll(path.Join(rootDir, "generated", "specs"), 0755)
-	if err != nil {
-		return err
-	}
-
-	specs, err := os.ReadDir(path.Join(rootDir, "service_specs"))
-	if err != nil {
-		return err
-	}
-	for _, spec := range specs {
-		if spec.IsDir() {
-			continue
-		}
-		// slog.Info("Checking spec", "name", spec.Name())
-		r := regexp.MustCompile(`^([a-z-]+)_(.*)_config.yml$`)
-		matches := r.FindAllStringSubmatch(spec.Name(), -1)
-		if matches != nil {
-			fileName := matches[0][0]
-			service := matches[0][1]
-			resource := matches[0][2]
-			slog.Info(
-				"Found service spec",
-				"name",
-				spec.Name(),
-				"service",
-				service,
-				"resource",
-				resource,
-			)
-
-			for _, part := range []string{"alpha", "beta"} {
-				oasFile := path.Join(generatorDir, "oas", fmt.Sprintf("%s%s.json", service, part))
-				if _, err = os.Stat(oasFile); !os.IsNotExist(err) {
-					slog.Info("found matching oas", "service", service, "version", part)
-					scName := fmt.Sprintf("%s%s", service, part)
-					scName = strings.ReplaceAll(scName, "-", "")
-					err = os.MkdirAll(path.Join(rootDir, "generated", "internal", "services", scName, resource), 0755)
-					if err != nil {
-						return err
-					}
-
-					// slog.Info("Generating openapi spec json")
-					specFile := path.Join(rootDir, "generated", "specs", fmt.Sprintf("%s_%s_spec.json", scName, resource))
-
-					var stdOut, stdErr bytes.Buffer
-
-					// noqa:gosec
-					cmd := exec.Command(
-						"tfplugingen-openapi",
-						"generate",
-						"--config",
-						path.Join(rootDir, "service_specs", fileName),
-						"--output",
-						specFile,
-						oasFile,
-					)
-					cmd.Stdout = &stdOut
-					cmd.Stderr = &stdErr
-
-					if err = cmd.Start(); err != nil {
-						slog.Error("tfplugingen-openapi generate", "error", err)
-						return err
-					}
-
-					if err = cmd.Wait(); err != nil {
-						var exitErr *exec.ExitError
-						if errors.As(err, &exitErr) {
-							slog.Error("tfplugingen-openapi generate", "code", exitErr.ExitCode(), "error", err, "stdout", stdOut.String(), "stderr", stdErr.String())
-							return fmt.Errorf("%s", stdErr.String())
-						}
-						if err != nil {
-							slog.Error("tfplugingen-openapi generate", "err", err, "stdout", stdOut.String(), "stderr", stdErr.String())
-							return err
-						}
-					}
-
-					// slog.Info("Creating terraform service resource files folder")
-					tgtFolder := path.Join(rootDir, "generated", "internal", "services", scName, resource, "resources_gen")
-					err = os.MkdirAll(tgtFolder, 0755)
-					if err != nil {
-						return err
-					}
-
-					// slog.Info("Generating terraform service resource files")
-
-					// noqa:gosec
-					cmd2 := exec.Command(
-						"tfplugingen-framework",
-						"generate",
-						"resources",
-						"--input",
-						specFile,
-						"--output",
-						tgtFolder,
-						"--package",
-						scName,
-					)
-
-					cmd2.Stdout = &stdOut
-					cmd2.Stderr = &stdErr
-					if err = cmd2.Start(); err != nil {
-						slog.Error("tfplugingen-framework generate resources", "error", err)
-						return err
-					}
-
-					if err = cmd2.Wait(); err != nil {
-						var exitErr *exec.ExitError
-						if errors.As(err, &exitErr) {
-							slog.Error("tfplugingen-framework generate resources", "code", exitErr.ExitCode(), "error", err, "stdout", stdOut.String(), "stderr", stdErr.String())
-							return fmt.Errorf("%s", stdErr.String())
-						}
-						if err != nil {
-							slog.Error("tfplugingen-framework generate resources", "err", err, "stdout", stdOut.String(), "stderr", stdErr.String())
-							return err
-						}
-					}
-
-					// slog.Info("Creating terraform service datasource files folder")
-					tgtFolder = path.Join(rootDir, "generated", "internal", "services", scName, resource, "datasources_gen")
-					err = os.MkdirAll(tgtFolder, 0755)
-					if err != nil {
-						return err
-					}
-
-					// slog.Info("Generating terraform service resource files")
-
-					// noqa:gosec
-					cmd3 := exec.Command(
-						"tfplugingen-framework",
-						"generate",
-						"data-sources",
-						"--input",
-						specFile,
-						"--output",
-						tgtFolder,
-						"--package",
-						scName,
-					)
-					var stdOut3, stdErr3 bytes.Buffer
-					cmd3.Stdout = &stdOut3
-					cmd3.Stderr = &stdErr3
-
-					if err = cmd3.Start(); err != nil {
-						slog.Error("tfplugingen-framework generate data-sources", "error", err)
-						return err
-					}
-
-					if err = cmd3.Wait(); err != nil {
-						var exitErr *exec.ExitError
-						if errors.As(err, &exitErr) {
-							slog.Error("tfplugingen-framework generate data-sources", "code", exitErr.ExitCode(), "error", err, "stdout", stdOut.String(), "stderr", stdErr.String())
-							return fmt.Errorf("%s", stdErr.String())
-						}
-						if err != nil {
-							slog.Error("tfplugingen-framework generate data-sources", "err", err, "stdout", stdOut.String(), "stderr", stdErr.String())
-							return err
-						}
-					}
-				}
-			}
-		}
-	}
-	return nil
-}
-
-func checkCommands(commands []string) error {
-	for _, commandName := range commands {
-		if !commandExists(commandName) {
-			return fmt.Errorf("missing command %s", commandName)
-		}
-		slog.Info("found", "command", commandName)
-	}
-	return nil
-}
-
-func commandExists(cmd string) bool {
-	_, err := exec.LookPath(cmd)
-	return err == nil
-}
-
-func deleteFiles(fNames ...string) error {
-	for _, fName := range fNames {
-		if _, err := os.Stat(fName); !os.IsNotExist(err) {
-			err = os.Remove(fName)
-			if err != nil {
-				return err
-			}
-		}
-	}
-	return nil
-}
-
-func copyFile(src, dst string) (int64, error) {
-	sourceFileStat, err := os.Stat(src)
-	if err != nil {
-		return 0, err
-	}
-
-	if !sourceFileStat.Mode().IsRegular() {
-		return 0, fmt.Errorf("%s is not a regular file", src)
-	}
-
-	source, err := os.Open(src)
-	if err != nil {
-		return 0, err
-	}
-	defer source.Close()
-
-	destination, err := os.Create(dst)
-	if err != nil {
-		return 0, err
-	}
-	defer destination.Close()
-	nBytes, err := io.Copy(destination, source)
-	return nBytes, err
-}
-
-func getOnlyLatest(m map[string]version) (map[string]version, error) {
-	tmpMap := make(map[string]version)
-	for k, v := range m {
-		item, ok := tmpMap[k]
-		if !ok {
-			tmpMap[k] = v
-		} else {
-			if item.major == v.major && item.minor < v.minor {
-				tmpMap[k] = v
-			}
-		}
-	}
-	return tmpMap, nil
-}
-
-func getVersions(dir string) (map[string]version, error) {
-	res := make(map[string]version)
-	children, err := os.ReadDir(path.Join(dir, "services"))
-	if err != nil {
-		return nil, err
-	}
-
-	for _, entry := range children {
-		if entry.IsDir() {
-			versions, err := os.ReadDir(path.Join(dir, "services", entry.Name()))
-			if err != nil {
-				return nil, err
-			}
-			m, err2 := extractVersions(entry.Name(), versions)
-			if err2 != nil {
-				return m, err2
-			}
-			for k, v := range m {
-				res[k] = v
-			}
-		}
-	}
-	return res, nil
-}
-
-func extractVersions(service string, versionDirs []os.DirEntry) (map[string]version, error) {
-	res := make(map[string]version)
-	for _, vDir := range versionDirs {
-		if vDir.IsDir() {
-			r := regexp.MustCompile(`v([0-9]+)([a-z]+)([0-9]*)`)
-			matches := r.FindAllStringSubmatch(vDir.Name(), -1)
-			if matches == nil {
-				continue
-			}
-			svc, ver, err := handleVersion(service, matches[0])
-			if err != nil {
-				return nil, err
-			}
-
-			if svc != nil && ver != nil {
-				res[*svc] = *ver
-			}
-		}
-	}
-	return res, nil
-}
-
-func handleVersion(service string, match []string) (*string, *version, error) {
-	if match == nil {
-		fmt.Println("no matches")
-		return nil, nil, nil
-	}
-	verString := match[2]
-	if verString != "alpha" && verString != "beta" {
-		return nil, nil, errors.New("unsupported version")
-	}
-	majVer, err := strconv.Atoi(match[1])
-	if err != nil {
-		return nil, nil, err
-	}
-	if match[3] == "" {
-		match[3] = "0"
-	}
-	minVer, err := strconv.Atoi(match[3])
-	if err != nil {
-		return nil, nil, err
-	}
-	resStr := fmt.Sprintf("%s%s", service, verString)
-	return &resStr, &version{verString: verString, major: majVer, minor: minVer}, nil
-}
-
-func createRepoDir(root, repoUrl, repoName string) (string, error) {
-	oasTmpDir, err := os.MkdirTemp(root, "oas-tmp")
-	if err != nil {
-		return "", err
-	}
-	targetDir := path.Join(oasTmpDir, repoName)
-	_, err = git.Clone(
-		clone.Repository(repoUrl),
-		clone.Directory(targetDir),
-	)
-	if err != nil {
-		return "", err
-	}
-	return targetDir, nil
-}
-
-func createGeneratorDir(root, repoUrl, repoName string) (string, error) {
-	targetDir := path.Join(root, repoName)
-	_, err := git.Clone(
-		clone.Repository(repoUrl),
-		clone.Directory(targetDir),
-	)
-	if err != nil {
-		return "", err
-	}
-	return targetDir, nil
-}
-
-func getRoot() (*string, error) {
-	cmd := exec.Command("git", "rev-parse", "--show-toplevel")
-	out, err := cmd.Output()
-	if err != nil {
-		return nil, err
-	}
-	lines := strings.Split(string(out), "\n")
-	return &lines[0], nil
-}
--- a/cmd/cmd/build/templates/data_source_scaffold.gotmpl
+++ b/cmd/cmd/build/templates/data_source_scaffold.gotmpl
@ -1,51 +0,0 @@
-package {{.PackageName}}
-
-import (
-	"context"
-
-	"github.com/hashicorp/terraform-plugin-framework/datasource"
-	"github.com/hashicorp/terraform-plugin-framework/datasource/schema"
-	"github.com/hashicorp/terraform-plugin-framework/types"
-
-    "tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/pkg/{{.PackageName}}"
-
-    {{.PackageName}}Gen "tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/stackit/internal/services/{{.PackageName}}/{{.NameSnake}}/datasources_gen"
-)
-
-var _ datasource.DataSource = (*{{.NameCamel}}DataSource)(nil)
-
-func New{{.NamePascal}}DataSource() datasource.DataSource {
-	return &{{.NameCamel}}DataSource{}
-}
-
-type {{.NameCamel}}DataSource struct{
-	client       *{{.PackageName}}.APIClient
-	providerData core.ProviderData
-}
-
-func (d *{{.NameCamel}}DataSource) Metadata(_ context.Context, req datasource.MetadataRequest, resp *datasource.MetadataResponse) {
-	resp.TypeName = req.ProviderTypeName + "_{{.PackageName}}_{{.NameSnake}}"
-}
-
-func (d *{{.NameCamel}}DataSource) Schema(ctx context.Context, _ datasource.SchemaRequest, resp *datasource.SchemaResponse) {
-	resp.Schema = {{.PackageName}}Gen.{{.NamePascal}}DataSourceSchema(ctx)
-}
-
-func (d *{{.NameCamel}}DataSource) Read(ctx context.Context, req datasource.ReadRequest, resp *datasource.ReadResponse) {
-	var data {{.PackageName}}Gen.{{.NameCamel}}Model
-
-	// Read Terraform configuration data into the model
-	resp.Diagnostics.Append(req.Config.Get(ctx, &data)...)
-
-	if resp.Diagnostics.HasError() {
-		return
-	}
-
-	// Todo: Read API call logic
-
-	// Example data value setting
-	// data.Id = types.StringValue("example-id")
-
-	// Save data into Terraform state
-	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
-}
--- a/cmd/cmd/build/templates/resource_scaffold.gotmpl
+++ b/cmd/cmd/build/templates/resource_scaffold.gotmpl
@ -1,208 +0,0 @@
-package {{.PackageName}}
-
-import (
-	"context"
-
-	"github.com/hashicorp/terraform-plugin-framework/resource"
-	"github.com/hashicorp/terraform-plugin-framework/types"
-
-    "tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/stackit/internal/core"
-    "tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/stackit/internal/utils"
-
-	{{.PackageName}}Gen "tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/stackit/internal/services/{{.PackageName}}/{{.NameSnake}}/resources_gen"
-)
-
-var (
-	_ resource.Resource                = &{{.NameCamel}}Resource{}
-	_ resource.ResourceWithConfigure   = &{{.NameCamel}}Resource{}
-	_ resource.ResourceWithImportState = &{{.NameCamel}}Resource{}
-	_ resource.ResourceWithModifyPlan  = &{{.NameCamel}}Resource{}
-)
-
-func New{{.NamePascal}}Resource() resource.Resource {
-	return &{{.NameCamel}}Resource{}
-}
-
-type {{.NameCamel}}Resource struct{
-	client       *{{.PackageName}}.APIClient
-	providerData core.ProviderData
-}
-
-func (r *{{.NameCamel}}Resource) Metadata(ctx context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) {
-	resp.TypeName = req.ProviderTypeName + "_{{.PackageName}}_{{.NameSnake}}"
-}
-
-func (r *{{.NameCamel}}Resource) Schema(ctx context.Context, req resource.SchemaRequest, resp *resource.SchemaResponse) {
-	resp.Schema = {{.PackageName}}Gen.{{.NamePascal}}ResourceSchema(ctx)
-}
-
-// Configure adds the provider configured client to the resource.
-func (r *{{.NameCamel}}Resource) Configure(
-	ctx context.Context,
-	req resource.ConfigureRequest,
-	resp *resource.ConfigureResponse,
-) {
-	var ok bool
-	r.providerData, ok = conversion.ParseProviderData(ctx, req.ProviderData, &resp.Diagnostics)
-	if !ok {
-		return
-	}
-
-	apiClientConfigOptions := []config.ConfigurationOption{
-		config.WithCustomAuth(r.providerData.RoundTripper),
-		utils.UserAgentConfigOption(r.providerData.Version),
-	}
-	if r.providerData.PostgresFlexCustomEndpoint != "" {
-		apiClientConfigOptions = append(apiClientConfigOptions, config.WithEndpoint(r.providerData.PostgresFlexCustomEndpoint))
-	} else {
-		apiClientConfigOptions = append(apiClientConfigOptions, config.WithRegion(r.providerData.GetRegion()))
-	}
-	apiClient, err := {{.PackageName}}.NewAPIClient(apiClientConfigOptions...)
-	if err != nil {
-		resp.Diagnostics.AddError( "Error configuring API client", fmt.Sprintf("Configuring client: %v. This is an error related to the provider configuration, not to the resource configuration", err))
-		return
-	}
-	r.client = apiClient
-	tflog.Info(ctx, "{{.PackageName}}.{{.NamePascal}} client configured")
-}
-
-func (r *{{.NameCamel}}Resource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
-	var data {{.PackageName}}Gen.{{.NamePascal}}Model
-
-	// Read Terraform plan data into the model
-	resp.Diagnostics.Append(req.Plan.Get(ctx, &data)...)
-
-	if resp.Diagnostics.HasError() {
-		return
-	}
-
-	// TODO: Create API call logic
-
-	// Example data value setting
-	data.{{.NameCamel | ucfirst}}Id = types.StringValue("id-from-response")
-
-	// Save data into Terraform state
-	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
-
-	tflog.Info(ctx, "{{.PackageName}}.{{.NamePascal}} created")
-}
-
-func (r *{{.NameCamel}}Resource) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) {
-	var data {{.PackageName}}Gen.{{.NamePascal}}Model
-
-	// Read Terraform prior state data into the model
-	resp.Diagnostics.Append(req.State.Get(ctx, &data)...)
-
-	if resp.Diagnostics.HasError() {
-		return
-	}
-
-	// Todo: Read API call logic
-
-	// Save updated data into Terraform state
-	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
-
-	tflog.Info(ctx, "{{.PackageName}}.{{.NamePascal}} read")
-}
-
-func (r *{{.NameCamel}}Resource) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
-	var data {{.PackageName}}Gen.{{.NamePascal}}Model
-
-	// Read Terraform plan data into the model
-	resp.Diagnostics.Append(req.Plan.Get(ctx, &data)...)
-
-	if resp.Diagnostics.HasError() {
-		return
-	}
-
-	// Todo: Update API call logic
-
-	// Save updated data into Terraform state
-	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
-
-	tflog.Info(ctx, "{{.PackageName}}.{{.NamePascal}} updated")
-}
-
-func (r *{{.NameCamel}}Resource) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) {
-	var data {{.PackageName}}Gen.{{.NamePascal}}Model
-
-	// Read Terraform prior state data into the model
-	resp.Diagnostics.Append(req.State.Get(ctx, &data)...)
-
-	if resp.Diagnostics.HasError() {
-		return
-	}
-
-	// Todo: Delete API call logic
-
-	tflog.Info(ctx, "{{.PackageName}}.{{.NamePascal}} deleted")
-}
-
-// ModifyPlan implements resource.ResourceWithModifyPlan.
-// Use the modifier to set the effective region in the current plan.
-func (r *{{.NameCamel}}Resource) ModifyPlan(
-	ctx context.Context,
-	req resource.ModifyPlanRequest,
-	resp *resource.ModifyPlanResponse,
-) { // nolint:gocritic // function signature required by Terraform
-	var configModel {{.PackageName}}Gen.{{.NamePascal}}Model
-	// skip initial empty configuration to avoid follow-up errors
-	if req.Config.Raw.IsNull() {
-		return
-	}
-	resp.Diagnostics.Append(req.Config.Get(ctx, &configModel)...)
-	if resp.Diagnostics.HasError() {
-		return
-	}
-
-	var planModel {{.PackageName}}Gen.{{.NamePascal}}Model
-	resp.Diagnostics.Append(req.Plan.Get(ctx, &planModel)...)
-	if resp.Diagnostics.HasError() {
-		return
-	}
-
-	utils.AdaptRegion(ctx, configModel.Region, &planModel.Region, r.providerData.GetRegion(), resp)
-	if resp.Diagnostics.HasError() {
-		return
-	}
-
-	resp.Diagnostics.Append(resp.Plan.Set(ctx, planModel)...)
-	if resp.Diagnostics.HasError() {
-		return
-	}
-}
-
-// ImportState imports a resource into the Terraform state on success.
-// The expected format of the resource import identifier is: project_id,zone_id,record_set_id
-func (r *{{.NameCamel}}Resource) ImportState(
-	ctx context.Context,
-	req resource.ImportStateRequest,
-	resp *resource.ImportStateResponse,
-) {
-	idParts := strings.Split(req.ID, core.Separator)
-
-	// Todo: Import logic
-	if len(idParts) < 2 || idParts[0] == "" || idParts[1] == "" {
-		core.LogAndAddError(
-			ctx, &resp.Diagnostics,
-			"Error importing database",
-			fmt.Sprintf(
-				"Expected import identifier with format [project_id],[region],..., got %q",
-				req.ID,
-			),
-		)
-		return
-	}
-
-	resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("project_id"), idParts[0])...)
-	resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("region"), idParts[1])...)
-	// ... more ...
-
-	core.LogAndAddWarning(
-		ctx,
-		&resp.Diagnostics,
-		"{{.PackageName | ucfirst}} database imported with empty password",
-		"The database password is not imported as it is only available upon creation of a new database. The password field will be empty.",
-	)
-	tflog.Info(ctx, "{{.PackageName | ucfirst}} {{.NameCamel}} state imported")
-}
--- a/cmd/cmd/buildCmd.go
+++ b/cmd/cmd/buildCmd.go
@ -1,17 +0,0 @@
-package cmd
-
-import (
-	"github.com/spf13/cobra"
-	"tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/cmd/cmd/build"
-)
-
-func NewBuildCmd() *cobra.Command {
-	return &cobra.Command{
-		Use:   "build",
-		Short: "Build the necessary boilerplate",
-		Long:  `...`,
-		RunE: func(cmd *cobra.Command, args []string) error {
-			return build.Build()
-		},
-	}
-}
--- a/cmd/main.go
+++ b/cmd/main.go
@ -1,27 +0,0 @@
-package main
-
-import (
-	"log"
-	"os"
-
-	"tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/cmd/cmd"
-)
-
-func main() {
-	rootCmd := cmd.NewRootCmd()
-	//rootCmd.PersistentFlags().StringVar(&cfgFile, "config", "", "config file (default is $HOME/.cobra.yaml)")
-	//rootCmd.PersistentFlags().StringP("author", "a", "YOUR NAME", "author name for copyright attribution")
-	//rootCmd.PersistentFlags().StringVarP(&userLicense, "license", "l", "", "name of license for the project")
-
-	rootCmd.SetOut(os.Stdout)
-
-	rootCmd.AddCommand(
-		cmd.NewBuildCmd(),
-		cmd.NewPublishCmd(),
-	)
-
-	err := rootCmd.Execute()
-	if err != nil {
-		log.Fatal(err)
-	}
-}
--- a/docs/data-sources/postgresflexalpha_database.md
+++ b/docs/data-sources/postgresflexalpha_database.md
@ -3,12 +3,12 @@
 page_title: "stackitprivatepreview_postgresflexalpha_database Data Source - stackitprivatepreview"
 subcategory: ""
 description: |-
-  Postgres Flex database resource schema. Must have a region specified in the provider configuration.
+  
 ---

 # stackitprivatepreview_postgresflexalpha_database (Data Source)

-Postgres Flex database resource schema. Must have a `region` specified in the provider configuration.
+

 ## Example Usage

@ -25,16 +25,17 @@ data "stackitprivatepreview_postgresflexalpha_database" "example" {

 ### Required

- `instance_id` (String) ID of the Postgres Flex instance.
- `project_id` (String) STACKIT project ID to which the instance is associated.
+- `database_id` (Number) The ID of the database.
+- `instance_id` (String) The ID of the instance.
+- `project_id` (String) The STACKIT project ID.

 ### Optional

- `database_id` (Number) Database ID.
- `name` (String) Database name.
- `region` (String) The resource region. If not defined, the provider region is used.
+- `region` (String) The region which should be addressed

 ### Read-Only

- `id` (String) Terraform's internal resource ID. It is structured as "`project_id`,`region`,`instance_id`,`database_id`".
- `owner` (String) Username of the database owner.
+- `id` (String) Terraform's internal resource ID. It is structured as \"`project_id`,`region`,`instance_id`,`database_id`\".",
+- `name` (String) The name of the database.
+- `owner` (String) The owner of the database.
+- `tf_original_api_id` (Number) The id of the database.
--- a/docs/data-sources/postgresflexalpha_flavor.md
+++ b/docs/data-sources/postgresflexalpha_flavor.md
@ -10,7 +10,18 @@ description: |-



+## Example Usage

+```terraform
+data "stackitprivatepreview_postgresflexalpha_flavor" "flavor" {
+  project_id    = var.project_id
+  region        = var.region
+  cpu           = 4
+  ram           = 16
+  node_type     = "Single"
+  storage_class = "premium-perf2-stackit"
+}
+```

 <!-- schema generated by tfplugindocs -->
 ## Schema
--- a/docs/data-sources/postgresflexalpha_flavors.md
+++ b/docs/data-sources/postgresflexalpha_flavors.md
@ -38,12 +38,12 @@ Read-Only:

 - `cpu` (Number) The cpu count of the instance.
 - `description` (String) The flavor description.
- `id` (String) The id of the instance flavor.
 - `max_gb` (Number) maximum storage which can be ordered for the flavor in Gigabyte.
 - `memory` (Number) The memory of the instance in Gibibyte.
 - `min_gb` (Number) minimum storage which is required to order in Gigabyte.
 - `node_type` (String) defines the nodeType it can be either single or replica
 - `storage_classes` (Attributes List) maximum storage which can be ordered for the flavor in Gigabyte. (see [below for nested schema](#nestedatt--flavors--storage_classes))
+- `tf_original_api_id` (String) The id of the instance flavor.

 <a id="nestedatt--flavors--storage_classes"></a>
 ### Nested Schema for `flavors.storage_classes`
--- a/docs/data-sources/postgresflexalpha_instance.md
+++ b/docs/data-sources/postgresflexalpha_instance.md
@ -26,17 +26,21 @@ data "stackitprivatepreview_postgresflexalpha_instance" "example" {

 - `instance_id` (String) The ID of the instance.
 - `project_id` (String) The STACKIT project ID.
+
+### Optional
+
 - `region` (String) The region which should be addressed

 ### Read-Only

- `backup_schedule` (String) The schedule for on what time and how often the database backup will be created. The schedule is written as a cron schedule.
- `connection_info` (Attributes) The DNS name and port in the instance overview (see [below for nested schema](#nestedatt--connection_info))
+- `acl` (List of String) List of IPV4 cidr.
+- `backup_schedule` (String) The schedule for when the database backup will be created. Currently, ONLY daily schedules are supported (every 24 hours). The schedule is written as a cron schedule.
+- `connection_info` (Attributes) The connection information of the instance (see [below for nested schema](#nestedatt--connection_info))
 - `encryption` (Attributes) The configuration for instance's volume and backup storage encryption.

-⚠️ **Note:** This feature is in private preview. Supplying this object is only permitted for enabled accounts. If your account does not have access, the request will be rejected. (see [below for nested schema](#nestedatt--encryption))
+⚠︝ **Note:** This feature is in private preview. Supplying this object is only permitted for enabled accounts. If your account does not have access, the request will be rejected. (see [below for nested schema](#nestedatt--encryption))
 - `flavor_id` (String) The id of the instance flavor.
- `id` (String) The ID of the instance.
+- `id` (String) internal ID
 - `is_deletable` (Boolean) Whether the instance can be deleted or not.
 - `name` (String) The name of the instance.
 - `network` (Attributes) The access configuration of the instance (see [below for nested schema](#nestedatt--network))
@ -44,6 +48,7 @@ data "stackitprivatepreview_postgresflexalpha_instance" "example" {
 - `retention_days` (Number) How long backups are retained. The value can only be between 32 and 365 days.
 - `status` (String) The current status of the instance.
 - `storage` (Attributes) The object containing information about the storage size and class. (see [below for nested schema](#nestedatt--storage))
+- `tf_original_api_id` (String) The ID of the instance.
 - `version` (String) The Postgres version used for the instance. See [Versions Endpoint](/documentation/postgres-flex-service/version/v3alpha1#tag/Version) for supported version parameters.

 <a id="nestedatt--connection_info"></a>
@ -51,10 +56,18 @@ data "stackitprivatepreview_postgresflexalpha_instance" "example" {

 Read-Only:

+- `write` (Attributes) The DNS name and port in the instance overview (see [below for nested schema](#nestedatt--connection_info--write))
+
+<a id="nestedatt--connection_info--write"></a>
+### Nested Schema for `connection_info.write`
+
+Read-Only:
+
 - `host` (String) The host of the instance.
 - `port` (Number) The port of the instance.


+
 <a id="nestedatt--encryption"></a>
 ### Nested Schema for `encryption`

--- a/docs/data-sources/postgresflexalpha_user.md
+++ b/docs/data-sources/postgresflexalpha_user.md
@ -3,12 +3,12 @@
 page_title: "stackitprivatepreview_postgresflexalpha_user Data Source - stackitprivatepreview"
 subcategory: ""
 description: |-
-  Postgres Flex user data source schema. Must have a region specified in the provider configuration.
+  
 ---

 # stackitprivatepreview_postgresflexalpha_user (Data Source)

-Postgres Flex user data source schema. Must have a `region` specified in the provider configuration.
+

 ## Example Usage

@ -25,20 +25,18 @@ data "stackitprivatepreview_postgresflexalpha_user" "example" {

 ### Required

- `instance_id` (String) ID of the PostgresFlex instance.
- `project_id` (String) STACKIT project ID to which the instance is associated.
- `user_id` (String) User ID.
+- `instance_id` (String) The ID of the instance.
+- `project_id` (String) The STACKIT project ID.
+- `user_id` (Number) The ID of the user.

 ### Optional

- `region` (String) The resource region. If not defined, the provider region is used.
+- `id` (String) Terraform's internal resource ID. It is structured as \"`project_id`,`region`,`instance_id`,`user_id`\".",
+- `region` (String) The region which should be addressed

 ### Read-Only

- `connection_string` (String) The connection string for the user to the instance.
- `host` (String) The host address for the user to connect to the instance.
- `id` (String) Terraform's internal data source. ID. It is structured as "`project_id`,`region`,`instance_id`,`user_id`".
- `port` (Number) The port number for the user to connect to the instance.
- `roles` (Set of String) The roles assigned to the user.
+- `name` (String) The name of the user.
+- `roles` (List of String) A list of user roles.
 - `status` (String) The current status of the user.
- `username` (String) The name of the user.
+- `tf_original_api_id` (Number) The ID of the user.
--- a/docs/data-sources/sqlserverflexalpha_database.md
+++ b/docs/data-sources/sqlserverflexalpha_database.md
@ -26,6 +26,7 @@ description: |-

 - `collation_name` (String) The collation of the database. This database collation should match the *collation_name* of one of the collations given by the **Get database collation list** endpoint.
 - `compatibility_level` (Number) CompatibilityLevel of the Database.
- `id` (Number) The id of the database.
+- `id` (String) The terraform internal identifier.
 - `name` (String) The name of the database.
 - `owner` (String) The owner of the database.
+- `tf_original_api_id` (Number) The id of the database.
--- a/docs/data-sources/sqlserverflexalpha_flavor.md
+++ b/docs/data-sources/sqlserverflexalpha_flavor.md
@ -1,43 +0,0 @@
---
-# generated by https://github.com/hashicorp/terraform-plugin-docs
-page_title: "stackitprivatepreview_sqlserverflexalpha_flavor Data Source - stackitprivatepreview"
-subcategory: ""
-description: |-
-  
---
-
-# stackitprivatepreview_sqlserverflexalpha_flavor (Data Source)
-
-
-
-
-
-<!-- schema generated by tfplugindocs -->
-## Schema
-
-### Required
-
- `cpu` (Number) The cpu count of the instance.
- `node_type` (String) defines the nodeType it can be either single or replica
- `project_id` (String) The cpu count of the instance.
- `ram` (Number) The memory of the instance in Gibibyte.
- `region` (String) The flavor description.
- `storage_class` (String) The memory of the instance in Gibibyte.
-
-### Read-Only
-
- `description` (String) The flavor description.
- `flavor_id` (String) The flavor id of the instance flavor.
- `id` (String) The terraform id of the instance flavor.
- `max_gb` (Number) maximum storage which can be ordered for the flavor in Gigabyte.
- `min_gb` (Number) minimum storage which is required to order in Gigabyte.
- `storage_classes` (Attributes List) (see [below for nested schema](#nestedatt--storage_classes))
-
-<a id="nestedatt--storage_classes"></a>
-### Nested Schema for `storage_classes`
-
-Read-Only:
-
- `class` (String)
- `max_io_per_sec` (Number)
- `max_through_in_mb` (Number)
--- a/docs/data-sources/sqlserverflexalpha_instance.md
+++ b/docs/data-sources/sqlserverflexalpha_instance.md
@ -3,12 +3,12 @@
 page_title: "stackitprivatepreview_sqlserverflexalpha_instance Data Source - stackitprivatepreview"
 subcategory: ""
 description: |-
-  SQLServer Flex ALPHA instance resource schema. Must have a region specified in the provider configuration.
+  
 ---

 # stackitprivatepreview_sqlserverflexalpha_instance (Data Source)

-SQLServer Flex ALPHA instance resource schema. Must have a `region` specified in the provider configuration.
+

 ## Example Usage

@ -24,61 +24,48 @@ data "stackitprivatepreview_sqlserverflexalpha_instance" "example" {

 ### Required

- `instance_id` (String) ID of the SQLServer Flex instance.
- `project_id` (String) STACKIT project ID to which the instance is associated.
-
-### Optional
-
- `region` (String) The resource region. If not defined, the provider region is used.
+- `instance_id` (String) The ID of the instance.
+- `project_id` (String) The STACKIT project ID.
+- `region` (String) The region which should be addressed

 ### Read-Only

- `backup_schedule` (String) The backup schedule. Should follow the cron scheduling system format (e.g. "0 0 * * *")
- `edition` (String)
- `encryption` (Attributes) The encryption block. (see [below for nested schema](#nestedatt--encryption))
- `flavor` (Attributes) (see [below for nested schema](#nestedatt--flavor))
- `id` (String) Terraform's internal resource ID. It is structured as "`project_id`,`region`,`instance_id`".
- `is_deletable` (Boolean)
- `name` (String) Instance name.
- `network` (Attributes) The network block. (see [below for nested schema](#nestedatt--network))
- `replicas` (Number)
- `retention_days` (Number)
+- `backup_schedule` (String) The schedule for on what time and how often the database backup will be created. The schedule is written as a cron schedule.
+- `edition` (String) Edition of the MSSQL server instance
+- `encryption` (Attributes) this defines which key to use for storage encryption (see [below for nested schema](#nestedatt--encryption))
+- `flavor_id` (String) The id of the instance flavor.
+- `is_deletable` (Boolean) Whether the instance can be deleted or not.
+- `name` (String) The name of the instance.
+- `network` (Attributes) The access configuration of the instance (see [below for nested schema](#nestedatt--network))
+- `replicas` (Number) How many replicas the instance should have.
+- `retention_days` (Number) The days for how long the backup files should be stored before cleaned up. 30 to 365
 - `status` (String)
- `storage` (Attributes) (see [below for nested schema](#nestedatt--storage))
- `version` (String)
+- `storage` (Attributes) The object containing information about the storage size and class. (see [below for nested schema](#nestedatt--storage))
+- `tf_original_api_id` (String) The ID of the instance.
+- `version` (String) The sqlserver version used for the instance.

 <a id="nestedatt--encryption"></a>
 ### Nested Schema for `encryption`

 Read-Only:

- `key_id` (String) STACKIT KMS - Key ID of the encryption key to use.
- `key_version` (String) STACKIT KMS - Key version to use in the encryption key.
- `keyring_id` (String) STACKIT KMS - KeyRing ID of the encryption key to use.
+- `kek_key_id` (String) The key identifier
+- `kek_key_ring_id` (String) The keyring identifier
+- `kek_key_version` (String) The key version
 - `service_account` (String)


-<a id="nestedatt--flavor"></a>
-### Nested Schema for `flavor`
-
-Read-Only:
-
- `cpu` (Number)
- `description` (String)
- `id` (String)
- `node_type` (String)
- `ram` (Number)
-
-
 <a id="nestedatt--network"></a>
 ### Nested Schema for `network`

 Read-Only:

- `access_scope` (String) The access scope of the instance. (e.g. SNA)
- `acl` (List of String) The Access Control List (ACL) for the SQLServer Flex instance.
- `instance_address` (String) The returned instance IP address of the SQLServer Flex instance.
- `router_address` (String) The returned router IP address of the SQLServer Flex instance.
+- `access_scope` (String) The network access scope of the instance
+
+⚠️ **Note:** This feature is in private preview. Supplying this object is only permitted for enabled accounts. If your account does not have access, the request will be rejected.
+- `acl` (List of String) List of IPV4 cidr.
+- `instance_address` (String)
+- `router_address` (String)


 <a id="nestedatt--storage"></a>
@ -86,5 +73,5 @@ Read-Only:

 Read-Only:

- `class` (String)
- `size` (Number)
+- `class` (String) The storage class for the storage.
+- `size` (Number) The storage size in Gigabytes.
--- a/docs/data-sources/sqlserverflexalpha_user.md
+++ b/docs/data-sources/sqlserverflexalpha_user.md
@ -3,12 +3,12 @@
 page_title: "stackitprivatepreview_sqlserverflexalpha_user Data Source - stackitprivatepreview"
 subcategory: ""
 description: |-
-  SQLServer Flex user data source schema. Must have a region specified in the provider configuration.
+  
 ---

 # stackitprivatepreview_sqlserverflexalpha_user (Data Source)

-SQLServer Flex user data source schema. Must have a `region` specified in the provider configuration.
+

 ## Example Usage

@ -25,20 +25,38 @@ data "stackitprivatepreview_sqlserverflexalpha_user" "example" {

 ### Required

- `instance_id` (String) ID of the SQLServer Flex instance.
- `project_id` (String) STACKIT project ID to which the instance is associated.
- `user_id` (Number) User ID.
+- `instance_id` (String) The ID of the instance.
+- `project_id` (String) The STACKIT project ID.
+- `region` (String) The region which should be addressed

 ### Optional

- `region` (String) The resource region. If not defined, the provider region is used.
+- `page` (Number) Number of the page of items list to be returned.
+- `size` (Number) Number of items to be returned on each page.
+- `sort` (String) Sorting of the users to be returned on each page.

 ### Read-Only

- `default_database` (String)
- `host` (String)
- `id` (String) Terraform's internal data source. ID. It is structured as "`project_id`,`region`,`instance_id`,`user_id`".
- `port` (Number)
- `roles` (Set of String) Database access levels for the user.
- `status` (String)
- `username` (String) Username of the SQLServer Flex instance.
+- `pagination` (Attributes) (see [below for nested schema](#nestedatt--pagination))
+- `users` (Attributes List) List of all users inside an instance (see [below for nested schema](#nestedatt--users))
+
+<a id="nestedatt--pagination"></a>
+### Nested Schema for `pagination`
+
+Read-Only:
+
+- `page` (Number)
+- `size` (Number)
+- `sort` (String)
+- `total_pages` (Number)
+- `total_rows` (Number)
+
+
+<a id="nestedatt--users"></a>
+### Nested Schema for `users`
+
+Read-Only:
+
+- `status` (String) The current status of the user.
+- `tf_original_api_id` (Number) The ID of the user.
+- `username` (String) The name of the user.
--- a/docs/data-sources/sqlserverflexalpha_version.md
+++ b/docs/data-sources/sqlserverflexalpha_version.md
@ -1,35 +0,0 @@
---
-# generated by https://github.com/hashicorp/terraform-plugin-docs
-page_title: "stackitprivatepreview_sqlserverflexalpha_version Data Source - stackitprivatepreview"
-subcategory: ""
-description: |-
-  
---
-
-# stackitprivatepreview_sqlserverflexalpha_version (Data Source)
-
-
-
-
-
-<!-- schema generated by tfplugindocs -->
-## Schema
-
-### Required
-
- `project_id` (String) The STACKIT project ID.
- `region` (String) The region which should be addressed
-
-### Read-Only
-
- `versions` (Attributes List) A list containing available sqlserver versions. (see [below for nested schema](#nestedatt--versions))
-
-<a id="nestedatt--versions"></a>
-### Nested Schema for `versions`
-
-Read-Only:
-
- `beta` (Boolean) Flag if the version is a beta version. If set the version may contain bugs and is not fully tested.
- `deprecated` (String) Timestamp in RFC3339 format which says when the version will no longer be supported by STACKIT.
- `recommend` (Boolean) Flag if the version is recommend by the STACKIT Team.
- `version` (String) The sqlserver version used for the instance.
--- a/docs/data-sources/sqlserverflexbeta_database.md
+++ b/docs/data-sources/sqlserverflexbeta_database.md
@ -0,0 +1,40 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stackitprivatepreview_sqlserverflexbeta_database Data Source - stackitprivatepreview"
+subcategory: ""
+description: |-
+  
+---
+
+# stackitprivatepreview_sqlserverflexbeta_database (Data Source)
+
+
+
+## Example Usage
+
+```terraform
+data "stackitprivatepreview_sqlserverflexbeta_database" "example" {
+  project_id    = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  instance_id   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  database_name = "dbname"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `database_name` (String) The name of the database.
+- `instance_id` (String) The ID of the instance.
+- `project_id` (String) The STACKIT project ID.
+- `region` (String) The region which should be addressed
+
+### Read-Only
+
+- `collation_name` (String) The collation of the database. This database collation should match the *collation_name* of one of the collations given by the **Get database collation list** endpoint.
+- `compatibility_level` (Number) CompatibilityLevel of the Database.
+- `id` (String) The terraform internal identifier.
+- `name` (String) The name of the database.
+- `owner` (String) The owner of the database.
+- `tf_original_api_id` (Number) The id of the database.
--- a/docs/data-sources/sqlserverflexbeta_instance.md
+++ b/docs/data-sources/sqlserverflexbeta_instance.md
@ -0,0 +1,77 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stackitprivatepreview_sqlserverflexbeta_instance Data Source - stackitprivatepreview"
+subcategory: ""
+description: |-
+  
+---
+
+# stackitprivatepreview_sqlserverflexbeta_instance (Data Source)
+
+
+
+## Example Usage
+
+```terraform
+data "stackitprivatepreview_sqlserverflexbeta_instance" "example" {
+  project_id  = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `instance_id` (String) The ID of the instance.
+- `project_id` (String) The STACKIT project ID.
+- `region` (String) The region which should be addressed
+
+### Read-Only
+
+- `backup_schedule` (String) The schedule for on what time and how often the database backup will be created. The schedule is written as a cron schedule.
+- `edition` (String) Edition of the MSSQL server instance
+- `encryption` (Attributes) this defines which key to use for storage encryption (see [below for nested schema](#nestedatt--encryption))
+- `flavor_id` (String) The id of the instance flavor.
+- `is_deletable` (Boolean) Whether the instance can be deleted or not.
+- `name` (String) The name of the instance.
+- `network` (Attributes) The access configuration of the instance (see [below for nested schema](#nestedatt--network))
+- `replicas` (Number) How many replicas the instance should have.
+- `retention_days` (Number) The days for how long the backup files should be stored before cleaned up. 30 to 365
+- `status` (String)
+- `storage` (Attributes) The object containing information about the storage size and class. (see [below for nested schema](#nestedatt--storage))
+- `tf_original_api_id` (String) The ID of the instance.
+- `version` (String) The sqlserver version used for the instance.
+
+<a id="nestedatt--encryption"></a>
+### Nested Schema for `encryption`
+
+Read-Only:
+
+- `kek_key_id` (String) The key identifier
+- `kek_key_ring_id` (String) The keyring identifier
+- `kek_key_version` (String) The key version
+- `service_account` (String)
+
+
+<a id="nestedatt--network"></a>
+### Nested Schema for `network`
+
+Read-Only:
+
+- `access_scope` (String) The network access scope of the instance
+
+⚠️ **Note:** This feature is in private preview. Supplying this object is only permitted for enabled accounts. If your account does not have access, the request will be rejected.
+- `acl` (List of String) List of IPV4 cidr.
+- `instance_address` (String)
+- `router_address` (String)
+
+
+<a id="nestedatt--storage"></a>
+### Nested Schema for `storage`
+
+Read-Only:
+
+- `class` (String) The storage class for the storage.
+- `size` (Number) The storage size in Gigabytes.
--- a/docs/data-sources/sqlserverflexbeta_user.md
+++ b/docs/data-sources/sqlserverflexbeta_user.md
@ -0,0 +1,54 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stackitprivatepreview_sqlserverflexbeta_user Data Source - stackitprivatepreview"
+subcategory: ""
+description: |-
+  
+---
+
+# stackitprivatepreview_sqlserverflexbeta_user (Data Source)
+
+
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `instance_id` (String) The ID of the instance.
+- `project_id` (String) The STACKIT project ID.
+- `region` (String) The region which should be addressed
+
+### Optional
+
+- `page` (Number) Number of the page of items list to be returned.
+- `size` (Number) Number of items to be returned on each page.
+- `sort` (String) Sorting of the users to be returned on each page.
+
+### Read-Only
+
+- `pagination` (Attributes) (see [below for nested schema](#nestedatt--pagination))
+- `users` (Attributes List) List of all users inside an instance (see [below for nested schema](#nestedatt--users))
+
+<a id="nestedatt--pagination"></a>
+### Nested Schema for `pagination`
+
+Read-Only:
+
+- `page` (Number)
+- `size` (Number)
+- `sort` (String)
+- `total_pages` (Number)
+- `total_rows` (Number)
+
+
+<a id="nestedatt--users"></a>
+### Nested Schema for `users`
+
+Read-Only:
+
+- `status` (String) The current status of the user.
+- `tf_original_api_id` (Number) The ID of the user.
+- `username` (String) The name of the user.
--- a/docs/index.md
+++ b/docs/index.md
@ -16,14 +16,13 @@ provider "stackitprivatepreview" {
  default_region = "eu01"
 }

-# Authentication
-
-# Token flow (scheduled for deprecation and will be removed on December 17, 2025)
 provider "stackitprivatepreview" {
  default_region           = "eu01"
-  service_account_token = var.service_account_token
+  service_account_key_path = "service_account.json"
 }

+# Authentication
+
 # Key flow
 provider "stackitprivatepreview" {
  default_region      = "eu01"
--- a/docs/resources/postgresflexalpha_database.md
+++ b/docs/resources/postgresflexalpha_database.md
@ -3,12 +3,12 @@
 page_title: "stackitprivatepreview_postgresflexalpha_database Resource - stackitprivatepreview"
 subcategory: ""
 description: |-
-  Postgres Flex database resource schema. Must have a region specified in the provider configuration.
+  
 ---

 # stackitprivatepreview_postgresflexalpha_database (Resource)

-Postgres Flex database resource schema. Must have a `region` specified in the provider configuration.
+

 ## Example Usage

@ -25,6 +25,16 @@ import {
  to = stackitprivatepreview_postgresflexalpha_database.import-example
  id = "${var.project_id},${var.region},${var.postgres_instance_id},${var.postgres_database_id}"
 }
+
+import {
+  to = stackitprivatepreview_postgresflexalpha_database.import-example
+  identity = {
+    project_id  = "project_id"
+    region      = "region"
+    instance_id = "instance_id"
+    database_id = "database_id"
+  }
+}
 ```

 <!-- schema generated by tfplugindocs -->
@ -32,16 +42,16 @@ import {

 ### Required

- `instance_id` (String) ID of the Postgres Flex instance.
- `name` (String) Database name.
- `owner` (String) Username of the database owner.
- `project_id` (String) STACKIT project ID to which the instance is associated.
+- `name` (String) The name of the database.

 ### Optional

- `region` (String) The resource region. If not defined, the provider region is used.
+- `database_id` (Number) The ID of the database.
+- `instance_id` (String) The ID of the instance.
+- `owner` (String) The owner of the database.
+- `project_id` (String) The STACKIT project ID.
+- `region` (String) The region which should be addressed

 ### Read-Only

- `database_id` (Number) Database ID.
- `id` (String) Terraform's internal resource ID. It is structured as "`project_id`,`region`,`instance_id`,`database_id`".
+- `id` (String) The id of the database.
--- a/docs/resources/postgresflexalpha_instance.md
+++ b/docs/resources/postgresflexalpha_instance.md
@ -13,21 +13,29 @@ description: |-
 ## Example Usage

 ```terraform
-resource "stackitprivatepreview_postgresflexalpha_instance" "example" {
+resource "stackitprivatepreview_postgresflexalpha_instance" "example-instance" {
  project_id      = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  name            = "example-instance"
  acl             = ["XXX.XXX.XXX.X/XX", "XX.XXX.XX.X/XX"]
-  backup_schedule = "00 00 * * *"
-  flavor = {
-    cpu = 2
-    ram = 4
-  }
-  replicas = 3
+  backup_schedule = "0 0 * * *"
+  retention_days  = 30
+  flavor_id       = "flavor.id"
+  replicas        = 1
  storage = {
-    class = "class"
-    size  = 5
+    performance_class = "premium-perf2-stackit"
+    size              = 10
  }
-  version = 14
+  encryption = {
+    kek_key_id      = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+    kek_key_ring_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+    kek_key_version = 1
+    service_account = "service@account.email"
+  }
+  network = {
+    acl          = ["XXX.XXX.XXX.X/XX", "XX.XXX.XX.X/XX"]
+    access_scope = "PUBLIC"
+  }
+  version = 17
 }

 # Only use the import statement, if you want to import an existing postgresflex instance
@ -35,6 +43,15 @@ import {
  to = stackitprivatepreview_postgresflexalpha_instance.import-example
  id = "${var.project_id},${var.region},${var.postgres_instance_id}"
 }
+
+import {
+  to = stackitprivatepreview_postgresflexalpha_instance.import-example
+  identity = {
+    project_id  = var.project_id
+    region      = var.region
+    instance_id = var.postgres_instance_id
+  }
+}
 ```

 <!-- schema generated by tfplugindocs -->
@ -42,7 +59,7 @@ import {

 ### Required

- `backup_schedule` (String) The schedule for on what time and how often the database backup will be created. The schedule is written as a cron schedule.
+- `backup_schedule` (String) The schedule for when the database backup will be created. Currently, ONLY daily schedules are supported (every 24 hours). The schedule is written as a cron schedule.
 - `flavor_id` (String) The id of the instance flavor.
 - `name` (String) The name of the instance.
 - `network` (Attributes) The access configuration of the instance (see [below for nested schema](#nestedatt--network))
@ -55,14 +72,15 @@ import {

 - `encryption` (Attributes) The configuration for instance's volume and backup storage encryption.

-⚠️ **Note:** This feature is in private preview. Supplying this object is only permitted for enabled accounts. If your account does not have access, the request will be rejected. (see [below for nested schema](#nestedatt--encryption))
+⚠︝ **Note:** This feature is in private preview. Supplying this object is only permitted for enabled accounts. If your account does not have access, the request will be rejected. (see [below for nested schema](#nestedatt--encryption))
 - `instance_id` (String) The ID of the instance.
 - `project_id` (String) The STACKIT project ID.
 - `region` (String) The region which should be addressed

 ### Read-Only

- `connection_info` (Attributes) The DNS name and port in the instance overview (see [below for nested schema](#nestedatt--connection_info))
+- `acl` (List of String) List of IPV4 cidr.
+- `connection_info` (Attributes) The connection information of the instance (see [below for nested schema](#nestedatt--connection_info))
 - `id` (String) The ID of the instance.
 - `is_deletable` (Boolean) Whether the instance can be deleted or not.
 - `status` (String) The current status of the instance.
@ -77,6 +95,9 @@ Required:
 Optional:

 - `access_scope` (String) The access scope of the instance. It defines if the instance is public or airgapped.
+
+Read-Only:
+
 - `instance_address` (String)
 - `router_address` (String)

@ -106,5 +127,12 @@ Required:

 Read-Only:

+- `write` (Attributes) The DNS name and port in the instance overview (see [below for nested schema](#nestedatt--connection_info--write))
+
+<a id="nestedatt--connection_info--write"></a>
+### Nested Schema for `connection_info.write`
+
+Read-Only:
+
 - `host` (String) The host of the instance.
 - `port` (Number) The port of the instance.
--- a/docs/resources/postgresflexalpha_user.md
+++ b/docs/resources/postgresflexalpha_user.md
@ -3,12 +3,12 @@
 page_title: "stackitprivatepreview_postgresflexalpha_user Resource - stackitprivatepreview"
 subcategory: ""
 description: |-
-  Postgres Flex user resource schema. Must have a region specified in the provider configuration.
+  
 ---

 # stackitprivatepreview_postgresflexalpha_user (Resource)

-Postgres Flex user resource schema. Must have a `region` specified in the provider configuration.
+

 ## Example Usage

@ -16,7 +16,7 @@ Postgres Flex user resource schema. Must have a `region` specified in the provid
 resource "stackitprivatepreview_postgresflexalpha_user" "example" {
  project_id  = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
-  username    = "username"
+  name        = "username"
  roles       = ["role"]
 }

@ -25,6 +25,16 @@ import {
  to = stackitprivatepreview_postgresflexalpha_user.import-example
  id = "${var.project_id},${var.region},${var.postgres_instance_id},${var.user_id}"
 }
+
+import {
+  to = stackitprivatepreview_postgresflexalpha_user.import-example
+  identity = {
+    project_id  = "project.id"
+    region      = "region"
+    instance_id = "instance.id"
+    user_id     = "user.id"
+  }
+}
 ```

 <!-- schema generated by tfplugindocs -->
@ -32,21 +42,18 @@ import {

 ### Required

- `instance_id` (String) ID of the PostgresFlex instance.
- `project_id` (String) STACKIT project ID to which the instance is associated.
- `roles` (Set of String) Database access levels for the user. Possible values are: `login`, `createdb`, `createrole`.
- `username` (String) The name of the user.
+- `name` (String) The name of the user.

 ### Optional

- `region` (String) The resource region. If not defined, the provider region is used.
+- `instance_id` (String) The ID of the instance.
+- `project_id` (String) The STACKIT project ID.
+- `region` (String) The region which should be addressed
+- `roles` (List of String) A list containing the user roles for the instance.
+- `user_id` (Number) The ID of the user.

 ### Read-Only

- `connection_string` (String) The connection string for the user to the instance.
- `host` (String) The host of the Postgres Flex instance.
- `id` (String) Terraform's internal resource ID. It is structured as "`project_id`,`region`,`instance_id`,`user_id`".
- `password` (String, Sensitive) The password for the user. This is only set upon creation.
- `port` (Number) The port of the Postgres Flex instance.
+- `id` (String) The ID of the user.
+- `password` (String) The password for the user.
 - `status` (String) The current status of the user.
- `user_id` (Number) User ID.
--- a/docs/resources/sqlserverflexalpha_database.md
+++ b/docs/resources/sqlserverflexalpha_database.md
@ -10,7 +10,34 @@ description: |-



+## Example Usage

+```terraform
+resource "stackitprivatepreview_sqlserverflexalpha_database" "example" {
+  project_id    = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  instance_id   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  collation     = ""
+  compatibility = "160"
+  name          = ""
+  owner         = ""
+}
+
+# Only use the import statement, if you want to import a existing sqlserverflex database
+import {
+  to = stackitprivatepreview_sqlserverflexalpha_database.import-example
+  id = "${var.project_id},${var.region},${var.sql_instance_id},${var.sql_user_id}"
+}
+
+import {
+  to = stackitprivatepreview_sqlserverflexalpha_database.import-example
+  identity = {
+    project_id  = "project.id"
+    region      = "region"
+    instance_id = "instance.id"
+    database_id = "database.id"
+  }
+}
+```

 <!-- schema generated by tfplugindocs -->
 ## Schema
--- a/docs/resources/sqlserverflexalpha_instance.md
+++ b/docs/resources/sqlserverflexalpha_instance.md
@ -3,12 +3,12 @@
 page_title: "stackitprivatepreview_sqlserverflexalpha_instance Resource - stackitprivatepreview"
 subcategory: ""
 description: |-
-  SQLServer Flex ALPHA instance resource schema. Must have a region specified in the provider configuration.
+  
 ---

 # stackitprivatepreview_sqlserverflexalpha_instance (Resource)

-SQLServer Flex ALPHA instance resource schema. Must have a `region` specified in the provider configuration.
+

 ## Example Usage

@ -41,41 +41,55 @@ import {

 ### Required

- `flavor_id` (String)
- `name` (String) Instance name.
- `network` (Attributes) The network block. (see [below for nested schema](#nestedatt--network))
- `project_id` (String) STACKIT project ID to which the instance is associated.
+- `backup_schedule` (String) The schedule for on what time and how often the database backup will be created. The schedule is written as a cron schedule.
+- `flavor_id` (String) The id of the instance flavor.
+- `name` (String) The name of the instance.
+- `network` (Attributes) the network configuration of the instance. (see [below for nested schema](#nestedatt--network))
+- `retention_days` (Number) The days for how long the backup files should be stored before cleaned up. 30 to 365
+- `storage` (Attributes) The object containing information about the storage size and class. (see [below for nested schema](#nestedatt--storage))
+- `version` (String) The sqlserver version used for the instance.

 ### Optional

- `backup_schedule` (String) The backup schedule. Should follow the cron scheduling system format (e.g. "0 0 * * *")
- `encryption` (Attributes) The encryption block. (see [below for nested schema](#nestedatt--encryption))
- `is_deletable` (Boolean)
- `region` (String) The resource region. If not defined, the provider region is used.
- `retention_days` (Number)
- `status` (String)
- `storage` (Attributes) (see [below for nested schema](#nestedatt--storage))
- `version` (String)
+- `encryption` (Attributes) this defines which key to use for storage encryption (see [below for nested schema](#nestedatt--encryption))
+- `instance_id` (String) The ID of the instance.
+- `project_id` (String) The STACKIT project ID.
+- `region` (String) The region which should be addressed

 ### Read-Only

- `edition` (String)
- `id` (String) Terraform's internal resource ID. It is structured as "`project_id`,`region`,`instance_id`".
- `instance_id` (String) ID of the SQLServer Flex instance.
- `replicas` (Number)
+- `edition` (String) Edition of the MSSQL server instance
+- `id` (String) The ID of the instance.
+- `is_deletable` (Boolean) Whether the instance can be deleted or not.
+- `replicas` (Number) How many replicas the instance should have.
+- `status` (String)

 <a id="nestedatt--network"></a>
 ### Nested Schema for `network`

 Required:

- `access_scope` (String) The access scope of the instance. (SNA | PUBLIC)
- `acl` (List of String) The Access Control List (ACL) for the SQLServer Flex instance.
+- `acl` (List of String) List of IPV4 cidr.
+
+Optional:
+
+- `access_scope` (String) The network access scope of the instance
+
+⚠️ **Note:** This feature is in private preview. Supplying this object is only permitted for enabled accounts. If your account does not have access, the request will be rejected.

 Read-Only:

- `instance_address` (String) The returned instance IP address of the SQLServer Flex instance.
- `router_address` (String) The returned router IP address of the SQLServer Flex instance.
+- `instance_address` (String)
+- `router_address` (String)
+
+
+<a id="nestedatt--storage"></a>
+### Nested Schema for `storage`
+
+Required:
+
+- `class` (String) The storage class for the storage.
+- `size` (Number) The storage size in Gigabytes.


 <a id="nestedatt--encryption"></a>
@ -83,16 +97,7 @@ Read-Only:

 Required:

- `key_id` (String) STACKIT KMS - Key ID of the encryption key to use.
- `key_version` (String) STACKIT KMS - Key version to use in the encryption key.
- `keyring_id` (String) STACKIT KMS - KeyRing ID of the encryption key to use.
+- `kek_key_id` (String) The key identifier
+- `kek_key_ring_id` (String) The keyring identifier
+- `kek_key_version` (String) The key version
 - `service_account` (String)
-
-
-<a id="nestedatt--storage"></a>
-### Nested Schema for `storage`
-
-Optional:
-
- `class` (String)
- `size` (Number)
--- a/docs/resources/sqlserverflexalpha_user.md
+++ b/docs/resources/sqlserverflexalpha_user.md
@ -3,12 +3,12 @@
 page_title: "stackitprivatepreview_sqlserverflexalpha_user Resource - stackitprivatepreview"
 subcategory: ""
 description: |-
-  SQLServer Flex user resource schema. Must have a region specified in the provider configuration.
+  
 ---

 # stackitprivatepreview_sqlserverflexalpha_user (Resource)

-SQLServer Flex user resource schema. Must have a `region` specified in the provider configuration.
+

 ## Example Usage

@ -32,21 +32,22 @@ import {

 ### Required

- `instance_id` (String) ID of the SQLServer Flex instance.
- `project_id` (String) STACKIT project ID to which the instance is associated.
- `roles` (Set of String) Database access levels for the user. The values for the default roles are: `##STACKIT_DatabaseManager##`, `##STACKIT_LoginManager##`, `##STACKIT_ProcessManager##`, `##STACKIT_ServerManager##`, `##STACKIT_SQLAgentManager##`, `##STACKIT_SQLAgentUser##`
- `username` (String) Username of the SQLServer Flex instance.
+- `roles` (List of String) A list containing the user roles for the instance. A list with the valid user roles can be retrieved using the List Roles endpoint.
+- `username` (String) The name of the user.

 ### Optional

- `region` (String)
+- `default_database` (String) The default database for a user of the instance.
+- `instance_id` (String) The ID of the instance.
+- `project_id` (String) The STACKIT project ID.
+- `region` (String) The region which should be addressed
+- `user_id` (Number) The ID of the user.

 ### Read-Only

- `default_database` (String)
- `host` (String)
- `id` (String) Terraform's internal resource ID. It is structured as "`project_id`,`region`,`instance_id`,`user_id`".
- `password` (String, Sensitive) Password of the user account.
- `port` (Number)
- `status` (String)
- `user_id` (Number) User ID.
+- `host` (String) The host of the instance in which the user belongs to.
+- `id` (Number) The ID of the user.
+- `password` (String) The password for the user.
+- `port` (Number) The port of the instance in which the user belongs to.
+- `status` (String) The current status of the user.
+- `uri` (String) The connection string for the user to the instance.
--- a/docs/resources/sqlserverflexbeta_database.md
+++ b/docs/resources/sqlserverflexbeta_database.md
@ -0,0 +1,51 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stackitprivatepreview_sqlserverflexbeta_database Resource - stackitprivatepreview"
+subcategory: ""
+description: |-
+  
+---
+
+# stackitprivatepreview_sqlserverflexbeta_database (Resource)
+
+
+
+## Example Usage
+
+```terraform
+resource "stackitprivatepreview_sqlserverflexalpha_user" "example" {
+  project_id  = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  username    = "username"
+  roles       = ["role"]
+}
+
+# Only use the import statement, if you want to import an existing sqlserverflex user
+import {
+  to = stackitprivatepreview_sqlserverflexalpha_user.import-example
+  id = "${var.project_id},${var.region},${var.sql_instance_id},${var.sql_user_id}"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `name` (String) The name of the database.
+- `owner` (String) The owner of the database.
+
+### Optional
+
+- `collation` (String) The collation of the database. This database collation should match the *collation_name* of one of the collations given by the **Get database collation list** endpoint.
+- `compatibility` (Number) CompatibilityLevel of the Database.
+- `database_name` (String) The name of the database.
+- `instance_id` (String) The ID of the instance.
+- `project_id` (String) The STACKIT project ID.
+- `region` (String) The region which should be addressed
+
+### Read-Only
+
+- `collation_name` (String) The collation of the database. This database collation should match the *collation_name* of one of the collations given by the **Get database collation list** endpoint.
+- `compatibility_level` (Number) CompatibilityLevel of the Database.
+- `id` (Number) The id of the database.
--- a/docs/resources/sqlserverflexbeta_instance.md
+++ b/docs/resources/sqlserverflexbeta_instance.md
@ -0,0 +1,158 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stackitprivatepreview_sqlserverflexbeta_instance Resource - stackitprivatepreview"
+subcategory: ""
+description: |-
+  
+---
+
+# stackitprivatepreview_sqlserverflexbeta_instance (Resource)
+
+
+
+## Example Usage
+
+```terraform
+# without encryption and SNA
+resource "stackitprivatepreview_sqlserverflexbeta_instance" "instance" {
+  project_id      = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  name            = "example-instance"
+  backup_schedule = "0 3 * * *"
+  retention_days  = 31
+  flavor_id       = "flavor_id"
+  storage = {
+    class = "premium-perf2-stackit"
+    size  = 50
+  }
+  version = 2022
+  network = {
+    acl          = ["XXX.XXX.XXX.X/XX", "XX.XXX.XX.X/XX"]
+    access_scope = "SNA"
+  }
+}
+
+# without encryption and PUBLIC
+resource "stackitprivatepreview_sqlserverflexbeta_instance" "instance" {
+  project_id      = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  name            = "example-instance"
+  backup_schedule = "0 3 * * *"
+  retention_days  = 31
+  flavor_id       = "flavor_id"
+  storage = {
+    class = "premium-perf2-stackit"
+    size  = 50
+  }
+  version = 2022
+  network = {
+    acl          = ["XXX.XXX.XXX.X/XX", "XX.XXX.XX.X/XX"]
+    access_scope = "PUBLIC"
+  }
+}
+
+# with encryption and SNA
+resource "stackitprivatepreview_sqlserverflexbeta_instance" "instance" {
+  project_id      = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  name            = "example-instance"
+  backup_schedule = "0 3 * * *"
+  retention_days  = 31
+  flavor_id       = "flavor_id"
+  storage = {
+    class = "premium-perf2-stackit"
+    size  = 50
+  }
+  version = 2022
+  encryption = {
+    kek_key_id      = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+    kek_key_ring_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+    kek_key_version = 1
+    service_account = "service_account@email"
+  }
+  network = {
+    acl          = ["XXX.XXX.XXX.X/XX", "XX.XXX.XX.X/XX"]
+    access_scope = "SNA"
+  }
+}
+
+
+# Only use the import statement, if you want to import an existing sqlserverflex instance
+import {
+  to = stackitprivatepreview_sqlserverflexalpha_instance.import-example
+  id = "${var.project_id},${var.region},${var.sql_instance_id}"
+}
+
+# import with identity
+import {
+  to = stackitprivatepreview_sqlserverflexalpha_instance.import-example
+  identity = {
+    project_id  = var.project_id
+    region      = var.region
+    instance_id = var.sql_instance_id
+  }
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `backup_schedule` (String) The schedule for on what time and how often the database backup will be created. The schedule is written as a cron schedule.
+- `flavor_id` (String) The id of the instance flavor.
+- `name` (String) The name of the instance.
+- `network` (Attributes) the network configuration of the instance. (see [below for nested schema](#nestedatt--network))
+- `retention_days` (Number) The days for how long the backup files should be stored before cleaned up. 30 to 365
+- `storage` (Attributes) The object containing information about the storage size and class. (see [below for nested schema](#nestedatt--storage))
+- `version` (String) The sqlserver version used for the instance.
+
+### Optional
+
+- `encryption` (Attributes) this defines which key to use for storage encryption (see [below for nested schema](#nestedatt--encryption))
+- `instance_id` (String) The ID of the instance.
+- `project_id` (String) The STACKIT project ID.
+- `region` (String) The region which should be addressed
+
+### Read-Only
+
+- `edition` (String) Edition of the MSSQL server instance
+- `id` (String) The ID of the instance.
+- `is_deletable` (Boolean) Whether the instance can be deleted or not.
+- `replicas` (Number) How many replicas the instance should have.
+- `status` (String)
+
+<a id="nestedatt--network"></a>
+### Nested Schema for `network`
+
+Required:
+
+- `acl` (List of String) List of IPV4 cidr.
+
+Optional:
+
+- `access_scope` (String) The network access scope of the instance
+
+⚠️ **Note:** This feature is in private preview. Supplying this object is only permitted for enabled accounts. If your account does not have access, the request will be rejected.
+
+Read-Only:
+
+- `instance_address` (String)
+- `router_address` (String)
+
+
+<a id="nestedatt--storage"></a>
+### Nested Schema for `storage`
+
+Required:
+
+- `class` (String) The storage class for the storage.
+- `size` (Number) The storage size in Gigabytes.
+
+
+<a id="nestedatt--encryption"></a>
+### Nested Schema for `encryption`
+
+Required:
+
+- `kek_key_id` (String) The key identifier
+- `kek_key_ring_id` (String) The keyring identifier
+- `kek_key_version` (String) The key version
+- `service_account` (String)
--- a/docs/resources/sqlserverflexbeta_user.md
+++ b/docs/resources/sqlserverflexbeta_user.md
@ -0,0 +1,53 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stackitprivatepreview_sqlserverflexbeta_user Resource - stackitprivatepreview"
+subcategory: ""
+description: |-
+  
+---
+
+# stackitprivatepreview_sqlserverflexbeta_user (Resource)
+
+
+
+## Example Usage
+
+```terraform
+resource "stackitprivatepreview_sqlserverflexalpha_user" "example" {
+  project_id  = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  username    = "username"
+  roles       = ["role"]
+}
+
+# Only use the import statement, if you want to import an existing sqlserverflex user
+import {
+  to = stackitprivatepreview_sqlserverflexalpha_user.import-example
+  id = "${var.project_id},${var.region},${var.sql_instance_id},${var.sql_user_id}"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `roles` (List of String) A list containing the user roles for the instance. A list with the valid user roles can be retrieved using the List Roles endpoint.
+- `username` (String) The name of the user.
+
+### Optional
+
+- `default_database` (String) The default database for a user of the instance.
+- `instance_id` (String) The ID of the instance.
+- `project_id` (String) The STACKIT project ID.
+- `region` (String) The region which should be addressed
+- `user_id` (Number) The ID of the user.
+
+### Read-Only
+
+- `host` (String) The host of the instance in which the user belongs to.
+- `id` (Number) The ID of the user.
+- `password` (String) The password for the user.
+- `port` (Number) The port of the instance in which the user belongs to.
+- `status` (String) The current status of the user.
+- `uri` (String) The connection string for the user to the instance.
--- a/examples/data-sources/stackitprivatepreview_postgresflexalpha_flavor/data-source.tf
+++ b/examples/data-sources/stackitprivatepreview_postgresflexalpha_flavor/data-source.tf
@ -0,0 +1,8 @@
+data "stackitprivatepreview_postgresflexalpha_flavor" "flavor" {
+  project_id    = var.project_id
+  region        = var.region
+  cpu           = 4
+  ram           = 16
+  node_type     = "Single"
+  storage_class = "premium-perf2-stackit"
+}
--- a/examples/data-sources/stackitprivatepreview_sqlserverflexalpha_flavor/data-source.tf
+++ b/examples/data-sources/stackitprivatepreview_sqlserverflexalpha_flavor/data-source.tf
@ -0,0 +1,8 @@
+data "stackitprivatepreview_sqlserverflexalpha_flavor" "flavor" {
+  project_id    = var.project_id
+  region        = var.region
+  cpu           = 4
+  ram           = 16
+  node_type     = "Single"
+  storage_class = "premium-perf2-stackit"
+}
--- a/examples/data-sources/stackitprivatepreview_sqlserverflexbeta_database/data-source.tf
+++ b/examples/data-sources/stackitprivatepreview_sqlserverflexbeta_database/data-source.tf
@ -0,0 +1,5 @@
+data "stackitprivatepreview_sqlserverflexbeta_database" "example" {
+  project_id    = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  instance_id   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  database_name = "dbname"
+}
--- a/examples/data-sources/stackitprivatepreview_sqlserverflexbeta_flavor/data-source.tf
+++ b/examples/data-sources/stackitprivatepreview_sqlserverflexbeta_flavor/data-source.tf
@ -0,0 +1,8 @@
+data "stackitprivatepreview_sqlserverflexbeta_flavor" "flavor" {
+  project_id    = var.project_id
+  region        = var.region
+  cpu           = 4
+  ram           = 16
+  node_type     = "Single"
+  storage_class = "premium-perf2-stackit"
+}
--- a/examples/data-sources/stackitprivatepreview_sqlserverflexbeta_instance/data-source.tf
+++ b/examples/data-sources/stackitprivatepreview_sqlserverflexbeta_instance/data-source.tf
@ -0,0 +1,4 @@
+data "stackitprivatepreview_sqlserverflexbeta_instance" "example" {
+  project_id  = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+}
--- a/examples/provider/provider.tf
+++ b/examples/provider/provider.tf
@ -2,14 +2,13 @@ provider "stackitprivatepreview" {
  default_region = "eu01"
 }

+provider "stackitprivatepreview" {
+  default_region           = "eu01"
+  service_account_key_path = "service_account.json"
+}
+
 # Authentication

-# Token flow (scheduled for deprecation and will be removed on December 17, 2025)
-provider "stackitprivatepreview" {
-  default_region        = "eu01"
-  service_account_token = var.service_account_token
-}
-
 # Key flow
 provider "stackitprivatepreview" {
  default_region      = "eu01"
@ -23,4 +22,3 @@ provider "stackitprivatepreview" {
  service_account_key_path = var.service_account_key_path
  private_key_path         = var.private_key_path
 }
-
--- a/examples/resources/stackitprivatepreview_postgresflexalpha_database/resource.tf
+++ b/examples/resources/stackitprivatepreview_postgresflexalpha_database/resource.tf
@ -10,3 +10,13 @@ import {
  to = stackitprivatepreview_postgresflexalpha_database.import-example
  id = "${var.project_id},${var.region},${var.postgres_instance_id},${var.postgres_database_id}"
 }
+
+import {
+  to = stackitprivatepreview_postgresflexalpha_database.import-example
+  identity = {
+    project_id  = "project_id"
+    region      = "region"
+    instance_id = "instance_id"
+    database_id = "database_id"
+  }
+}
--- a/examples/resources/stackitprivatepreview_postgresflexalpha_instance/resource.tf
+++ b/examples/resources/stackitprivatepreview_postgresflexalpha_instance/resource.tf
@ -1,18 +1,26 @@
-resource "stackitprivatepreview_postgresflexalpha_instance" "example" {
+resource "stackitprivatepreview_postgresflexalpha_instance" "example-instance" {
  project_id      = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  name            = "example-instance"
  acl             = ["XXX.XXX.XXX.X/XX", "XX.XXX.XX.X/XX"]
-  backup_schedule = "00 00 * * *"
-  flavor = {
-    cpu = 2
-    ram = 4
-  }
-  replicas = 3
+  backup_schedule = "0 0 * * *"
+  retention_days  = 30
+  flavor_id       = "flavor.id"
+  replicas        = 1
  storage = {
-    class = "class"
-    size  = 5
+    performance_class = "premium-perf2-stackit"
+    size              = 10
  }
-  version = 14
+  encryption = {
+    kek_key_id      = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+    kek_key_ring_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+    kek_key_version = 1
+    service_account = "service@account.email"
+  }
+  network = {
+    acl          = ["XXX.XXX.XXX.X/XX", "XX.XXX.XX.X/XX"]
+    access_scope = "PUBLIC"
+  }
+  version = 17
 }

 # Only use the import statement, if you want to import an existing postgresflex instance
@ -20,3 +28,12 @@ import {
  to = stackitprivatepreview_postgresflexalpha_instance.import-example
  id = "${var.project_id},${var.region},${var.postgres_instance_id}"
 }
+
+import {
+  to = stackitprivatepreview_postgresflexalpha_instance.import-example
+  identity = {
+    project_id  = var.project_id
+    region      = var.region
+    instance_id = var.postgres_instance_id
+  }
+}
--- a/examples/resources/stackitprivatepreview_postgresflexalpha_user/resource.tf
+++ b/examples/resources/stackitprivatepreview_postgresflexalpha_user/resource.tf
@ -1,7 +1,7 @@
 resource "stackitprivatepreview_postgresflexalpha_user" "example" {
  project_id  = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
-  username    = "username"
+  name        = "username"
  roles       = ["role"]
 }

@ -10,3 +10,13 @@ import {
  to = stackitprivatepreview_postgresflexalpha_user.import-example
  id = "${var.project_id},${var.region},${var.postgres_instance_id},${var.user_id}"
 }
+
+import {
+  to = stackitprivatepreview_postgresflexalpha_user.import-example
+  identity = {
+    project_id  = "project.id"
+    region      = "region"
+    instance_id = "instance.id"
+    user_id     = "user.id"
+  }
+}
--- a/examples/resources/stackitprivatepreview_sqlserverflexalpha_database/resource.tf
+++ b/examples/resources/stackitprivatepreview_sqlserverflexalpha_database/resource.tf
@ -0,0 +1,24 @@
+resource "stackitprivatepreview_sqlserverflexalpha_database" "example" {
+  project_id    = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  instance_id   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  collation     = ""
+  compatibility = "160"
+  name          = ""
+  owner         = ""
+}
+
+# Only use the import statement, if you want to import a existing sqlserverflex database
+import {
+  to = stackitprivatepreview_sqlserverflexalpha_database.import-example
+  id = "${var.project_id},${var.region},${var.sql_instance_id},${var.sql_user_id}"
+}
+
+import {
+  to = stackitprivatepreview_sqlserverflexalpha_database.import-example
+  identity = {
+    project_id  = "project.id"
+    region      = "region"
+    instance_id = "instance.id"
+    database_id = "database.id"
+  }
+}
--- a/examples/resources/stackitprivatepreview_sqlserverflexbeta_database/resource.tf
+++ b/examples/resources/stackitprivatepreview_sqlserverflexbeta_database/resource.tf
@ -0,0 +1,12 @@
+resource "stackitprivatepreview_sqlserverflexalpha_user" "example" {
+  project_id  = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  username    = "username"
+  roles       = ["role"]
+}
+
+# Only use the import statement, if you want to import an existing sqlserverflex user
+import {
+  to = stackitprivatepreview_sqlserverflexalpha_user.import-example
+  id = "${var.project_id},${var.region},${var.sql_instance_id},${var.sql_user_id}"
+}
--- a/examples/resources/stackitprivatepreview_sqlserverflexbeta_instance/resource.tf
+++ b/examples/resources/stackitprivatepreview_sqlserverflexbeta_instance/resource.tf
@ -0,0 +1,76 @@
+# without encryption and SNA
+resource "stackitprivatepreview_sqlserverflexbeta_instance" "instance" {
+  project_id      = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  name            = "example-instance"
+  backup_schedule = "0 3 * * *"
+  retention_days  = 31
+  flavor_id       = "flavor_id"
+  storage = {
+    class = "premium-perf2-stackit"
+    size  = 50
+  }
+  version = 2022
+  network = {
+    acl          = ["XXX.XXX.XXX.X/XX", "XX.XXX.XX.X/XX"]
+    access_scope = "SNA"
+  }
+}
+
+# without encryption and PUBLIC
+resource "stackitprivatepreview_sqlserverflexbeta_instance" "instance" {
+  project_id      = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  name            = "example-instance"
+  backup_schedule = "0 3 * * *"
+  retention_days  = 31
+  flavor_id       = "flavor_id"
+  storage = {
+    class = "premium-perf2-stackit"
+    size  = 50
+  }
+  version = 2022
+  network = {
+    acl          = ["XXX.XXX.XXX.X/XX", "XX.XXX.XX.X/XX"]
+    access_scope = "PUBLIC"
+  }
+}
+
+# with encryption and SNA
+resource "stackitprivatepreview_sqlserverflexbeta_instance" "instance" {
+  project_id      = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  name            = "example-instance"
+  backup_schedule = "0 3 * * *"
+  retention_days  = 31
+  flavor_id       = "flavor_id"
+  storage = {
+    class = "premium-perf2-stackit"
+    size  = 50
+  }
+  version = 2022
+  encryption = {
+    kek_key_id      = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+    kek_key_ring_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+    kek_key_version = 1
+    service_account = "service_account@email"
+  }
+  network = {
+    acl          = ["XXX.XXX.XXX.X/XX", "XX.XXX.XX.X/XX"]
+    access_scope = "SNA"
+  }
+}
+
+
+# Only use the import statement, if you want to import an existing sqlserverflex instance
+import {
+  to = stackitprivatepreview_sqlserverflexalpha_instance.import-example
+  id = "${var.project_id},${var.region},${var.sql_instance_id}"
+}
+
+# import with identity
+import {
+  to = stackitprivatepreview_sqlserverflexalpha_instance.import-example
+  identity = {
+    project_id  = var.project_id
+    region      = var.region
+    instance_id = var.sql_instance_id
+  }
+}
--- a/examples/resources/stackitprivatepreview_sqlserverflexbeta_user/resource.tf
+++ b/examples/resources/stackitprivatepreview_sqlserverflexbeta_user/resource.tf
@ -0,0 +1,12 @@
+resource "stackitprivatepreview_sqlserverflexalpha_user" "example" {
+  project_id  = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  username    = "username"
+  roles       = ["role"]
+}
+
+# Only use the import statement, if you want to import an existing sqlserverflex user
+import {
+  to = stackitprivatepreview_sqlserverflexalpha_user.import-example
+  id = "${var.project_id},${var.region},${var.sql_instance_id},${var.sql_user_id}"
+}
--- a/generator/cmd/build/build.go
+++ b/generator/cmd/build/build.go
@ -0,0 +1,341 @@
+package build
+
+import (
+	"errors"
+	"fmt"
+	"go/ast"
+	"go/parser"
+	"go/token"
+	"log/slog"
+	"os"
+	"path"
+	"regexp"
+	"strings"
+
+	"tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/generator/cmd/tools"
+)
+
+type Builder struct {
+	rootDir      string
+	SkipClone    bool
+	SkipCleanup  bool
+	PackagesOnly bool
+	Verbose      bool
+	Debug        bool
+}
+
+func (b *Builder) Build() error {
+	slog.Info("Starting Builder")
+	if b.PackagesOnly {
+		slog.Info("  >>> only generating pkg_gen <<<")
+	}
+
+	rootErr := b.determineRoot()
+	if rootErr != nil {
+		return rootErr
+	}
+
+	if !b.PackagesOnly {