chore: update README (#87 )

## Description  relates to #1234 ## Checklist - [ ] Issue was linked above - [ ] Code format was applied: `make fmt` - [ ] Examples were added / adjusted (see `examples/` directory) - [x] Docs are up-to-date: `make generate-docs` (will be checked by CI) - [ ] Unit tests got implemented or updated - [ ] Acceptance tests got implemented or updated (see e.g. [here](f5f99d1709/stackit/internal/services/dns/dns_acc_test.go)) - [x] Unit tests are passing: `make test` (will be checked by CI) - [x] No linter issues: `make lint` (will be checked by CI) Co-authored-by: Marcel S. Henselin <marcel@henselin.net> Co-authored-by: Marcel S. Henselin <marcel.henselin@stackit.cloud> Reviewed-on: #87
feat: more_tests (#85 )
2026-03-17 15:33:21 +00:00 · 2026-03-17 15:02:08 +00:00 · 2026-03-13 09:53:54 +00:00 · 2026-03-11 13:28:48 +00:00 · 2026-03-11 13:13:46 +00:00 · 2026-02-27 10:25:10 +00:00
286 changed files with 38604 additions and 10324 deletions
--- a/.github/actions/acc_test/README.md
+++ b/.github/actions/acc_test/README.md
@ -0,0 +1 @@
+# acceptance test action
--- a/.github/actions/acc_test/action.yaml
+++ b/.github/actions/acc_test/action.yaml
@ -0,0 +1,285 @@
+name: Acceptance Testing
+description: "Acceptance Testing pipeline"
+
+inputs:
+  tf_debug:
+    description: "enable terraform debug logs"
+    default: 'false'
+    required: true
+
+  test_timeout_string:
+    description: "string that determines the timeout (default: 45m)"
+    default: '90m'
+    required: true
+
+  go-version:
+    description: "go version to install"
+    default: '1.25'
+    required: true
+
+  project_id:
+    description: "STACKIT project ID for tests"
+    required: true
+
+  project_user_email:
+    required: true
+    description: "project user email for acc testing"
+
+  tf_acc_kek_key_id:
+    description: "KEK key ID"
+    required: true
+
+  tf_acc_kek_key_ring_id:
+    description: "KEK key ring ID"
+    required: true
+
+  tf_acc_kek_key_version:
+    description: "KEK key version"
+    required: true
+
+  tf_acc_kek_service_account:
+    description: "KEK service account email"
+    required: true
+
+  region:
+    description: "STACKIT region for tests"
+    default: 'eu01'
+    required: true
+
+  service_account_json_content:
+    description: "STACKIT service account JSON file contents"
+    required: true
+    default: ""
+
+  service_account_json_content_b64:
+    description: "STACKIT service account JSON file contents"
+    required: true
+    default: ""
+
+  service_account_json_file_path:
+    description: "STACKIT service account JSON file contents"
+    required: true
+    default: 'service_account.json'
+
+  test_file:
+    description: "testfile to run"
+    default: ''
+
+
+#outputs:
+#  random-number:
+#    description: "Random number"
+#    value: ${{ steps.random-number-generator.outputs.random-number }}
+
+runs:
+  using: "composite"
+  steps:
+#    - name: Random Number Generator
+#      id: random-number-generator
+#      run: echo "random-number=$(echo $RANDOM)" >> $GITHUB_OUTPUT
+#      shell: bash
+
+    - name: Install needed tools
+      shell: bash
+      run: |
+        echo "::group::apt install"
+        set -e
+        apt-get -y -qq update >apt_update.log 2>apt_update_err.log
+        if [ $? -ne 0 ]; then
+          cat apt_update.log apt_update_err.log
+        fi
+        apt-get -y -qq install jq python3 python3-pip python-is-python3 s3cmd git make wget >apt_get.log 2>apt_get_err.log
+        if [ $? -ne 0 ]; then
+          cat apt_get.log apt_get_err.log
+        fi
+        echo "::endgroup::"
+
+    - name: Setup JAVA
+      uses: actions/setup-java@v5
+      with:
+        distribution: 'temurin' # See 'Supported distributions' for available options
+        java-version: '21'
+
+    - name: Install Go ${{ inputs.go-version }}
+      uses: actions/setup-go@v6
+      with:
+        # go-version: ${{ inputs.go-version }}
+        check-latest: true
+        go-version-file: 'go.mod'
+
+    - name: Determine GOMODCACHE
+      shell: bash
+      id: goenv
+      run: |
+        set -e
+        echo "gomodcache=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
+
+    - name: Restore cached GO pkg
+      id: cache-gopkg
+      uses: actions/cache/restore@v5
+      with:
+        path: "${{ steps.goenv.outputs.gomodcache }}"
+        key: ${{ runner.os }}-gopkg
+
+    - name: Install go tools
+      if: steps.cache-gopkg.outputs.cache-hit != 'true'
+      shell: bash
+      run: |
+        echo "::group::go install"
+        set -e
+        go mod download
+        go install golang.org/x/tools/cmd/goimports@latest
+        go install github.com/hashicorp/terraform-plugin-codegen-framework/cmd/tfplugingen-framework@latest
+        go install github.com/hashicorp/terraform-plugin-codegen-openapi/cmd/tfplugingen-openapi@latest
+        go install github.com/hashicorp/terraform-plugin-docs/cmd/tfplugindocs@latest
+        go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest
+        echo "::endgroup::"
+    - name: Run go mod tidy
+      shell: bash
+      run: go mod tidy
+
+    - name: Save GO package Cache
+      id: cache-gopkg-save
+      uses: actions/cache/save@v5
+      with:
+        path: |
+          ${{ steps.goenv.outputs.gomodcache }}
+        key: ${{ runner.os }}-gopkg
+
+    - name: Define service account file path variable
+      id: service_account
+      shell: bash
+      run: |
+        echo "safilepath=${PWD}/stackit/${{ inputs.service_account_json_file_path }}" >> "$GITHUB_OUTPUT"
+
+    - name: Creating service_account file from json input
+      if: inputs.service_account_json_content != ''
+      shell: bash
+      run: |
+        echo "::group::create service account file"
+        set -e
+        set -o pipefail
+
+        jsonFile="${{ inputs.service_account_json_file_path }}"
+        jsonFile="${jsonFile:-x}"
+        if [ "${jsonFile}" == "x" ]; then
+          echo "no service account file path provided"
+          exit 1
+        fi
+        
+        if [ ! -f "${jsonFile}" ]; then
+          echo "creating service account file '${{ inputs.service_account_json_file_path }}'"
+          echo "${{ inputs.service_account_json_content }}" > stackit/"${{ inputs.service_account_json_file_path }}"
+        fi
+        ls -l stackit/"${{ inputs.service_account_json_file_path }}"
+        echo "::endgroup::"
+
+    - name: Creating service_account file from base64 json input
+      if: inputs.service_account_json_content_b64 != ''
+      shell: bash
+      run: |
+        echo "::group::create service account file"
+        set -e
+        set -o pipefail
+
+        jsonFile="${{ inputs.service_account_json_file_path }}"
+        jsonFile="${jsonFile:-x}"
+        if [ "${jsonFile}" == "x" ]; then
+          echo "no service account file path provided"
+          exit 1
+        fi
+        
+        if [ ! -f "${jsonFile}" ]; then
+          echo "creating service account file '${{ inputs.service_account_json_file_path }}'"
+          echo "${{ inputs.service_account_json_content_b64 }}" | base64 -d > stackit/"${{ inputs.service_account_json_file_path }}"
+        fi
+        ls -l stackit/"${{ inputs.service_account_json_file_path }}"
+        echo "::endgroup::"
+
+    - name: Run acceptance test file
+      if: ${{ inputs.test_file != '' }}
+      shell: bash
+      run: |
+        echo "::group::go test file"
+        set -e 
+        set -o pipefail
+        
+        if [[ "${{ inputs.tf_debug }}" == "true" ]]; then
+          TF_LOG=INFO
+          export TF_LOG
+        fi
+
+        echo "Running acceptance tests for the terraform provider"
+        cd stackit || exit 1
+        TF_ACC=1 \
+        TF_ACC_PROJECT_ID=${TF_ACC_PROJECT_ID} \
+        TF_ACC_REGION=${TF_ACC_REGION} \
+        TF_ACC_TEST_PROJECT_USER_EMAIL=${TF_ACC_TEST_PROJECT_USER_EMAIL} \
+        TF_ACC_SERVICE_ACCOUNT_FILE="${PWD}/${{ inputs.service_account_json_file_path }}" \
+        TF_ACC_KEK_KEY_ID=${TF_ACC_KEK_KEY_ID} \
+        TF_ACC_KEK_KEY_RING_ID=${TF_ACC_KEK_KEY_RING_ID} \
+        TF_ACC_KEK_KEY_VERSION=${TF_ACC_KEK_KEY_VERSION} \
+        TF_ACC_KEK_SERVICE_ACCOUNT=${TF_ACC_KEK_SERVICE_ACCOUNT} \
+        go test -v ${{ inputs.test_file }} -timeout=${{ inputs.test_timeout_string }}
+        echo "::endgroup::"
+      env:
+        TF_ACC_PROJECT_ID: ${{ inputs.project_id }}
+        TF_ACC_REGION: ${{ inputs.region }}
+        TF_ACC_TEST_PROJECT_USER_EMAIL: ${{ inputs.project_user_email }}
+        TF_ACC_KEK_KEY_ID: ${{ inputs.tf_acc_kek_key_id }}
+        TF_ACC_KEK_KEY_RING_ID: ${{ inputs.tf_acc_kek_key_ring_id }}
+        TF_ACC_KEK_KEY_VERSION: ${{ inputs.tf_acc_kek_key_version }}
+        TF_ACC_KEK_SERVICE_ACCOUNT: ${{ inputs.tf_acc_kek_service_account }}
+
+# does not work correctly
+#    - name: Run test action
+#      if: ${{ inputs.test_file == '' }}
+#      env:
+#        TF_ACC: 1
+#        TF_ACC_PROJECT_ID: ${{ inputs.project_id }}
+#        TF_ACC_REGION: ${{ inputs.region }}
+#        TF_ACC_TEST_PROJECT_USER_EMAIL: ${{ inputs.project_user_email }}
+#        TF_ACC_KEK_KEY_ID: ${{ inputs.tf_acc_kek_key_id }}
+#        TF_ACC_KEK_KEY_RING_ID: ${{ inputs.tf_acc_kek_key_ring_id }}
+#        TF_ACC_KEK_KEY_VERSION: ${{ inputs.tf_acc_kek_key_version }}
+#        TF_ACC_KEK_SERVICE_ACCOUNT: ${{ inputs.tf_acc_kek_service_account }}
+#        TF_ACC_SERVICE_ACCOUNT_FILE: ${{ steps.service_account.outputs.safile }}
+#      uses: robherley/go-test-action@v0
+#      with:
+#        testArguments: "./... -timeout ${{ inputs.test_timeout_string }}"
+#        moduleDirectory: "stackit"
+
+    - name: Run acceptance tests
+      if: ${{ inputs.test_file == '' }}
+      shell: bash
+      run: |
+        echo "::group::go test all"
+        set -e
+        set -o pipefail
+
+        if [[ "${{ inputs.tf_debug }}" == "true" ]]; then
+          TF_LOG=INFO
+          export TF_LOG
+        fi
+
+        echo "Running acceptance tests for the terraform provider"
+        cd stackit || exit 1
+        TF_ACC=1 \
+        TF_ACC_PROJECT_ID=${TF_ACC_PROJECT_ID} \
+        TF_ACC_REGION=${TF_ACC_REGION} \
+        TF_ACC_TEST_PROJECT_USER_EMAIL=${TF_ACC_TEST_PROJECT_USER_EMAIL} \
+        TF_ACC_SERVICE_ACCOUNT_FILE="${PWD}/${{ inputs.service_account_json_file_path }}" \
+        TF_ACC_KEK_KEY_ID=${TF_ACC_KEK_KEY_ID} \
+        TF_ACC_KEK_KEY_RING_ID=${TF_ACC_KEK_KEY_RING_ID} \
+        TF_ACC_KEK_KEY_VERSION=${TF_ACC_KEK_KEY_VERSION} \
+        TF_ACC_KEK_SERVICE_ACCOUNT=${TF_ACC_KEK_SERVICE_ACCOUNT} \
+        go test -v ./... -timeout=${{ inputs.test_timeout_string }}
+        echo "::endgroup::"
+      env:
+        TF_ACC_PROJECT_ID: ${{ inputs.project_id }}
+        TF_ACC_REGION: ${{ inputs.region }}
+        TF_ACC_TEST_PROJECT_USER_EMAIL: ${{ inputs.project_user_email }}
+        TF_ACC_KEK_KEY_ID: ${{ inputs.tf_acc_kek_key_id }}
+        TF_ACC_KEK_KEY_RING_ID: ${{ inputs.tf_acc_kek_key_ring_id }}
+        TF_ACC_KEK_KEY_VERSION: ${{ inputs.tf_acc_kek_key_version }}
+        TF_ACC_KEK_SERVICE_ACCOUNT: ${{ inputs.tf_acc_kek_service_account }}
--- a/.github/actions/build/action.yaml
+++ b/.github/actions/build/action.yaml
@ -1,4 +1,3 @@
-
 name: Build
 description: "Build pipeline"
 inputs:
@ -21,25 +20,63 @@ runs:
      run: |
        set -e
        apt-get -y -qq update
-        apt-get -y -qq install jq python3 python3-pip python-is-python3 s3cmd git make wget
+        apt-get -y -qq install jq python3 python3-pip python-is-python3 s3cmd git make wget unzip bc

+    - name: Checkout
+      uses: actions/checkout@v6

    - name: Install Go ${{ inputs.go-version }}
      uses: actions/setup-go@v6
      with:
-        go-version: ${{ inputs.go-version }}
+        # go-version: ${{ inputs.go-version }}
        check-latest: true
        go-version-file: 'go.mod'

+    - name: Determine GOMODCACHE
+      shell: bash
+      id: goenv
+      run: |
+        set -e
+        # echo "::set-output name=gomodcache::$(go env GOMODCACHE)"
+        echo "gomodcache=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
+
+    - name: Restore cached GO pkg
+      id: cache-gopkg
+      uses: actions/cache/restore@v5
+      with:
+        path: "${{ steps.goenv.outputs.gomodcache }}"
+        key: ${{ runner.os }}-gopkg
+
    - name: Install go tools
+      if: steps.cache-gopkg.outputs.cache-hit != 'true'
      shell: bash
      run: |
        set -e
        go install golang.org/x/tools/cmd/goimports@latest
        go install github.com/hashicorp/terraform-plugin-codegen-framework/cmd/tfplugingen-framework@latest
        go install github.com/hashicorp/terraform-plugin-codegen-openapi/cmd/tfplugingen-openapi@latest
-        go install github.com/hashicorp/terraform-plugin-docs/cmd/tfplugindocs@v0.24.0
+        go install github.com/hashicorp/terraform-plugin-docs/cmd/tfplugindocs@latest

+#    - name: Run build pkg directory
+#      shell: bash
+#      run: |
+#        set -e
+#        go run generator/main.go build
+
+    - name: Get all go packages
+      if: steps.cache-gopkg.outputs.cache-hit != 'true'
+      shell: bash
+      run: |
+        set -e
+        go get ./...
+
+    - name: Save Cache
+      id: cache-gopkg-save
+      uses: actions/cache/save@v5
+      with:
+        path: |
+          ${{ steps.goenv.outputs.gomodcache }}
+        key: ${{ runner.os }}-gopkg

    - name: Setup JAVA ${{ inputs.java-distribution }} ${{ inputs.go-version }}
      uses: actions/setup-java@v5
@ -47,16 +84,6 @@ runs:
        distribution: ${{ inputs.java-distribution }} # See 'Supported distributions' for available options
        java-version: ${{ inputs.java-version }}

-    - name: Checkout
-      uses: actions/checkout@v6
-
-    - name: Run build pkg directory
-      shell: bash
-      run: |
-        set -e
-        go run cmd/main.go build
-
-
    - name: Run make to build app
      shell: bash
      run: |
--- a/.github/actions/setup-cache-go/action.yaml
+++ b/.github/actions/setup-cache-go/action.yaml
@ -0,0 +1,71 @@
+name: 'Setup Go and cache dependencies'
+author: 'Forgejo authors, Marcel S. Henselin'
+description: |
+  Wrap the setup-go with improved dependency caching.
+
+inputs:
+  username:
+    description: 'User for which to manage the dependency cache'
+    default: root
+
+  go-version:
+    description: "go version to install"
+    default: '1.25'
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: "Install zstd for faster caching"
+      shell: bash
+      run: |
+        apt-get update -qq
+        apt-get -q install -qq -y zstd
+
+    - name: "Set up Go using setup-go"
+      uses: https://code.forgejo.org/actions/setup-go@v6
+      id: go-version
+      with:
+        # go-version: ${{ inputs.go-version }}
+        check-latest: true # Always check for the latest patch release
+        go-version-file: "go.mod"
+        # do not cache dependencies, we do this manually
+        cache: false
+
+    - name: "Get go environment information"
+      shell: bash
+      id: go-environment
+      run: |
+        chmod 755 $HOME # ensure ${RUN_AS_USER} has permission when go is located in $HOME
+        export GOROOT="$(go env GOROOT)"
+        echo "modcache=$(su ${RUN_AS_USER} -c '${GOROOT}/bin/go env GOMODCACHE')" >> "$GITHUB_OUTPUT"
+        echo "cache=$(su ${RUN_AS_USER} -c '${GOROOT}/bin/go env GOCACHE')" >> "$GITHUB_OUTPUT"
+      env:
+        RUN_AS_USER: ${{ inputs.username }}
+        GO_VERSION: ${{ steps.go-version.outputs.go-version }}
+
+    - name: "Create cache folders with correct permissions (for non-root users)"
+      shell: bash
+      if: inputs.username != 'root'
+      # when the cache is restored, only the permissions of the last part are restored
+      # so assuming that /home/user exists and we are restoring /home/user/go/pkg/mod,
+      # both folders will have the correct permissions, but
+      # /home/user/go and /home/user/go/pkg might be owned by root
+      run: |
+        su ${RUN_AS_USER} -c 'mkdir -p "${MODCACHE_DIR}" "${CACHE_DIR}"'
+      env:
+        RUN_AS_USER: ${{ inputs.username }}
+        MODCACHE_DIR: ${{ steps.go-environment.outputs.modcache }}
+        CACHE_DIR: ${{ steps.go-environment.outputs.cache }}
+
+    - name: "Restore Go dependencies from cache or mark for later caching"
+      id: cache-deps
+      uses: https://code.forgejo.org/actions/cache@v5
+      with:
+        key: setup-cache-go-deps-${{ runner.os }}-${{ inputs.username }}-${{ steps.go-version.outputs.go_version }}-${{ hashFiles('go.sum', 'go.mod') }}
+        restore-keys: |
+          setup-cache-go-deps-${{ runner.os }}-${{ inputs.username }}-${{ steps.go-version.outputs.go_version }}-
+          setup-cache-go-deps-${{ runner.os }}-${{ inputs.username }}-
+        path: |
+          ${{ steps.go-environment.outputs.modcache }}
+          ${{ steps.go-environment.outputs.cache }}
--- a/.github/workflows/ci.yaml.bak
+++ b/.github/workflows/ci.yaml.bak
@ -6,6 +6,11 @@ on:
      - alpha
      - main
  workflow_dispatch:
+  schedule:
+    # every sunday at 00:00
+    # - cron: '0 0 * * 0'
+    # every day at 00:00
+    - cron: '0 0 * * *'
  push:
    branches:
      - '!main'
@ -17,6 +22,39 @@ env:
  CODE_COVERAGE_ARTIFACT_NAME: "code-coverage"

 jobs:
+  runner_test:
+    name: "Test STACKIT runner"
+    runs-on: stackit-docker
+    steps:
+      - name: Install needed tools
+        run: |
+          apt-get -y -qq update
+          apt-get -y -qq install jq python3 python3-pip python-is-python3 s3cmd git make wget
+
+      - name: Setup Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Install go tools
+        run: |
+          go install golang.org/x/tools/cmd/goimports@latest
+          go install github.com/hashicorp/terraform-plugin-codegen-framework/cmd/tfplugingen-framework@latest
+          go install github.com/hashicorp/terraform-plugin-codegen-openapi/cmd/tfplugingen-openapi@latest
+
+      - name: Setup JAVA
+        uses: actions/setup-java@v5
+        with:
+          distribution: 'temurin' # See 'Supported distributions' for available options
+          java-version: '21'
+
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Run build pkg directory
+        run: |
+          go run cmd/main.go build
+
  publish_test:
    name: "Test readiness for publishing provider"
    needs: config
@ -99,20 +137,78 @@ jobs:
              --gpgPubKeyFile=public_key.pem \
              --version=${VERSION}

-
-  main:
-    name: CI
+  testing:
+    name: CI run tests
    runs-on: ubuntu-latest
    needs: config
+    env:
+      TF_ACC_PROJECT_ID: ${{ vars.TF_ACC_PROJECT_ID }}
+      TF_ACC_REGION: ${{ vars.TF_ACC_REGION }}
+      TF_ACC_TEST_PROJECT_SERVICE_ACCOUNT_EMAIL: ${{ vars.TF_ACC_TEST_PROJECT_SERVICE_ACCOUNT_EMAIL }}
+      TF_ACC_SERVICE_ACCOUNT_FILE: "~/service_account.json"
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
-      
+        uses: actions/checkout@v6
+
      - name: Build
        uses: ./.github/actions/build
        with:
          go-version: ${{ env.GO_VERSION }}
-      
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_wrapper: false
+
+      - name: Create service account json file
+        if: ${{ github.event_name == 'pull_request' }}
+        run: |
+          echo "${{ secrets.TF_ACC_SERVICE_ACCOUNT_JSON }}" >~/service_account.json
+
+      - name: Run go mod tidy
+        if: ${{ github.event_name == 'pull_request' }}
+        run: go mod tidy
+
+      - name: Testing
+        run: make test
+
+      - name: Acceptance Testing
+        env:
+          TF_ACC: "1"
+        if: ${{ github.event_name == 'pull_request' }}
+        run: make test-acceptance-tf
+
+      - name: Check coverage threshold
+        shell: bash
+        run: |
+          make coverage
+          COVERAGE=$(go tool cover -func=coverage.out | grep total | awk '{print $3}' | sed 's/%//')
+          echo "Coverage: $COVERAGE%"
+          if (( $(echo "$COVERAGE < 80" | bc -l) )); then
+            echo "Coverage is below 80%"
+            # exit 1
+          fi
+
+      - name: Archive code coverage results
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.CODE_COVERAGE_ARTIFACT_NAME }}
+          path: "stackit/${{ env.CODE_COVERAGE_FILE_NAME }}"
+
+  main:
+    if: ${{ github.event_name != 'schedule' }}
+    name: CI run build and linting
+    runs-on: ubuntu-latest
+    needs: config
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Build
+        uses: ./.github/actions/build
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v2
        with:
@ -130,27 +226,45 @@ jobs:
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v9
        with:
-          version: v2.7
+          version: v2.9
          args: --config=golang-ci.yaml --allow-parallel-runners --timeout=5m
+        continue-on-error: true

-      - name: Lint
+      - name: Linting
        run: make lint
-      
-      - name: Test
-        run: make test
+        continue-on-error: true

-      - name: Archive code coverage results
-        uses: actions/upload-artifact@v4
-        with:
-          name: ${{ env.CODE_COVERAGE_ARTIFACT_NAME }}
-          path: "stackit/${{ env.CODE_COVERAGE_FILE_NAME }}"
+  #      - name: Testing
+  #        run: make test
+  #
+  #      - name: Acceptance Testing
+  #        if: ${{ github.event_name == 'pull_request' }}
+  #        run: make test-acceptance-tf
+  #
+  #      - name: Check coverage threshold
+  #        shell: bash
+  #        run: |
+  #          make coverage
+  #          COVERAGE=$(go tool cover -func=coverage.out | grep total | awk '{print $3}' | sed 's/%//')
+  #          echo "Coverage: $COVERAGE%"
+  #          if (( $(echo "$COVERAGE < 80" | bc -l) )); then
+  #            echo "Coverage is below 80%"
+  #            # exit 1
+  #          fi
+
+  #      - name: Archive code coverage results
+  #        uses: actions/upload-artifact@v4
+  #        with:
+  #          name: ${{ env.CODE_COVERAGE_ARTIFACT_NAME }}
+  #          path: "stackit/${{ env.CODE_COVERAGE_FILE_NAME }}"

  config:
+    if: ${{ github.event_name != 'schedule' }}
    name: Check GoReleaser config
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6

      - name: Check GoReleaser
        uses: goreleaser/goreleaser-action@v6
--- a/.github/workflows/ci_new.yaml
+++ b/.github/workflows/ci_new.yaml
@ -0,0 +1,354 @@
+name: CI Workflow
+
+on:
+  pull_request:
+    types: [ opened, synchronize, reopened ]
+    branches:
+      - alpha
+      - main
+  workflow_dispatch:
+  schedule:
+    # every sunday at 00:00
+    # - cron: '0 0 * * 0'
+    # every day at 00:00
+    - cron: '0 0 * * *'
+  push:
+    branches:
+      - '!main'
+      - '!alpha'
+    paths:
+      - '!.github'
+
+env:
+  GO_VERSION: "1.25"
+  CODE_COVERAGE_FILE_NAME: "coverage.out" # must be the same as in Makefile
+  CODE_COVERAGE_ARTIFACT_NAME: "code-coverage"
+
+jobs:
+  config:
+    if: ${{ github.event_name != 'schedule' }}
+    name: Check GoReleaser config
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Check GoReleaser
+        uses: goreleaser/goreleaser-action@v7
+        with:
+          args: check
+
+  prepare:
+    name: Prepare GO cache
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read        # Required to identify workflow run.
+      checks: write        # Required to add status summary.
+      contents: read       # Required to checkout repository.
+      pull-requests: write # Required to add PR comment.
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Install Go ${{ inputs.go-version }}
+        id: go-install
+        uses: actions/setup-go@v6
+        with:
+          # go-version: ${{ inputs.go-version }}
+          check-latest: true
+          go-version-file: 'go.mod'
+
+      - name: Determine GOMODCACHE
+        shell: bash
+        id: goenv
+        run: |
+          set -e
+          # echo "::set-output name=gomodcache::$(go env GOMODCACHE)"
+          echo "gomodcache=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
+
+      - name: Restore cached GO pkg
+        id: cache-gopkg
+        uses: actions/cache/restore@v5
+        with:
+          path: "${{ steps.goenv.outputs.gomodcache }}"
+          key: ${{ runner.os }}-gopkg
+
+      - name: Install go tools
+        if: steps.cache-gopkg.outputs.cache-hit != 'true'
+        run: |
+          go install golang.org/x/tools/cmd/goimports@latest
+          go install github.com/hashicorp/terraform-plugin-codegen-framework/cmd/tfplugingen-framework@latest
+          go install github.com/hashicorp/terraform-plugin-codegen-openapi/cmd/tfplugingen-openapi@latest
+
+      - name: Get all go packages
+        if: steps.cache-gopkg.outputs.cache-hit != 'true'
+        shell: bash
+        run: |
+          set -e
+          go get ./...
+
+      - name: Save Cache
+        if: steps.cache-gopkg.outputs.cache-hit != 'true'
+        id: cache-gopkg-save
+        uses: actions/cache/save@v5
+        with:
+          path: |
+            ${{ steps.goenv.outputs.gomodcache }}
+          key: ${{ runner.os }}-gopkg
+
+
+  publish_test:
+    name: "Test readiness for publishing provider"
+    needs:
+      - config
+      - prepare
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read        # Required to identify workflow run.
+      checks: write        # Required to add status summary.
+      contents: read       # Required to checkout repository.
+      pull-requests: write # Required to add PR comment.
+    steps:
+      - name: Install needed tools
+        run: |
+          apt-get -y -qq update
+          apt-get -y -qq install jq python3 python3-pip python-is-python3 s3cmd git make wget unzip bc
+
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Setup Go
+        uses: actions/setup-go@v6
+        with:
+          # go-version: ${{ env.GO_VERSION }}
+          check-latest: true
+          go-version-file: 'go.mod'
+
+      - name: Install go tools
+        run: |
+          go install golang.org/x/tools/cmd/goimports@latest
+          go install github.com/hashicorp/terraform-plugin-codegen-framework/cmd/tfplugingen-framework@latest
+          go install github.com/hashicorp/terraform-plugin-codegen-openapi/cmd/tfplugingen-openapi@latest
+
+      - name: Setup JAVA
+        uses: actions/setup-java@v5
+        with:
+          distribution: 'temurin' # See 'Supported distributions' for available options
+          java-version: '21'
+
+#      - name: Run build pkg directory
+#        run: |
+#          go run generator/main.go build
+
+      - name: Set up s3cfg
+        run: |
+          cat <<'EOF' >> ~/.s3cfg
+          [default]
+          host_base = https://object.storage.eu01.onstackit.cloud
+          host_bucket = https://%(bucket).object.storage.eu01.onstackit.cloud
+          check_ssl_certificate = False
+          access_key = ${{ secrets.S3_ACCESS_KEY }}
+          secret_key = ${{ secrets.S3_SECRET_KEY }}
+          EOF
+
+      - name: Import GPG key
+        run: |
+          echo "${{ secrets.PRIVATE_KEY_PEM }}" > ~/private.key.pem
+          gpg --import ~/private.key.pem
+          rm ~/private.key.pem
+
+      - name: Run GoReleaser with SNAPSHOT
+        id: goreleaser
+        env:
+          GITHUB_TOKEN: ${{ env.FORGEJO_TOKEN }}
+          GPG_FINGERPRINT: ${{ secrets.GPG_FINGERPRINT }}
+        uses: goreleaser/goreleaser-action@v7
+        with:
+          args: release --skip publish --clean --snapshot
+
+      - name: Prepare key file
+        run: |
+          echo "${{ secrets.PUBLIC_KEY_PEM }}" >public_key.pem
+
+      - name: Prepare provider directory structure
+        run: |
+          VERSION=$(jq -r .version < dist/metadata.json)
+          go run generator/main.go \
+            publish \
+              --namespace=mhenselin \
+              --providerName=stackitprivatepreview \
+              --repoName=terraform-provider-stackitprivatepreview \
+              --domain=tfregistry.sysops.stackit.rocks \
+              --gpgFingerprint="${{ secrets.GPG_FINGERPRINT }}" \
+              --gpgPubKeyFile=public_key.pem \
+              --version=${VERSION}
+
+  testing:
+    name: CI run tests
+    runs-on: ubuntu-latest
+    needs:
+      - config
+      - prepare
+    env:
+      TF_ACC_PROJECT_ID: ${{ vars.TF_ACC_PROJECT_ID }}
+      TF_ACC_ORGANIZATION_ID: ${{ vars.TF_ACC_ORGANIZATION_ID }}
+      TF_ACC_REGION: ${{ vars.TF_ACC_REGION }}
+      TF_ACC_TEST_PROJECT_SERVICE_ACCOUNT_EMAIL: ${{ vars.TF_ACC_TEST_PROJECT_SERVICE_ACCOUNT_EMAIL }}
+      TF_ACC_SERVICE_ACCOUNT_FILE: "~/service_account.json"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Build
+        uses: ./.github/actions/build
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_wrapper: false
+
+      - name: Create service account json file
+        if: ${{ github.event_name == 'pull_request' }}
+        run: |
+          echo "${{ secrets.TF_ACC_SERVICE_ACCOUNT_JSON }}" >~/.service_account.json
+
+      - name: Run go mod tidy
+        if: ${{ github.event_name == 'pull_request' }}
+        run: go mod tidy
+
+      - name: Testing
+        if: ${{ github.event_name != 'pull_request' }}
+        run: |
+          unset TF_ACC
+          TF_ACC_SERVICE_ACCOUNT_FILE=~/.service_account.json
+          export TF_ACC_SERVICE_ACCOUNT_FILE
+          make test
+
+      - name: Testing with coverage
+        if: ${{ github.event_name == 'pull_request' }}
+        run: |
+          unset TF_ACC
+          TF_ACC_SERVICE_ACCOUNT_FILE=~/.service_account.json
+          export TF_ACC_SERVICE_ACCOUNT_FILE
+          make coverage
+
+#      - name: Acceptance Testing
+#        env:
+#          TF_ACC: "1"
+#        if: ${{ github.event_name == 'pull_request' }}
+#        run: |
+#          TF_ACC_SERVICE_ACCOUNT_FILE=~/.service_account.json
+#          export TF_ACC_SERVICE_ACCOUNT_FILE
+#          make test-acceptance-tf
+
+#      - name: Run Acceptance Test
+#        if: ${{ github.event_name == 'pull_request' }}
+#        uses: ./.github/actions/acc_test
+#        with:
+#          go-version: ${{ env.GO_VERSION }}
+#          project_id: ${{ vars.TF_ACC_PROJECT_ID }}
+#          region: ${{ vars.TF_ACC_REGION }}
+#          service_account_json_content_b64: "${{ secrets.TF_ACC_SERVICE_ACCOUNT_JSON_B64 }}"
+#          project_user_email: ${{ vars.TEST_PROJECT_USER_EMAIL }}
+#          tf_acc_kek_key_id: ${{ vars.TF_ACC_KEK_KEY_ID }}
+#          tf_acc_kek_key_ring_id: ${{ vars.TF_ACC_KEK_KEY_RING_ID }}
+#          tf_acc_kek_key_version: ${{ vars.TF_ACC_KEK_KEY_VERSION }}
+#          tf_acc_kek_service_account: ${{ vars.TF_ACC_KEK_SERVICE_ACCOUNT }}
+#          # service_account_json_file_path: "~/service_account.json"
+
+      - name: Check coverage threshold
+        shell: bash
+        run: |
+          make coverage
+          COVERAGE=$(go tool cover -func=coverage.out | grep total | awk '{print $3}' | sed 's/%//')
+          echo "Coverage: $COVERAGE%"
+          if (( $(echo "$COVERAGE < 80" | bc -l) )); then
+            echo "Coverage is below 80%"
+            # exit 1
+          fi
+
+      - name: Archive code coverage results
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.CODE_COVERAGE_ARTIFACT_NAME }}
+          path: "stackit/${{ env.CODE_COVERAGE_FILE_NAME }}"
+
+  main:
+    if: ${{ github.event_name != 'schedule' }}
+    name: CI run build and linting
+    runs-on: ubuntu-latest
+    needs:
+      - config
+      - prepare
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+      
+#      - uses: actions/cache@v5
+#        id: cache
+#        with:
+#          path: path/to/dependencies
+#          key: ${{ runner.os }}-${{ hashFiles('**/lockfiles') }}
+
+#      - name: Install Dependencies
+#        if: steps.cache.outputs.cache-hit != 'true'
+#        run: /install.sh
+
+      - name: Build
+        uses: ./.github/actions/build
+        with:
+          go-version: ${{ env.GO_VERSION }}
+      
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_wrapper: false
+
+      - name: "Ensure docs are up-to-date"
+        if: ${{ github.event_name == 'pull_request' }}
+        run: ./scripts/check-docs.sh
+        continue-on-error: true
+
+      - name: "Run go mod tidy"
+        if: ${{ github.event_name == 'pull_request' }}
+        run: go mod tidy
+
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v9
+        with:
+          version: v2.10
+          args: --config=.golang-ci.yaml --allow-parallel-runners --timeout=5m
+        continue-on-error: true
+
+      - name: Linting terraform files
+        run: make lint-tf
+        continue-on-error: true
+
+  code_coverage:
+    name: "Code coverage report"
+    if: github.event_name == 'pull_request' # Do not run when workflow is triggered by push to main branch
+    runs-on: ubuntu-latest
+    needs:
+      - main
+      - prepare
+    permissions:
+      contents: read
+      actions: read  # to download code coverage results from "main" job
+      pull-requests: write # write permission needed to comment on PR
+    steps:
+      - name: Install needed tools
+        shell: bash
+        run: |
+          set -e
+          apt-get -y -qq update
+          apt-get -y -qq install sudo
+
+      - name: Check new code coverage
+        uses: fgrosse/go-coverage-report@v1.2.0
+        continue-on-error: true  # Add this line to prevent pipeline failures in forks
+        with:
+          coverage-artifact-name: ${{ env.CODE_COVERAGE_ARTIFACT_NAME }}
+          coverage-file-name: ${{ env.CODE_COVERAGE_FILE_NAME }}
+          root-package: 'github.com/stackitcloud/terraform-provider-stackit'
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@ -23,7 +23,7 @@ jobs:
        uses: actions/checkout@v6

      - name: Check GoReleaser
-        uses: goreleaser/goreleaser-action@v6
+        uses: goreleaser/goreleaser-action@v7
        with:
          args: check

@ -43,10 +43,15 @@ jobs:
          apt-get -y -qq update
          apt-get -y -qq install jq python3 python3-pip python-is-python3 s3cmd git make wget

+      - name: Checkout
+        uses: actions/checkout@v6
+
      - name: Setup Go
        uses: actions/setup-go@v6
        with:
-          go-version: ${{ env.GO_VERSION }}
+          # go-version: ${{ env.GO_VERSION }}
+          check-latest: true
+          go-version-file: 'go.mod'

      - name: Install go tools
        run: |
@ -60,13 +65,6 @@ jobs:
          distribution: 'temurin' # See 'Supported distributions' for available options
          java-version: '21'

-      - name: Checkout
-        uses: actions/checkout@v6
-
-      - name: Run build pkg directory
-        run: |
-          go run cmd/main.go build
-
      - name: Set up s3cfg
        run: |
          cat <<'EOF' >> ~/.s3cfg
@ -90,7 +88,7 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ env.FORGEJO_TOKEN }}
          GPG_FINGERPRINT: ${{ secrets.GPG_FINGERPRINT }}
-        uses: goreleaser/goreleaser-action@v6
+        uses: goreleaser/goreleaser-action@v7
        with:
          args: release --skip publish --clean --snapshot

@ -100,7 +98,7 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ env.FORGEJO_TOKEN }}
          GPG_FINGERPRINT: ${{ secrets.GPG_FINGERPRINT }}
-        uses: goreleaser/goreleaser-action@v6
+        uses: goreleaser/goreleaser-action@v7
        with:
          args: release --skip publish --clean

@ -111,7 +109,7 @@ jobs:
      - name: Prepare provider directory structure
        run: |
          VERSION=$(jq -r .version < dist/metadata.json)
-          go run cmd/main.go \
+          go run generator/main.go \
            publish \
              --namespace=mhenselin \
              --providerName=stackitprivatepreview \
@ -121,9 +119,29 @@ jobs:
              --gpgPubKeyFile=public_key.pem \
              --version=${VERSION}

+      - name: Prepare documentation nav file
+        run: |
+          go run generator/main.go \
+            docs \
+            --outFile nav.md
+
      - name: Publish provider to S3
        run: |
          set -e
          cd release/
          s3cmd put --recursive v1 s3://terraform-provider-privatepreview/
          s3cmd put --recursive .well-known s3://terraform-provider-privatepreview/
+
+      - name: Import SSH key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.DOCS_UPLOAD_SSH_KEY }}" > ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
+
+      - name: Upload docs via scp
+        run: |
+          set -e
+          ssh -o StrictHostKeyChecking=no ubuntu@${{ vars.DOCS_SERVER_IP }} 'rm -rf /srv/www/docs'
+          echo "${{ github.ref_name }}" >docs/_version.txt
+          scp -o StrictHostKeyChecking=no -r docs ubuntu@${{ vars.DOCS_SERVER_IP }}:/srv/www/
+          scp -o StrictHostKeyChecking=no nav.md ubuntu@${{ vars.DOCS_SERVER_IP }}:/srv/www/
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -18,21 +18,23 @@ jobs:
  goreleaser:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
        with:
          # Allow goreleaser to access older tag information.
          fetch-depth: 0
-      - uses: actions/setup-go@v5
+
+      - uses: https://code.forgejo.org/actions/setup-go@v6
        with:
          go-version-file: "go.mod"
          cache: true
+
      - name: Import GPG key
        uses: crazy-max/ghaction-import-gpg@v6
        id: import_gpg
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v6
+        uses: goreleaser/goreleaser-action@v7
        with:
          args: release --clean
        env:
--- a/.github/workflows/renovate.yaml
+++ b/.github/workflows/renovate.yaml
@ -11,9 +11,11 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
+
      - name: Self-hosted Renovate
-        uses: renovatebot/github-action@v41.0.0
+        uses: renovatebot/github-action@v46.1.4
        with:
          configurationFile: .github/renovate.json
-          token: ${{ secrets.RENOVATE_TOKEN }}
+          # token: ${{ secrets.RENOVATE_TOKEN }}
+          token: ${{ env.FORGEJO_TOKEN }}
--- a/.github/workflows/runnerstats.yaml
+++ b/.github/workflows/runnerstats.yaml
@ -0,0 +1,29 @@
+name: Runner stats
+
+on:
+  workflow_dispatch:
+
+jobs:
+  stats-own:
+    name: "Get own runner stats"
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install needed tools
+        run: |
+          apt-get -y -qq update
+          apt-get -y -qq install inxi
+
+      - name: Show stats
+        run: inxi -c 0
+
+  stats-stackit:
+    name: "Get STACKIT runner stats"
+    runs-on: stackit-docker
+    steps:
+      - name: Install needed tools
+        run: |
+          apt-get -y -qq update
+          apt-get -y -qq install inxi
+
+      - name: Show stats
+        run: inxi -c 0
--- a/.github/workflows/tf-acc-test.yaml
+++ b/.github/workflows/tf-acc-test.yaml
@ -1,27 +1,60 @@
 name: TF Acceptance Tests Workflow

 on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+    branches:
+      - alpha
+      - main
  push:
    branches:
      - master
  workflow_dispatch:
+    inputs:
+      enable_debug:
+        description: "enable terraform debug logs"
+        default: 'false'
+        required: true
+      test_timeout_string:
+        description: "string that determines the timeout (default: 45m)"
+        default: '90m'
+        required: true

 jobs:
-  main:
+  acc_test:
    name: Acceptance Tests
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Install project tools and dependencies
-        run: make project-tools
-      - name: Run tests
-        run: |
-          make test-acceptance-tf TF_ACC_PROJECT_ID=$${{ secrets.TF_ACC_PROJECT_ID }} TF_ACC_ORGANIZATION_ID=$${{ secrets.TF_ACC_ORGANIZATION_ID }} TF_ACC_REGION="eu01"
-        env:
-          STACKIT_SERVICE_ACCOUNT_TOKEN: ${{ secrets.TF_ACC_SERVICE_ACCOUNT_TOKEN }}
-          TF_ACC_TEST_PROJECT_SERVICE_ACCOUNT_EMAIL: ${{ secrets.TF_ACC_TEST_PROJECT_SERVICE_ACCOUNT_EMAIL }}
-          TF_ACC_TEST_PROJECT_SERVICE_ACCOUNT_TOKEN: ${{ secrets.TF_ACC_TEST_PROJECT_SERVICE_ACCOUNT_TOKEN }}
-          TF_ACC_TEST_PROJECT_PARENT_CONTAINER_ID: ${{ secrets.TF_ACC_TEST_PROJECT_PARENT_CONTAINER_ID }}
-          TF_ACC_TEST_PROJECT_PARENT_UUID: ${{ secrets.TF_ACC_TEST_PROJECT_PARENT_UUID }}
-          TF_ACC_TEST_PROJECT_USER_EMAIL: ${{ secrets.TF_ACC_TEST_PROJECT_USER_EMAIL }}
+        uses: actions/checkout@v6
+
+      - name: Run Test (workflow dispatch)
+        if: ${{ github.event_name == 'workflow_dispatch' }}
+        uses: ./.github/actions/acc_test
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          project_id: ${{ vars.TF_ACC_PROJECT_ID }}
+          region: 'eu01'
+          service_account_json_content_b64: "${{ secrets.TF_ACC_SERVICE_ACCOUNT_JSON_B64 }}"
+          project_user_email: ${{ vars.TEST_PROJECT_USER_EMAIL }}
+          tf_acc_kek_key_id: ${{ vars.TF_ACC_KEK_KEY_ID }}
+          tf_acc_kek_key_ring_id: ${{ vars.TF_ACC_KEK_KEY_RING_ID }}
+          tf_acc_kek_key_version: ${{ vars.TF_ACC_KEK_KEY_VERSION }}
+          tf_acc_kek_service_account: ${{ vars.TF_ACC_KEK_SERVICE_ACCOUNT }}
+          tf_debug: ${{ inputs.enable_debug }}
+          test_timeout_string: ${{ inputs.test_timeout_string }}
+
+      - name: Run Test (automatic)
+        if: ${{ github.event_name != 'workflow_dispatch' }}
+        uses: ./.github/actions/acc_test
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          project_id: ${{ vars.TF_ACC_PROJECT_ID }}
+          region: 'eu01'
+          service_account_json_content_b64: "${{ secrets.TF_ACC_SERVICE_ACCOUNT_JSON_B64 }}"
+          project_user_email: ${{ vars.TEST_PROJECT_USER_EMAIL }}
+          tf_acc_kek_key_id: ${{ vars.TF_ACC_KEK_KEY_ID }}
+          tf_acc_kek_key_ring_id: ${{ vars.TF_ACC_KEK_KEY_RING_ID }}
+          tf_acc_kek_key_version: ${{ vars.TF_ACC_KEK_KEY_VERSION }}
+          tf_acc_kek_service_account: ${{ vars.TF_ACC_KEK_SERVICE_ACCOUNT }}
+          tf_debug: ${{ inputs.enable_debug }}
--- a/.gitignore
+++ b/.gitignore
@ -40,8 +40,12 @@ coverage.out
 coverage.html
 generated
 stackit-sdk-generator
+stackit-sdk-generator/**
 dist

 .secrets

 pkg_gen
+/release/
+.env
+**/.env
--- a/.golang-ci.yaml
+++ b/.golang-ci.yaml
@ -1,7 +1,13 @@
-
 version: "2"
 run:
  concurrency: 4
+output:
+  formats:
+    text:
+      print-linter-name: true
+      print-issued-lines: true
+      colors: true
+      path: stdout
 linters:
  enable:
    - bodyclose
@ -23,7 +29,8 @@ linters:
    depguard:
      rules:
        main:
-          list-mode: lax
+          list-mode: original
+          allow: []
          deny:
            - pkg: github.com/stretchr/testify
              desc: Do not use a testing framework
@ -63,13 +70,17 @@ linters:
        - name: empty-lines
        - name: early-return
  exclusions:
-    generated: lax
    paths:
-      - third_party$
-      - builtin$
-      - examples$
-      - tools/copy.go
-      - tools/main.go
+      - generator/
+      - internal/testutils
+    generated: lax
+    warn-unused: true
+    # Excluding configuration per-path, per-linter, per-text and per-source.
+    rules:
+      # Exclude some linters from running on tests files.
+        - path: _test\.go
+          linters:
+            - gochecknoinits
 formatters:
  enable:
    - gofmt
@ -77,10 +88,4 @@ formatters:
  settings:
    goimports:
      local-prefixes:
-        - github.com/freiheit-com/nmww
-  exclusions:
-    generated: lax
-    paths:
-      - third_party$
-      - builtin$
-      - examples$
+        - tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@ -19,20 +19,20 @@ builds:
  ldflags:
    - '-s -w -X main.version={{.Version}} -X main.commit={{.Commit}}'
  goos:
-#    - freebsd
-#    - windows
+    - freebsd
+    - windows
    - linux
    - darwin
  goarch:
    - amd64
-#    - '386'
-#    - arm
+    - '386'
+    - arm
    - arm64
-#  ignore:
-#    - goos: darwin
-#      goarch: '386'
-#    - goos: windows
-#      goarch: arm
+  ignore:
+    - goos: darwin
+      goarch: '386'
+    - goos: windows
+      goarch: arm
  binary: '{{ .ProjectName }}_v{{ .Version }}'
 archives:
 - formats: [ 'zip' ]
--- a/16
+++ b/16
@ -12,17 +12,20 @@ project-tools:
 # LINT
 lint-golangci-lint:
 	@echo "Linting with golangci-lint"
-	@$(SCRIPTS_BASE)/lint-golangci-lint.sh
+	@go run github.com/golangci/golangci-lint/v2/cmd/golangci-lint run --fix --config .golang-ci.yaml

-lint-tf: 
+
+lint-tf:
 	@echo "Linting terraform files"
-	@terraform fmt -check -diff -recursive
+	@terraform fmt -check -diff -recursive examples/
+	@terraform fmt -check -diff -recursive stackit/

 lint: lint-golangci-lint lint-tf

 # DOCUMENTATION GENERATION
 generate-docs:
 	@echo "Generating documentation with tfplugindocs"
+
 	@$(SCRIPTS_BASE)/tfplugindocs.sh

 build:
@ -34,15 +37,16 @@ fmt:
 	@terraform fmt -diff -recursive

 # TEST
+.PHONY: test coverage
 test:
 	@echo "Running tests for the terraform provider"
-	@cd $(ROOT_DIR)/stackit && go test ./... -count=1 -coverprofile=coverage.out && cd $(ROOT_DIR)
+	@cd $(ROOT_DIR)/stackit && go test -timeout 0 ./... -count=1 -coverprofile=../coverage.out && cd $(ROOT_DIR)

 # Test coverage
 coverage:
 	@echo ">> Creating test coverage report for the terraform provider"
-	@cd $(ROOT_DIR)/stackit && (go test ./... -count=1 -coverprofile=coverage.out || true) && cd $(ROOT_DIR)
-	@cd $(ROOT_DIR)/stackit && go tool cover -html=coverage.out -o coverage.html && cd $(ROOT_DIR)
+	@cd $(ROOT_DIR)/stackit && (go test -timeout 0 ./... -count=1 -coverprofile=../coverage.out || true) && cd $(ROOT_DIR)
+	@cd $(ROOT_DIR)/stackit && go tool cover -html=../coverage.out -o ../coverage.html && cd $(ROOT_DIR)

 test-acceptance-tf:
 	@if [ -z $(TF_ACC_PROJECT_ID) ]; then echo "Input TF_ACC_PROJECT_ID missing"; exit 1; fi
--- a/README.md
+++ b/README.md
@ -1,15 +1,14 @@
 <div align="center">
-<br>
 <img src=".github/images/stackit-logo.svg" alt="STACKIT logo" width="50%"/>
-<br>
-<br>
 </div>

-# STACKIT Terraform Provider
+# STACKIT Terraform Provider <br />(PRIVATE PREVIEW)

-[![Go Report Card](https://goreportcard.com/badge/github.com/stackitcloud/terraform-provider-stackit)](https://goreportcard.com/report/github.com/stackitcloud/terraform-provider-stackit) [![GitHub Release](https://img.shields.io/github/v/release/stackitcloud/terraform-provider-stackit)](https://registry.terraform.io/providers/stackitcloud/stackit/latest) ![GitHub go.mod Go version](https://img.shields.io/github/go-mod/go-version/stackitcloud/terraform-provider-stackit) [![GitHub License](https://img.shields.io/github/license/stackitcloud/terraform-provider-stackit)](https://www.apache.org/licenses/LICENSE-2.0)
+[![GitHub Release](https://img.shields.io/github/v/release/stackitcloud/terraform-provider-stackit)](https://registry.terraform.io/providers/stackitcloud/stackit/latest) ![GitHub go.mod Go version](https://img.shields.io/github/go-mod/go-version/stackitcloud/terraform-provider-stackit) [![GitHub License](https://img.shields.io/github/license/stackitcloud/terraform-provider-stackit)](https://www.apache.org/licenses/LICENSE-2.0)

-This project is the official [Terraform Provider](https://registry.terraform.io/providers/stackitcloud/stackit/latest/docs) for [STACKIT](https://www.stackit.de/en/), which allows you to manage STACKIT resources through Terraform.
+This project is the **NOT** official [Terraform Provider](https://registry.terraform.io/providers/stackitcloud/stackit/latest/docs) for [STACKIT](https://www.stackit.de/en/)!
+
+This a **private preview only**, which allows you to manage STACKIT resources through Terraform.

 ## Getting Started

@ -18,26 +17,27 @@ To install the [STACKIT Terraform Provider](https://registry.terraform.io/provid
 ```hcl
 terraform {
  required_providers {
-    stackit = {
-      source = "stackitcloud/stackit"
-      version = "X.X.X"
+    stackitprivatepreview = {
+      source  = "tfregistry.sysops.stackit.rocks/mhenselin/stackitprivatepreview"
+      version = ">= 0.1.0"
    }
  }
 }

-provider "stackit" {
+provider "stackitprivatepreview" {
  # Configuration options
 }
 ```

 Check one of the examples in the [examples](examples/) folder.

+<big font-size="3rem">TODO: revise the following sections</big>
+
 ## Authentication

 To authenticate, you will need a [service account](https://docs.stackit.cloud/platform/access-and-identity/service-accounts/). Create it in the [STACKIT Portal](https://portal.stackit.cloud/) and assign the necessary permissions to it, e.g. `project.owner`. There are multiple ways to authenticate:

 - Key flow (recommended)
- Token flow (is scheduled for deprecation and will be removed on December 17, 2025.)

 When setting up authentication, the provider will always try to use the key flow first and search for credentials in several locations, following a specific order:

@ -51,7 +51,6 @@ When setting up authentication, the provider will always try to use the key flow

   ```json
   {
-     "STACKIT_SERVICE_ACCOUNT_TOKEN": "foo_token",
     "STACKIT_SERVICE_ACCOUNT_KEY_PATH": "path/to/sa_key.json"
   }
   ```
@ -70,35 +69,41 @@ To configure the key flow, follow this steps:

 1.  Create a service account key:

- Use the [STACKIT Portal](https://portal.stackit.cloud/): go to the `Service Accounts` tab, choose a `Service Account` and go to `Service Account Keys` to create a key. For more details, see [Create a service account key](https://docs.stackit.cloud/platform/access-and-identity/service-accounts/how-tos/manage-service-account-keys/)
+   - Use the [STACKIT Portal](https://portal.stackit.cloud/): go to the `Service Accounts` tab, choose a `Service Account` and go to `Service Account Keys` to create a key. For more details, see [Create a service account key](https://docs.stackit.cloud/platform/access-and-identity/service-accounts/how-tos/manage-service-account-keys/)

 2.  Save the content of the service account key by copying it and saving it in a JSON file.

    The expected format of the service account key is a **JSON** with the following structure:

-```json
-{
-  "id": "uuid",
-  "publicKey": "public key",
-  "createdAt": "2023-08-24T14:15:22Z",
-  "validUntil": "2023-08-24T14:15:22Z",
-  "keyType": "USER_MANAGED",
-  "keyOrigin": "USER_PROVIDED",
-  "keyAlgorithm": "RSA_2048",
-  "active": true,
-  "credentials": {
-    "kid": "string",
-    "iss": "my-sa@sa.stackit.cloud",
-    "sub": "uuid",
-    "aud": "string",
-    (optional) "privateKey": "private key when generated by the SA service"
-  }
-}
-```
+    ```json
+    {
+      "id": "uuid",
+      "publicKey": "public key",
+      "createdAt": "2023-08-24T14:15:22Z",
+      "validUntil": "2023-08-24T14:15:22Z",
+      "keyType": "USER_MANAGED",
+      "keyOrigin": "USER_PROVIDED",
+      "keyAlgorithm": "RSA_2048",
+      "active": true,
+      "credentials": {
+        "kid": "string",
+        "iss": "my-sa@sa.stackit.cloud",
+        "sub": "uuid",
+        "aud": "string",
+        (optional) "privateKey": "private key when generated by the SA service"
+      }
+    }
+    ```

 3. Configure the service account key for authentication in the provider by following one of the alternatives below:

   - setting the fields in the provider block: `service_account_key` or `service_account_key_path`
+     ```hcl
+     provider "stackitprivatepreview" {
+        default_region           = "eu01"
+        service_account_key_path = "../service_account.json"
+     }
+     ```
   - setting the environment variable: `STACKIT_SERVICE_ACCOUNT_KEY_PATH` or `STACKIT_SERVICE_ACCOUNT_KEY`
     - ensure the set the service account key in `STACKIT_SERVICE_ACCOUNT_KEY` is correctly formatted. Use e.g.
       `$ export STACKIT_SERVICE_ACCOUNT_KEY=$(cat ./service-account-key.json)`
@ -110,16 +115,6 @@ To configure the key flow, follow this steps:
 > - setting the environment variable: `STACKIT_PRIVATE_KEY_PATH` or `STACKIT_PRIVATE_KEY`
 > - setting `STACKIT_PRIVATE_KEY_PATH` in the credentials file (see above)

-### Token flow
-
-> Is scheduled for deprecation and will be removed on December 17, 2025.
-
-Using this flow is less secure since the token is long-lived. You can provide the token in several ways:
-
-1. Setting the field `service_account_token` in the provider
-2. Setting the environment variable `STACKIT_SERVICE_ACCOUNT_TOKEN`
-3. Setting it in the credentials file (see above)
-
 ## Backend configuration

 To keep track of your terraform state, you can configure an [S3 backend](https://developer.hashicorp.com/terraform/language/settings/backends/s3) using [STACKIT Object Storage](https://docs.stackit.cloud/products/storage/object-storage).
@ -149,62 +144,6 @@ terraform {

 Note: AWS specific checks must be skipped as they do not work on STACKIT. For details on what those validations do, see [here](https://developer.hashicorp.com/terraform/language/settings/backends/s3#configuration).

-## Opting into Beta Resources
-
-To use beta resources in the STACKIT Terraform provider, follow these steps:
-
-1. **Provider Configuration Option**
-
-   Set the `enable_beta_resources` option in the provider configuration. This is a boolean attribute that can be either `true` or `false`.
-
-   ```hcl
-   provider "stackit" {
-     default_region        = "eu01"
-     enable_beta_resources = true
-   }
-   ```
-
-2. **Environment Variable**
-
-   Set the `STACKIT_TF_ENABLE_BETA_RESOURCES` environment variable to `"true"` or `"false"`. Other values will be ignored and will produce a warning.
-
-   ```sh
-   export STACKIT_TF_ENABLE_BETA_RESOURCES=true
-   ```
-
-> **Note**: The environment variable takes precedence over the provider configuration option. This means that if the `STACKIT_TF_ENABLE_BETA_RESOURCES` environment variable is set to a valid value (`"true"` or `"false"`), it will override the `enable_beta_resources` option specified in the provider configuration.
-
-For more details, please refer to the [beta resources configuration guide](https://registry.terraform.io/providers/stackitcloud/stackit/latest/docs/guides/opting_into_beta_resources).
-
-## Opting into Experiments
-
-Experiments are features that are even less mature and stable than Beta Resources. While there is some assumed stability in beta resources, will have to expect breaking changes while using experimental resources. Experimental Resources do not come with any support or warranty.
-
-To enable experiments set the experiments field in the provider definition:
-
-```hcl
-provider "stackit" {
-  default_region        = "eu01"
-  experiments           = ["iam", "routing-tables", "network"]
-}
-```
-
-### Available Experiments
-
-#### `iam`
-
-Enables IAM management features in the Terraform provider. The underlying IAM API is expected to undergo a redesign in the future, which leads to it being considered experimental.
-
-#### `routing-tables`
-
-This feature enables experimental routing table capabilities in the Terraform Provider, available only to designated SNAs at this time.
-
-#### `network`
-
-The `stackit_network` provides the fields `region` and `routing_table_id` when the experiment flag `network` is set. 
-The underlying API is not stable yet and could change in the future.  
-If you don't need these fields, don't set the experiment flag `network`, to use the stable api.
-
 ## Acceptance Tests

 > [!WARNING]
--- a/cmd/cmd/build/build.go
+++ b/cmd/cmd/build/build.go
@ -1,737 +0,0 @@
-package build
-
-import (
-	"bytes"
-	"errors"
-	"fmt"
-	"io"
-	"log"
-	"log/slog"
-	"os"
-	"os/exec"
-	"path"
-	"path/filepath"
-	"regexp"
-	"strconv"
-	"strings"
-	"text/template"
-
-	"github.com/ldez/go-git-cmd-wrapper/v2/clone"
-	"github.com/ldez/go-git-cmd-wrapper/v2/git"
-)
-
-const (
-	OAS_REPO_NAME = "stackit-api-specifications"
-	OAS_REPO      = "https://github.com/stackitcloud/stackit-api-specifications.git"
-	GEN_REPO_NAME = "stackit-sdk-generator"
-	GEN_REPO      = "https://github.com/stackitcloud/stackit-sdk-generator.git"
-)
-
-type version struct {
-	verString string
-	major     int
-	minor     int
-}
-
-func Build() error {
-	slog.Info("Starting Builder")
-	root, err := getRoot()
-	if err != nil {
-		log.Fatal(err)
-	}
-	if root == nil || *root == "" {
-		return fmt.Errorf("unable to determine root directory from git")
-	}
-	slog.Info("Using root directory", "dir", *root)
-
-	slog.Info("Cleaning up old generator directory")
-	err = os.RemoveAll(path.Join(*root, GEN_REPO_NAME))
-	if err != nil {
-		return err
-	}
-
-	slog.Info("Cleaning up old packages directory")
-	err = os.RemoveAll(path.Join(*root, "pkg_gen"))
-	if err != nil {
-		return err
-	}
-
-	slog.Info("Creating generator dir", "dir", fmt.Sprintf("%s/%s", *root, GEN_REPO_NAME))
-	genDir, err := createGeneratorDir(*root, GEN_REPO, GEN_REPO_NAME)
-	if err != nil {
-		return err
-	}
-
-	slog.Info("Creating oas dir", "dir", fmt.Sprintf("%s/%s", *root, OAS_REPO_NAME))
-	repoDir, err := createRepoDir(genDir, OAS_REPO, OAS_REPO_NAME)
-	if err != nil {
-		return fmt.Errorf("%s", err.Error())
-	}
-
-	slog.Info("Retrieving versions from subdirs")
-	// TODO - major
-	verMap, err := getVersions(repoDir)
-	if err != nil {
-		return fmt.Errorf("%s", err.Error())
-	}
-
-	slog.Info("Reducing to only latest or highest")
-	res, err := getOnlyLatest(verMap)
-	if err != nil {
-		return fmt.Errorf("%s", err.Error())
-	}
-
-	slog.Info("Creating OAS dir")
-	err = os.MkdirAll(path.Join(genDir, "oas"), 0755)
-	if err != nil {
-		return err
-	}
-
-	slog.Info("Copying OAS files")
-	for service, item := range res {
-		baseService := strings.TrimSuffix(service, "alpha")
-		baseService = strings.TrimSuffix(baseService, "beta")
-		itemVersion := fmt.Sprintf("v%d%s", item.major, item.verString)
-		if item.minor != 0 {
-			itemVersion = itemVersion + "" + strconv.Itoa(item.minor)
-		}
-		srcFile := path.Join(
-			repoDir,
-			"services",
-			baseService,
-			itemVersion,
-			fmt.Sprintf("%s.json", baseService),
-		)
-		dstFile := path.Join(genDir, "oas", fmt.Sprintf("%s.json", service))
-		_, err = copyFile(srcFile, dstFile)
-		if err != nil {
-			return fmt.Errorf("%s", err.Error())
-		}
-	}
-
-	slog.Info("Cleaning up", "dir", repoDir)
-	err = os.RemoveAll(filepath.Dir(repoDir))
-	if err != nil {
-		return fmt.Errorf("%s", err.Error())
-	}
-
-	slog.Info("Changing dir", "dir", genDir)
-	err = os.Chdir(genDir)
-	if err != nil {
-		return err
-	}
-
-	slog.Info("Calling make", "command", "generate-go-sdk")
-	cmd := exec.Command("make", "generate-go-sdk")
-	var stdOut, stdErr bytes.Buffer
-	cmd.Stdout = &stdOut
-	cmd.Stderr = &stdErr
-
-	if err = cmd.Start(); err != nil {
-		slog.Error("cmd.Start", "error", err)
-		return err
-	}
-
-	if err = cmd.Wait(); err != nil {
-		var exitErr *exec.ExitError
-		if errors.As(err, &exitErr) {
-			slog.Error("cmd.Wait", "code", exitErr.ExitCode(), "error", err, "stdout", stdOut.String(), "stderr", stdErr.String())
-			return fmt.Errorf("%s", stdErr.String())
-		}
-		if err != nil {
-			slog.Error("cmd.Wait", "err", err)
-			return err
-		}
-	}
-
-	slog.Info("Cleaning up go.mod and go.sum files")
-	cleanDir := path.Join(genDir, "sdk-repo-updated", "services")
-	dirEntries, err := os.ReadDir(cleanDir)
-	if err != nil {
-		return err
-	}
-	for _, entry := range dirEntries {
-		if entry.IsDir() {
-			err = deleteFiles(
-				path.Join(cleanDir, entry.Name(), "go.mod"),
-				path.Join(cleanDir, entry.Name(), "go.sum"),
-			)
-			if err != nil {
-				return err
-			}
-		}
-	}
-
-	slog.Info("Changing dir", "dir", *root)
-	err = os.Chdir(*root)
-	if err != nil {
-		return err
-	}
-
-	slog.Info("Rearranging package directories")
-	err = os.MkdirAll(path.Join(*root, "pkg_gen"), 0755) // noqa:gosec
-	if err != nil {
-		return err
-	}
-	srcDir := path.Join(genDir, "sdk-repo-updated", "services")
-	items, err := os.ReadDir(srcDir)
-	if err != nil {
-		return err
-	}
-	for _, item := range items {
-		if item.IsDir() {
-			slog.Info(" -> package", "name", item.Name())
-			tgtDir := path.Join(*root, "pkg_gen", item.Name())
-			// no backup needed as we generate new
-			//bakName := fmt.Sprintf("%s.%s", item.Name(), time.Now().Format("20060102-150405"))
-			//if _, err = os.Stat(tgtDir); !os.IsNotExist(err) {
-			//	err = os.Rename(
-			//		tgtDir,
-			//		path.Join(*root, "pkg", bakName),
-			//	)
-			//	if err != nil {
-			//		return err
-			//	}
-			//}
-			err = os.Rename(path.Join(srcDir, item.Name()), tgtDir)
-			if err != nil {
-				return err
-			}
-
-			// wait is placed outside now
-			//if _, err = os.Stat(path.Join(*root, "pkg", bakName, "wait")); !os.IsNotExist(err) {
-			//	slog.Info("    Copying wait subfolder")
-			//	err = os.Rename(path.Join(*root, "pkg", bakName, "wait"), path.Join(tgtDir, "wait"))
-			//	if err != nil {
-			//		return err
-			//	}
-			//}
-		}
-	}
-
-	slog.Info("Checking needed commands available")
-	err = checkCommands([]string{"tfplugingen-framework", "tfplugingen-openapi"})
-	if err != nil {
-		return err
-	}
-
-	slog.Info("Generating service boilerplate")
-	err = generateServiceFiles(*root, path.Join(*root, GEN_REPO_NAME))
-	if err != nil {
-		return err
-	}
-
-	slog.Info("Copying all service files")
-	err = CopyDirectory(
-		path.Join(*root, "generated", "internal", "services"),
-		path.Join(*root, "stackit", "internal", "services"),
-	)
-	if err != nil {
-		return err
-	}
-
-	err = createBoilerplate(*root, path.Join(*root, "stackit", "internal", "services"))
-	if err != nil {
-		return err
-	}
-
-	slog.Info("Finally removing temporary files and directories")
-	//err = os.RemoveAll(path.Join(*root, "generated"))
-	//if err != nil {
-	//	slog.Error("RemoveAll", "dir", path.Join(*root, "generated"), "err", err)
-	//	return err
-	//}
-
-	err = os.RemoveAll(path.Join(*root, GEN_REPO_NAME))
-	if err != nil {
-		slog.Error("RemoveAll", "dir", path.Join(*root, GEN_REPO_NAME), "err", err)
-		return err
-	}
-
-	slog.Info("Done")
-	return nil
-}
-
-type templateData struct {
-	PackageName string
-	NameCamel   string
-	NamePascal  string
-	NameSnake   string
-}
-
-func fileExists(path string) bool {
-	_, err := os.Stat(path)
-	if os.IsNotExist(err) {
-		return false
-	}
-	if err != nil {
-		panic(err)
-	}
-	return true
-}
-
-func createBoilerplate(rootFolder, folder string) error {
-	services, err := os.ReadDir(folder)
-	if err != nil {
-		return err
-	}
-	for _, svc := range services {
-		if !svc.IsDir() {
-			continue
-		}
-		resources, err := os.ReadDir(path.Join(folder, svc.Name()))
-		if err != nil {
-			return err
-		}
-
-		var handleDS bool
-		var handleRes bool
-		var foundDS bool
-		var foundRes bool
-
-		for _, res := range resources {
-			if !res.IsDir() {
-				continue
-			}
-
-			resourceName := res.Name()
-
-			dsFile := path.Join(folder, svc.Name(), res.Name(), "datasources_gen", fmt.Sprintf("%s_data_source_gen.go", res.Name()))
-			handleDS = fileExists(dsFile)
-
-			resFile := path.Join(folder, svc.Name(), res.Name(), "resources_gen", fmt.Sprintf("%s_resource_gen.go", res.Name()))
-			handleRes = fileExists(resFile)
-
-			dsGoFile := path.Join(folder, svc.Name(), res.Name(), "datasource.go")
-			foundDS = fileExists(dsGoFile)
-
-			resGoFile := path.Join(folder, svc.Name(), res.Name(), "resource.go")
-			foundRes = fileExists(resGoFile)
-
-			if handleDS && !foundDS {
-				slog.Info("Creating missing datasource.go", "service", svc.Name(), "resource", resourceName)
-				if !ValidateSnakeCase(resourceName) {
-					return errors.New("resource name is invalid")
-				}
-
-				tplName := "data_source_scaffold.gotmpl"
-				err = writeTemplateToFile(
-					tplName,
-					path.Join(rootFolder, "tools", "templates", tplName),
-					path.Join(folder, svc.Name(), res.Name(), "datasource.go"),
-					&templateData{
-						PackageName: svc.Name(),
-						NameCamel:   ToCamelCase(resourceName),
-						NamePascal:  ToPascalCase(resourceName),
-						NameSnake:   resourceName,
-					},
-				)
-				if err != nil {
-					panic(err)
-				}
-			}
-
-			if handleRes && !foundRes {
-				slog.Info("Creating missing resource.go", "service", svc.Name(), "resource", resourceName)
-				if !ValidateSnakeCase(resourceName) {
-					return errors.New("resource name is invalid")
-				}
-
-				tplName := "resource_scaffold.gotmpl"
-				err = writeTemplateToFile(
-					tplName,
-					path.Join(rootFolder, "tools", "templates", tplName),
-					path.Join(folder, svc.Name(), res.Name(), "resource.go"),
-					&templateData{
-						PackageName: svc.Name(),
-						NameCamel:   ToCamelCase(resourceName),
-						NamePascal:  ToPascalCase(resourceName),
-						NameSnake:   resourceName,
-					},
-				)
-				if err != nil {
-					return err
-				}
-			}
-		}
-	}
-	return nil
-}
-
-func ucfirst(s string) string {
-	if len(s) == 0 {
-		return ""
-	}
-	return strings.ToUpper(s[:1]) + s[1:]
-}
-
-func writeTemplateToFile(tplName, tplFile, outFile string, data *templateData) error {
-	fn := template.FuncMap{
-		"ucfirst": ucfirst,
-	}
-
-	tmpl, err := template.New(tplName).Funcs(fn).ParseFiles(tplFile)
-	if err != nil {
-		return err
-	}
-
-	var f *os.File
-	f, err = os.Create(outFile)
-	if err != nil {
-		return err
-	}
-
-	err = tmpl.Execute(f, *data)
-	if err != nil {
-		return err
-	}
-
-	err = f.Close()
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-func generateServiceFiles(rootDir, generatorDir string) error {
-	// slog.Info("Generating specs folder")
-	err := os.MkdirAll(path.Join(rootDir, "generated", "specs"), 0755)
-	if err != nil {
-		return err
-	}
-
-	specs, err := os.ReadDir(path.Join(rootDir, "service_specs"))
-	if err != nil {
-		return err
-	}
-	for _, spec := range specs {
-		if spec.IsDir() {
-			continue
-		}
-		// slog.Info("Checking spec", "name", spec.Name())
-		r := regexp.MustCompile(`^([a-z-]+)_(.*)_config.yml$`)
-		matches := r.FindAllStringSubmatch(spec.Name(), -1)
-		if matches != nil {
-			fileName := matches[0][0]
-			service := matches[0][1]
-			resource := matches[0][2]
-			slog.Info(
-				"Found service spec",
-				"name",
-				spec.Name(),
-				"service",
-				service,
-				"resource",
-				resource,
-			)
-
-			for _, part := range []string{"alpha", "beta"} {
-				oasFile := path.Join(generatorDir, "oas", fmt.Sprintf("%s%s.json", service, part))
-				if _, err = os.Stat(oasFile); !os.IsNotExist(err) {
-					slog.Info("found matching oas", "service", service, "version", part)
-					scName := fmt.Sprintf("%s%s", service, part)
-					scName = strings.ReplaceAll(scName, "-", "")
-					err = os.MkdirAll(path.Join(rootDir, "generated", "internal", "services", scName, resource), 0755)
-					if err != nil {
-						return err
-					}
-
-					// slog.Info("Generating openapi spec json")
-					specFile := path.Join(rootDir, "generated", "specs", fmt.Sprintf("%s_%s_spec.json", scName, resource))
-
-					var stdOut, stdErr bytes.Buffer
-
-					// noqa:gosec
-					cmd := exec.Command(
-						"tfplugingen-openapi",
-						"generate",
-						"--config",
-						path.Join(rootDir, "service_specs", fileName),
-						"--output",
-						specFile,
-						oasFile,
-					)
-					cmd.Stdout = &stdOut
-					cmd.Stderr = &stdErr
-
-					if err = cmd.Start(); err != nil {
-						slog.Error("tfplugingen-openapi generate", "error", err)
-						return err
-					}
-
-					if err = cmd.Wait(); err != nil {
-						var exitErr *exec.ExitError
-						if errors.As(err, &exitErr) {
-							slog.Error("tfplugingen-openapi generate", "code", exitErr.ExitCode(), "error", err, "stdout", stdOut.String(), "stderr", stdErr.String())
-							return fmt.Errorf("%s", stdErr.String())
-						}
-						if err != nil {
-							slog.Error("tfplugingen-openapi generate", "err", err, "stdout", stdOut.String(), "stderr", stdErr.String())
-							return err
-						}
-					}
-
-					// slog.Info("Creating terraform service resource files folder")
-					tgtFolder := path.Join(rootDir, "generated", "internal", "services", scName, resource, "resources_gen")
-					err = os.MkdirAll(tgtFolder, 0755)
-					if err != nil {
-						return err
-					}
-
-					// slog.Info("Generating terraform service resource files")
-
-					// noqa:gosec
-					cmd2 := exec.Command(
-						"tfplugingen-framework",
-						"generate",
-						"resources",
-						"--input",
-						specFile,
-						"--output",
-						tgtFolder,
-						"--package",
-						scName,
-					)
-
-					cmd2.Stdout = &stdOut
-					cmd2.Stderr = &stdErr
-					if err = cmd2.Start(); err != nil {
-						slog.Error("tfplugingen-framework generate resources", "error", err)
-						return err
-					}
-
-					if err = cmd2.Wait(); err != nil {
-						var exitErr *exec.ExitError
-						if errors.As(err, &exitErr) {
-							slog.Error("tfplugingen-framework generate resources", "code", exitErr.ExitCode(), "error", err, "stdout", stdOut.String(), "stderr", stdErr.String())
-							return fmt.Errorf("%s", stdErr.String())
-						}
-						if err != nil {
-							slog.Error("tfplugingen-framework generate resources", "err", err, "stdout", stdOut.String(), "stderr", stdErr.String())
-							return err
-						}
-					}
-
-					// slog.Info("Creating terraform service datasource files folder")
-					tgtFolder = path.Join(rootDir, "generated", "internal", "services", scName, resource, "datasources_gen")
-					err = os.MkdirAll(tgtFolder, 0755)
-					if err != nil {
-						return err
-					}
-
-					// slog.Info("Generating terraform service resource files")
-
-					// noqa:gosec
-					cmd3 := exec.Command(
-						"tfplugingen-framework",
-						"generate",
-						"data-sources",
-						"--input",
-						specFile,
-						"--output",
-						tgtFolder,
-						"--package",
-						scName,
-					)
-					var stdOut3, stdErr3 bytes.Buffer
-					cmd3.Stdout = &stdOut3
-					cmd3.Stderr = &stdErr3
-
-					if err = cmd3.Start(); err != nil {
-						slog.Error("tfplugingen-framework generate data-sources", "error", err)
-						return err
-					}
-
-					if err = cmd3.Wait(); err != nil {
-						var exitErr *exec.ExitError
-						if errors.As(err, &exitErr) {
-							slog.Error("tfplugingen-framework generate data-sources", "code", exitErr.ExitCode(), "error", err, "stdout", stdOut.String(), "stderr", stdErr.String())
-							return fmt.Errorf("%s", stdErr.String())
-						}
-						if err != nil {
-							slog.Error("tfplugingen-framework generate data-sources", "err", err, "stdout", stdOut.String(), "stderr", stdErr.String())
-							return err
-						}
-					}
-				}
-			}
-		}
-	}
-	return nil
-}
-
-func checkCommands(commands []string) error {
-	for _, commandName := range commands {
-		if !commandExists(commandName) {
-			return fmt.Errorf("missing command %s", commandName)
-		}
-		slog.Info("found", "command", commandName)
-	}
-	return nil
-}
-
-func commandExists(cmd string) bool {
-	_, err := exec.LookPath(cmd)
-	return err == nil
-}
-
-func deleteFiles(fNames ...string) error {
-	for _, fName := range fNames {
-		if _, err := os.Stat(fName); !os.IsNotExist(err) {
-			err = os.Remove(fName)
-			if err != nil {
-				return err
-			}
-		}
-	}
-	return nil
-}
-
-func copyFile(src, dst string) (int64, error) {
-	sourceFileStat, err := os.Stat(src)
-	if err != nil {
-		return 0, err
-	}
-
-	if !sourceFileStat.Mode().IsRegular() {
-		return 0, fmt.Errorf("%s is not a regular file", src)
-	}
-
-	source, err := os.Open(src)
-	if err != nil {
-		return 0, err
-	}
-	defer source.Close()
-
-	destination, err := os.Create(dst)
-	if err != nil {
-		return 0, err
-	}
-	defer destination.Close()
-	nBytes, err := io.Copy(destination, source)
-	return nBytes, err
-}
-
-func getOnlyLatest(m map[string]version) (map[string]version, error) {
-	tmpMap := make(map[string]version)
-	for k, v := range m {
-		item, ok := tmpMap[k]
-		if !ok {
-			tmpMap[k] = v
-		} else {
-			if item.major == v.major && item.minor < v.minor {
-				tmpMap[k] = v
-			}
-		}
-	}
-	return tmpMap, nil
-}
-
-func getVersions(dir string) (map[string]version, error) {
-	res := make(map[string]version)
-	children, err := os.ReadDir(path.Join(dir, "services"))
-	if err != nil {
-		return nil, err
-	}
-
-	for _, entry := range children {
-		if entry.IsDir() {
-			versions, err := os.ReadDir(path.Join(dir, "services", entry.Name()))
-			if err != nil {
-				return nil, err
-			}
-			m, err2 := extractVersions(entry.Name(), versions)
-			if err2 != nil {
-				return m, err2
-			}
-			for k, v := range m {
-				res[k] = v
-			}
-		}
-	}
-	return res, nil
-}
-
-func extractVersions(service string, versionDirs []os.DirEntry) (map[string]version, error) {
-	res := make(map[string]version)
-	for _, vDir := range versionDirs {
-		if vDir.IsDir() {
-			r := regexp.MustCompile(`v([0-9]+)([a-z]+)([0-9]*)`)
-			matches := r.FindAllStringSubmatch(vDir.Name(), -1)
-			if matches == nil {
-				continue
-			}
-			svc, ver, err := handleVersion(service, matches[0])
-			if err != nil {
-				return nil, err
-			}
-
-			if svc != nil && ver != nil {
-				res[*svc] = *ver
-			}
-		}
-	}
-	return res, nil
-}
-
-func handleVersion(service string, match []string) (*string, *version, error) {
-	if match == nil {
-		fmt.Println("no matches")
-		return nil, nil, nil
-	}
-	verString := match[2]
-	if verString != "alpha" && verString != "beta" {
-		return nil, nil, errors.New("unsupported version")
-	}
-	majVer, err := strconv.Atoi(match[1])
-	if err != nil {
-		return nil, nil, err
-	}
-	if match[3] == "" {
-		match[3] = "0"
-	}
-	minVer, err := strconv.Atoi(match[3])
-	if err != nil {
-		return nil, nil, err
-	}
-	resStr := fmt.Sprintf("%s%s", service, verString)
-	return &resStr, &version{verString: verString, major: majVer, minor: minVer}, nil
-}
-
-func createRepoDir(root, repoUrl, repoName string) (string, error) {
-	oasTmpDir, err := os.MkdirTemp(root, "oas-tmp")
-	if err != nil {
-		return "", err
-	}
-	targetDir := path.Join(oasTmpDir, repoName)
-	_, err = git.Clone(
-		clone.Repository(repoUrl),
-		clone.Directory(targetDir),
-	)
-	if err != nil {
-		return "", err
-	}
-	return targetDir, nil
-}
-
-func createGeneratorDir(root, repoUrl, repoName string) (string, error) {
-	targetDir := path.Join(root, repoName)
-	_, err := git.Clone(
-		clone.Repository(repoUrl),
-		clone.Directory(targetDir),
-	)
-	if err != nil {
-		return "", err
-	}
-	return targetDir, nil
-}
-
-func getRoot() (*string, error) {
-	cmd := exec.Command("git", "rev-parse", "--show-toplevel")
-	out, err := cmd.Output()
-	if err != nil {
-		return nil, err
-	}
-	lines := strings.Split(string(out), "\n")
-	return &lines[0], nil
-}
--- a/cmd/cmd/build/templates/data_source_scaffold.gotmpl
+++ b/cmd/cmd/build/templates/data_source_scaffold.gotmpl
@ -1,51 +0,0 @@
-package {{.PackageName}}
-
-import (
-	"context"
-
-	"github.com/hashicorp/terraform-plugin-framework/datasource"
-	"github.com/hashicorp/terraform-plugin-framework/datasource/schema"
-	"github.com/hashicorp/terraform-plugin-framework/types"
-
-    "tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/pkg/{{.PackageName}}"
-
-    {{.PackageName}}Gen "tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/stackit/internal/services/{{.PackageName}}/{{.NameSnake}}/datasources_gen"
-)
-
-var _ datasource.DataSource = (*{{.NameCamel}}DataSource)(nil)
-
-func New{{.NamePascal}}DataSource() datasource.DataSource {
-	return &{{.NameCamel}}DataSource{}
-}
-
-type {{.NameCamel}}DataSource struct{
-	client       *{{.PackageName}}.APIClient
-	providerData core.ProviderData
-}
-
-func (d *{{.NameCamel}}DataSource) Metadata(_ context.Context, req datasource.MetadataRequest, resp *datasource.MetadataResponse) {
-	resp.TypeName = req.ProviderTypeName + "_{{.PackageName}}_{{.NameSnake}}"
-}
-
-func (d *{{.NameCamel}}DataSource) Schema(ctx context.Context, _ datasource.SchemaRequest, resp *datasource.SchemaResponse) {
-	resp.Schema = {{.PackageName}}Gen.{{.NamePascal}}DataSourceSchema(ctx)
-}
-
-func (d *{{.NameCamel}}DataSource) Read(ctx context.Context, req datasource.ReadRequest, resp *datasource.ReadResponse) {
-	var data {{.PackageName}}Gen.{{.NameCamel}}Model
-
-	// Read Terraform configuration data into the model
-	resp.Diagnostics.Append(req.Config.Get(ctx, &data)...)
-
-	if resp.Diagnostics.HasError() {
-		return
-	}
-
-	// Todo: Read API call logic
-
-	// Example data value setting
-	// data.Id = types.StringValue("example-id")
-
-	// Save data into Terraform state
-	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
-}
--- a/cmd/cmd/build/templates/resource_scaffold.gotmpl
+++ b/cmd/cmd/build/templates/resource_scaffold.gotmpl
@ -1,208 +0,0 @@
-package {{.PackageName}}
-
-import (
-	"context"
-
-	"github.com/hashicorp/terraform-plugin-framework/resource"
-	"github.com/hashicorp/terraform-plugin-framework/types"
-
-    "tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/stackit/internal/core"
-    "tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/stackit/internal/utils"
-
-	{{.PackageName}}Gen "tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/stackit/internal/services/{{.PackageName}}/{{.NameSnake}}/resources_gen"
-)
-
-var (
-	_ resource.Resource                = &{{.NameCamel}}Resource{}
-	_ resource.ResourceWithConfigure   = &{{.NameCamel}}Resource{}
-	_ resource.ResourceWithImportState = &{{.NameCamel}}Resource{}
-	_ resource.ResourceWithModifyPlan  = &{{.NameCamel}}Resource{}
-)
-
-func New{{.NamePascal}}Resource() resource.Resource {
-	return &{{.NameCamel}}Resource{}
-}
-
-type {{.NameCamel}}Resource struct{
-	client       *{{.PackageName}}.APIClient
-	providerData core.ProviderData
-}
-
-func (r *{{.NameCamel}}Resource) Metadata(ctx context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) {
-	resp.TypeName = req.ProviderTypeName + "_{{.PackageName}}_{{.NameSnake}}"
-}
-
-func (r *{{.NameCamel}}Resource) Schema(ctx context.Context, req resource.SchemaRequest, resp *resource.SchemaResponse) {
-	resp.Schema = {{.PackageName}}Gen.{{.NamePascal}}ResourceSchema(ctx)
-}
-
-// Configure adds the provider configured client to the resource.
-func (r *{{.NameCamel}}Resource) Configure(
-	ctx context.Context,
-	req resource.ConfigureRequest,
-	resp *resource.ConfigureResponse,
-) {
-	var ok bool
-	r.providerData, ok = conversion.ParseProviderData(ctx, req.ProviderData, &resp.Diagnostics)
-	if !ok {
-		return
-	}
-
-	apiClientConfigOptions := []config.ConfigurationOption{
-		config.WithCustomAuth(r.providerData.RoundTripper),
-		utils.UserAgentConfigOption(r.providerData.Version),
-	}
-	if r.providerData.PostgresFlexCustomEndpoint != "" {
-		apiClientConfigOptions = append(apiClientConfigOptions, config.WithEndpoint(r.providerData.PostgresFlexCustomEndpoint))
-	} else {
-		apiClientConfigOptions = append(apiClientConfigOptions, config.WithRegion(r.providerData.GetRegion()))
-	}
-	apiClient, err := {{.PackageName}}.NewAPIClient(apiClientConfigOptions...)
-	if err != nil {
-		resp.Diagnostics.AddError( "Error configuring API client", fmt.Sprintf("Configuring client: %v. This is an error related to the provider configuration, not to the resource configuration", err))
-		return
-	}
-	r.client = apiClient
-	tflog.Info(ctx, "{{.PackageName}}.{{.NamePascal}} client configured")
-}
-
-func (r *{{.NameCamel}}Resource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
-	var data {{.PackageName}}Gen.{{.NamePascal}}Model
-
-	// Read Terraform plan data into the model
-	resp.Diagnostics.Append(req.Plan.Get(ctx, &data)...)
-
-	if resp.Diagnostics.HasError() {
-		return
-	}
-
-	// TODO: Create API call logic
-
-	// Example data value setting
-	data.{{.NameCamel | ucfirst}}Id = types.StringValue("id-from-response")
-
-	// Save data into Terraform state
-	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
-
-	tflog.Info(ctx, "{{.PackageName}}.{{.NamePascal}} created")
-}
-
-func (r *{{.NameCamel}}Resource) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) {
-	var data {{.PackageName}}Gen.{{.NamePascal}}Model
-
-	// Read Terraform prior state data into the model
-	resp.Diagnostics.Append(req.State.Get(ctx, &data)...)
-
-	if resp.Diagnostics.HasError() {
-		return
-	}
-
-	// Todo: Read API call logic
-
-	// Save updated data into Terraform state
-	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
-
-	tflog.Info(ctx, "{{.PackageName}}.{{.NamePascal}} read")
-}
-
-func (r *{{.NameCamel}}Resource) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
-	var data {{.PackageName}}Gen.{{.NamePascal}}Model
-
-	// Read Terraform plan data into the model
-	resp.Diagnostics.Append(req.Plan.Get(ctx, &data)...)
-
-	if resp.Diagnostics.HasError() {
-		return
-	}
-
-	// Todo: Update API call logic
-
-	// Save updated data into Terraform state
-	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
-
-	tflog.Info(ctx, "{{.PackageName}}.{{.NamePascal}} updated")
-}
-
-func (r *{{.NameCamel}}Resource) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) {
-	var data {{.PackageName}}Gen.{{.NamePascal}}Model
-
-	// Read Terraform prior state data into the model
-	resp.Diagnostics.Append(req.State.Get(ctx, &data)...)
-
-	if resp.Diagnostics.HasError() {
-		return
-	}
-
-	// Todo: Delete API call logic
-
-	tflog.Info(ctx, "{{.PackageName}}.{{.NamePascal}} deleted")
-}
-
-// ModifyPlan implements resource.ResourceWithModifyPlan.
-// Use the modifier to set the effective region in the current plan.
-func (r *{{.NameCamel}}Resource) ModifyPlan(
-	ctx context.Context,
-	req resource.ModifyPlanRequest,
-	resp *resource.ModifyPlanResponse,
-) { // nolint:gocritic // function signature required by Terraform
-	var configModel {{.PackageName}}Gen.{{.NamePascal}}Model
-	// skip initial empty configuration to avoid follow-up errors
-	if req.Config.Raw.IsNull() {
-		return
-	}
-	resp.Diagnostics.Append(req.Config.Get(ctx, &configModel)...)
-	if resp.Diagnostics.HasError() {
-		return
-	}
-
-	var planModel {{.PackageName}}Gen.{{.NamePascal}}Model
-	resp.Diagnostics.Append(req.Plan.Get(ctx, &planModel)...)
-	if resp.Diagnostics.HasError() {
-		return
-	}
-
-	utils.AdaptRegion(ctx, configModel.Region, &planModel.Region, r.providerData.GetRegion(), resp)
-	if resp.Diagnostics.HasError() {
-		return
-	}
-
-	resp.Diagnostics.Append(resp.Plan.Set(ctx, planModel)...)
-	if resp.Diagnostics.HasError() {
-		return
-	}
-}
-
-// ImportState imports a resource into the Terraform state on success.
-// The expected format of the resource import identifier is: project_id,zone_id,record_set_id
-func (r *{{.NameCamel}}Resource) ImportState(
-	ctx context.Context,
-	req resource.ImportStateRequest,
-	resp *resource.ImportStateResponse,
-) {
-	idParts := strings.Split(req.ID, core.Separator)
-
-	// Todo: Import logic
-	if len(idParts) < 2 || idParts[0] == "" || idParts[1] == "" {
-		core.LogAndAddError(
-			ctx, &resp.Diagnostics,
-			"Error importing database",
-			fmt.Sprintf(
-				"Expected import identifier with format [project_id],[region],..., got %q",
-				req.ID,
-			),
-		)
-		return
-	}
-
-	resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("project_id"), idParts[0])...)
-	resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("region"), idParts[1])...)
-	// ... more ...
-
-	core.LogAndAddWarning(
-		ctx,
-		&resp.Diagnostics,
-		"{{.PackageName | ucfirst}} database imported with empty password",
-		"The database password is not imported as it is only available upon creation of a new database. The password field will be empty.",
-	)
-	tflog.Info(ctx, "{{.PackageName | ucfirst}} {{.NameCamel}} state imported")
-}
--- a/cmd/cmd/buildCmd.go
+++ b/cmd/cmd/buildCmd.go
@ -1,17 +0,0 @@
-package cmd
-
-import (
-	"github.com/spf13/cobra"
-	"tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/cmd/cmd/build"
-)
-
-func NewBuildCmd() *cobra.Command {
-	return &cobra.Command{
-		Use:   "build",
-		Short: "Build the necessary boilerplate",
-		Long:  `...`,
-		RunE: func(cmd *cobra.Command, args []string) error {
-			return build.Build()
-		},
-	}
-}
--- a/cmd/main.go
+++ b/cmd/main.go
@ -1,27 +0,0 @@
-package main
-
-import (
-	"log"
-	"os"
-
-	"tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/cmd/cmd"
-)
-
-func main() {
-	rootCmd := cmd.NewRootCmd()
-	//rootCmd.PersistentFlags().StringVar(&cfgFile, "config", "", "config file (default is $HOME/.cobra.yaml)")
-	//rootCmd.PersistentFlags().StringP("author", "a", "YOUR NAME", "author name for copyright attribution")
-	//rootCmd.PersistentFlags().StringVarP(&userLicense, "license", "l", "", "name of license for the project")
-
-	rootCmd.SetOut(os.Stdout)
-
-	rootCmd.AddCommand(
-		cmd.NewBuildCmd(),
-		cmd.NewPublishCmd(),
-	)
-
-	err := rootCmd.Execute()
-	if err != nil {
-		log.Fatal(err)
-	}
-}
--- a/docs/data-sources/postgresflexalpha_database.md
+++ b/docs/data-sources/postgresflexalpha_database.md
@ -3,12 +3,12 @@
 page_title: "stackitprivatepreview_postgresflexalpha_database Data Source - stackitprivatepreview"
 subcategory: ""
 description: |-
-  Postgres Flex database resource schema. Must have a region specified in the provider configuration.
+  
 ---

 # stackitprivatepreview_postgresflexalpha_database (Data Source)

-Postgres Flex database resource schema. Must have a `region` specified in the provider configuration.
+

 ## Example Usage

@ -25,16 +25,17 @@ data "stackitprivatepreview_postgresflexalpha_database" "example" {

 ### Required

- `instance_id` (String) ID of the Postgres Flex instance.
- `project_id` (String) STACKIT project ID to which the instance is associated.
+- `database_id` (Number) The ID of the database.
+- `instance_id` (String) The ID of the instance.
+- `project_id` (String) The STACKIT project ID.

 ### Optional

- `database_id` (Number) Database ID.
- `name` (String) Database name.
- `region` (String) The resource region. If not defined, the provider region is used.
+- `region` (String) The region which should be addressed

 ### Read-Only

- `id` (String) Terraform's internal resource ID. It is structured as "`project_id`,`region`,`instance_id`,`database_id`".
- `owner` (String) Username of the database owner.
+- `id` (String) Terraform's internal resource ID. It is structured as \"`project_id`,`region`,`instance_id`,`database_id`\".",
+- `name` (String) The name of the database.
+- `owner` (String) The owner of the database.
+- `tf_original_api_id` (Number) The id of the database.
--- a/docs/data-sources/postgresflexalpha_flavor.md
+++ b/docs/data-sources/postgresflexalpha_flavor.md
@ -10,7 +10,18 @@ description: |-



+## Example Usage

+```terraform
+data "stackitprivatepreview_postgresflexalpha_flavor" "flavor" {
+  project_id    = var.project_id
+  region        = var.region
+  cpu           = 4
+  ram           = 16
+  node_type     = "Single"
+  storage_class = "premium-perf2-stackit"
+}
+```

 <!-- schema generated by tfplugindocs -->
 ## Schema
--- a/docs/data-sources/postgresflexalpha_flavors.md
+++ b/docs/data-sources/postgresflexalpha_flavors.md
@ -38,12 +38,12 @@ Read-Only:

 - `cpu` (Number) The cpu count of the instance.
 - `description` (String) The flavor description.
- `id` (String) The id of the instance flavor.
 - `max_gb` (Number) maximum storage which can be ordered for the flavor in Gigabyte.
 - `memory` (Number) The memory of the instance in Gibibyte.
 - `min_gb` (Number) minimum storage which is required to order in Gigabyte.
 - `node_type` (String) defines the nodeType it can be either single or replica
 - `storage_classes` (Attributes List) maximum storage which can be ordered for the flavor in Gigabyte. (see [below for nested schema](#nestedatt--flavors--storage_classes))
+- `tf_original_api_id` (String) The id of the instance flavor.

 <a id="nestedatt--flavors--storage_classes"></a>
 ### Nested Schema for `flavors.storage_classes`
--- a/docs/data-sources/postgresflexalpha_instance.md
+++ b/docs/data-sources/postgresflexalpha_instance.md
@ -26,17 +26,21 @@ data "stackitprivatepreview_postgresflexalpha_instance" "example" {

 - `instance_id` (String) The ID of the instance.
 - `project_id` (String) The STACKIT project ID.
+
+### Optional
+
 - `region` (String) The region which should be addressed

 ### Read-Only

- `backup_schedule` (String) The schedule for on what time and how often the database backup will be created. The schedule is written as a cron schedule.
- `connection_info` (Attributes) The DNS name and port in the instance overview (see [below for nested schema](#nestedatt--connection_info))
+- `acl` (List of String) List of IPV4 cidr.
+- `backup_schedule` (String) The schedule for when the database backup will be created. Currently, ONLY daily schedules are supported (every 24 hours). The schedule is written as a cron schedule.
+- `connection_info` (Attributes) The connection information of the instance (see [below for nested schema](#nestedatt--connection_info))
 - `encryption` (Attributes) The configuration for instance's volume and backup storage encryption.

-⚠️ **Note:** This feature is in private preview. Supplying this object is only permitted for enabled accounts. If your account does not have access, the request will be rejected. (see [below for nested schema](#nestedatt--encryption))
+⚠︝ **Note:** This feature is in private preview. Supplying this object is only permitted for enabled accounts. If your account does not have access, the request will be rejected. (see [below for nested schema](#nestedatt--encryption))
 - `flavor_id` (String) The id of the instance flavor.
- `id` (String) The ID of the instance.
+- `id` (String) internal ID
 - `is_deletable` (Boolean) Whether the instance can be deleted or not.
 - `name` (String) The name of the instance.
 - `network` (Attributes) The access configuration of the instance (see [below for nested schema](#nestedatt--network))
@ -44,6 +48,7 @@ data "stackitprivatepreview_postgresflexalpha_instance" "example" {
 - `retention_days` (Number) How long backups are retained. The value can only be between 32 and 365 days.
 - `status` (String) The current status of the instance.
 - `storage` (Attributes) The object containing information about the storage size and class. (see [below for nested schema](#nestedatt--storage))
+- `tf_original_api_id` (String) The ID of the instance.
 - `version` (String) The Postgres version used for the instance. See [Versions Endpoint](/documentation/postgres-flex-service/version/v3alpha1#tag/Version) for supported version parameters.

 <a id="nestedatt--connection_info"></a>
@ -51,10 +56,18 @@ data "stackitprivatepreview_postgresflexalpha_instance" "example" {

 Read-Only:

+- `write` (Attributes) The DNS name and port in the instance overview (see [below for nested schema](#nestedatt--connection_info--write))
+
+<a id="nestedatt--connection_info--write"></a>
+### Nested Schema for `connection_info.write`
+
+Read-Only:
+
 - `host` (String) The host of the instance.
 - `port` (Number) The port of the instance.


+
 <a id="nestedatt--encryption"></a>
 ### Nested Schema for `encryption`

--- a/docs/data-sources/postgresflexalpha_user.md
+++ b/docs/data-sources/postgresflexalpha_user.md
@ -3,12 +3,12 @@
 page_title: "stackitprivatepreview_postgresflexalpha_user Data Source - stackitprivatepreview"
 subcategory: ""
 description: |-
-  Postgres Flex user data source schema. Must have a region specified in the provider configuration.
+  
 ---

 # stackitprivatepreview_postgresflexalpha_user (Data Source)

-Postgres Flex user data source schema. Must have a `region` specified in the provider configuration.
+

 ## Example Usage

@ -25,20 +25,18 @@ data "stackitprivatepreview_postgresflexalpha_user" "example" {

 ### Required

- `instance_id` (String) ID of the PostgresFlex instance.
- `project_id` (String) STACKIT project ID to which the instance is associated.
- `user_id` (String) User ID.
+- `instance_id` (String) The ID of the instance.
+- `project_id` (String) The STACKIT project ID.
+- `user_id` (Number) The ID of the user.

 ### Optional

- `region` (String) The resource region. If not defined, the provider region is used.
+- `id` (String) Terraform's internal resource ID. It is structured as \"`project_id`,`region`,`instance_id`,`user_id`\".",
+- `region` (String) The region which should be addressed

 ### Read-Only

- `connection_string` (String) The connection string for the user to the instance.
- `host` (String) The host address for the user to connect to the instance.
- `id` (String) Terraform's internal data source. ID. It is structured as "`project_id`,`region`,`instance_id`,`user_id`".
- `port` (Number) The port number for the user to connect to the instance.
- `roles` (Set of String) The roles assigned to the user.
+- `name` (String) The name of the user.
+- `roles` (List of String) A list of user roles.
 - `status` (String) The current status of the user.
- `username` (String) The name of the user.
+- `tf_original_api_id` (Number) The ID of the user.
--- a/docs/data-sources/sqlserverflexalpha_database.md
+++ b/docs/data-sources/sqlserverflexalpha_database.md
@ -26,6 +26,7 @@ description: |-

 - `collation_name` (String) The collation of the database. This database collation should match the *collation_name* of one of the collations given by the **Get database collation list** endpoint.
 - `compatibility_level` (Number) CompatibilityLevel of the Database.
- `id` (Number) The id of the database.
+- `id` (String) The terraform internal identifier.
 - `name` (String) The name of the database.
 - `owner` (String) The owner of the database.
+- `tf_original_api_id` (Number) The id of the database.
--- a/docs/data-sources/sqlserverflexalpha_flavor.md
+++ b/docs/data-sources/sqlserverflexalpha_flavor.md
@ -1,43 +0,0 @@
---
-# generated by https://github.com/hashicorp/terraform-plugin-docs
-page_title: "stackitprivatepreview_sqlserverflexalpha_flavor Data Source - stackitprivatepreview"
-subcategory: ""
-description: |-
-  
---
-
-# stackitprivatepreview_sqlserverflexalpha_flavor (Data Source)
-
-
-
-
-
-<!-- schema generated by tfplugindocs -->
-## Schema
-
-### Required
-
- `cpu` (Number) The cpu count of the instance.
- `node_type` (String) defines the nodeType it can be either single or replica
- `project_id` (String) The cpu count of the instance.
- `ram` (Number) The memory of the instance in Gibibyte.
- `region` (String) The flavor description.
- `storage_class` (String) The memory of the instance in Gibibyte.
-
-### Read-Only
-
- `description` (String) The flavor description.
- `flavor_id` (String) The flavor id of the instance flavor.
- `id` (String) The terraform id of the instance flavor.
- `max_gb` (Number) maximum storage which can be ordered for the flavor in Gigabyte.
- `min_gb` (Number) minimum storage which is required to order in Gigabyte.
- `storage_classes` (Attributes List) (see [below for nested schema](#nestedatt--storage_classes))
-
-<a id="nestedatt--storage_classes"></a>
-### Nested Schema for `storage_classes`
-
-Read-Only:
-
- `class` (String)
- `max_io_per_sec` (Number)
- `max_through_in_mb` (Number)
--- a/docs/data-sources/sqlserverflexalpha_instance.md
+++ b/docs/data-sources/sqlserverflexalpha_instance.md
@ -3,12 +3,12 @@
 page_title: "stackitprivatepreview_sqlserverflexalpha_instance Data Source - stackitprivatepreview"
 subcategory: ""
 description: |-
-  SQLServer Flex ALPHA instance resource schema. Must have a region specified in the provider configuration.
+  
 ---

 # stackitprivatepreview_sqlserverflexalpha_instance (Data Source)

-SQLServer Flex ALPHA instance resource schema. Must have a `region` specified in the provider configuration.
+

 ## Example Usage

@ -24,61 +24,48 @@ data "stackitprivatepreview_sqlserverflexalpha_instance" "example" {

 ### Required

- `instance_id` (String) ID of the SQLServer Flex instance.
- `project_id` (String) STACKIT project ID to which the instance is associated.
-
-### Optional
-
- `region` (String) The resource region. If not defined, the provider region is used.
+- `instance_id` (String) The ID of the instance.
+- `project_id` (String) The STACKIT project ID.
+- `region` (String) The region which should be addressed

 ### Read-Only

- `backup_schedule` (String) The backup schedule. Should follow the cron scheduling system format (e.g. "0 0 * * *")
- `edition` (String)
- `encryption` (Attributes) The encryption block. (see [below for nested schema](#nestedatt--encryption))
- `flavor` (Attributes) (see [below for nested schema](#nestedatt--flavor))
- `id` (String) Terraform's internal resource ID. It is structured as "`project_id`,`region`,`instance_id`".
- `is_deletable` (Boolean)
- `name` (String) Instance name.
- `network` (Attributes) The network block. (see [below for nested schema](#nestedatt--network))
- `replicas` (Number)
- `retention_days` (Number)
+- `backup_schedule` (String) The schedule for on what time and how often the database backup will be created. The schedule is written as a cron schedule.
+- `edition` (String) Edition of the MSSQL server instance
+- `encryption` (Attributes) this defines which key to use for storage encryption (see [below for nested schema](#nestedatt--encryption))
+- `flavor_id` (String) The id of the instance flavor.
+- `is_deletable` (Boolean) Whether the instance can be deleted or not.
+- `name` (String) The name of the instance.
+- `network` (Attributes) The access configuration of the instance (see [below for nested schema](#nestedatt--network))
+- `replicas` (Number) How many replicas the instance should have.
+- `retention_days` (Number) The days for how long the backup files should be stored before cleaned up. 30 to 365
 - `status` (String)
- `storage` (Attributes) (see [below for nested schema](#nestedatt--storage))
- `version` (String)
+- `storage` (Attributes) The object containing information about the storage size and class. (see [below for nested schema](#nestedatt--storage))
+- `tf_original_api_id` (String) The ID of the instance.
+- `version` (String) The sqlserver version used for the instance.

 <a id="nestedatt--encryption"></a>
 ### Nested Schema for `encryption`

 Read-Only:

- `key_id` (String) STACKIT KMS - Key ID of the encryption key to use.
- `key_version` (String) STACKIT KMS - Key version to use in the encryption key.
- `keyring_id` (String) STACKIT KMS - KeyRing ID of the encryption key to use.
+- `kek_key_id` (String) The key identifier
+- `kek_key_ring_id` (String) The keyring identifier
+- `kek_key_version` (String) The key version
 - `service_account` (String)


-<a id="nestedatt--flavor"></a>
-### Nested Schema for `flavor`
-
-Read-Only:
-
- `cpu` (Number)
- `description` (String)
- `id` (String)
- `node_type` (String)
- `ram` (Number)
-
-
 <a id="nestedatt--network"></a>
 ### Nested Schema for `network`

 Read-Only:

- `access_scope` (String) The access scope of the instance. (e.g. SNA)
- `acl` (List of String) The Access Control List (ACL) for the SQLServer Flex instance.
- `instance_address` (String) The returned instance IP address of the SQLServer Flex instance.
- `router_address` (String) The returned router IP address of the SQLServer Flex instance.
+- `access_scope` (String) The network access scope of the instance
+
+⚠️ **Note:** This feature is in private preview. Supplying this object is only permitted for enabled accounts. If your account does not have access, the request will be rejected.
+- `acl` (List of String) List of IPV4 cidr.
+- `instance_address` (String)
+- `router_address` (String)


 <a id="nestedatt--storage"></a>
@ -86,5 +73,5 @@ Read-Only:

 Read-Only:

- `class` (String)
- `size` (Number)
+- `class` (String) The storage class for the storage.
+- `size` (Number) The storage size in Gigabytes.
--- a/docs/data-sources/sqlserverflexalpha_user.md
+++ b/docs/data-sources/sqlserverflexalpha_user.md
@ -3,12 +3,12 @@
 page_title: "stackitprivatepreview_sqlserverflexalpha_user Data Source - stackitprivatepreview"
 subcategory: ""
 description: |-
-  SQLServer Flex user data source schema. Must have a region specified in the provider configuration.
+  
 ---

 # stackitprivatepreview_sqlserverflexalpha_user (Data Source)

-SQLServer Flex user data source schema. Must have a `region` specified in the provider configuration.
+

 ## Example Usage

@ -25,20 +25,38 @@ data "stackitprivatepreview_sqlserverflexalpha_user" "example" {

 ### Required

- `instance_id` (String) ID of the SQLServer Flex instance.
- `project_id` (String) STACKIT project ID to which the instance is associated.
- `user_id` (Number) User ID.
+- `instance_id` (String) The ID of the instance.
+- `project_id` (String) The STACKIT project ID.
+- `region` (String) The region which should be addressed

 ### Optional

- `region` (String) The resource region. If not defined, the provider region is used.
+- `page` (Number) Number of the page of items list to be returned.
+- `size` (Number) Number of items to be returned on each page.
+- `sort` (String) Sorting of the users to be returned on each page.

 ### Read-Only

- `default_database` (String)
- `host` (String)
- `id` (String) Terraform's internal data source. ID. It is structured as "`project_id`,`region`,`instance_id`,`user_id`".
- `port` (Number)
- `roles` (Set of String) Database access levels for the user.
- `status` (String)
- `username` (String) Username of the SQLServer Flex instance.
+- `pagination` (Attributes) (see [below for nested schema](#nestedatt--pagination))
+- `users` (Attributes List) List of all users inside an instance (see [below for nested schema](#nestedatt--users))
+
+<a id="nestedatt--pagination"></a>
+### Nested Schema for `pagination`
+
+Read-Only:
+
+- `page` (Number)
+- `size` (Number)
+- `sort` (String)
+- `total_pages` (Number)
+- `total_rows` (Number)
+
+
+<a id="nestedatt--users"></a>
+### Nested Schema for `users`
+
+Read-Only:
+
+- `status` (String) The current status of the user.
+- `tf_original_api_id` (Number) The ID of the user.
+- `username` (String) The name of the user.
--- a/docs/data-sources/sqlserverflexalpha_version.md
+++ b/docs/data-sources/sqlserverflexalpha_version.md
@ -1,35 +0,0 @@
---
-# generated by https://github.com/hashicorp/terraform-plugin-docs
-page_title: "stackitprivatepreview_sqlserverflexalpha_version Data Source - stackitprivatepreview"
-subcategory: ""
-description: |-
-  
---
-
-# stackitprivatepreview_sqlserverflexalpha_version (Data Source)
-
-
-
-
-
-<!-- schema generated by tfplugindocs -->
-## Schema
-
-### Required
-
- `project_id` (String) The STACKIT project ID.
- `region` (String) The region which should be addressed
-
-### Read-Only
-
- `versions` (Attributes List) A list containing available sqlserver versions. (see [below for nested schema](#nestedatt--versions))
-
-<a id="nestedatt--versions"></a>
-### Nested Schema for `versions`
-
-Read-Only:
-
- `beta` (Boolean) Flag if the version is a beta version. If set the version may contain bugs and is not fully tested.
- `deprecated` (String) Timestamp in RFC3339 format which says when the version will no longer be supported by STACKIT.
- `recommend` (Boolean) Flag if the version is recommend by the STACKIT Team.
- `version` (String) The sqlserver version used for the instance.
--- a/docs/data-sources/sqlserverflexbeta_database.md
+++ b/docs/data-sources/sqlserverflexbeta_database.md
@ -0,0 +1,40 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stackitprivatepreview_sqlserverflexbeta_database Data Source - stackitprivatepreview"
+subcategory: ""
+description: |-
+  
+---
+
+# stackitprivatepreview_sqlserverflexbeta_database (Data Source)
+
+
+
+## Example Usage
+
+```terraform
+data "stackitprivatepreview_sqlserverflexbeta_database" "example" {
+  project_id    = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  instance_id   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  database_name = "dbname"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `database_name` (String) The name of the database.
+- `instance_id` (String) The ID of the instance.
+- `project_id` (String) The STACKIT project ID.
+- `region` (String) The region which should be addressed
+
+### Read-Only
+
+- `collation_name` (String) The collation of the database. This database collation should match the *collation_name* of one of the collations given by the **Get database collation list** endpoint.
+- `compatibility_level` (Number) CompatibilityLevel of the Database.
+- `id` (String) The terraform internal identifier.
+- `name` (String) The name of the database.
+- `owner` (String) The owner of the database.
+- `tf_original_api_id` (Number) The id of the database.
--- a/docs/data-sources/sqlserverflexbeta_instance.md
+++ b/docs/data-sources/sqlserverflexbeta_instance.md
@ -0,0 +1,77 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stackitprivatepreview_sqlserverflexbeta_instance Data Source - stackitprivatepreview"
+subcategory: ""
+description: |-
+  
+---
+
+# stackitprivatepreview_sqlserverflexbeta_instance (Data Source)
+
+
+
+## Example Usage
+
+```terraform
+data "stackitprivatepreview_sqlserverflexbeta_instance" "example" {
+  project_id  = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `instance_id` (String) The ID of the instance.
+- `project_id` (String) The STACKIT project ID.
+- `region` (String) The region which should be addressed
+
+### Read-Only
+
+- `backup_schedule` (String) The schedule for on what time and how often the database backup will be created. The schedule is written as a cron schedule.
+- `edition` (String) Edition of the MSSQL server instance
+- `encryption` (Attributes) this defines which key to use for storage encryption (see [below for nested schema](#nestedatt--encryption))
+- `flavor_id` (String) The id of the instance flavor.
+- `is_deletable` (Boolean) Whether the instance can be deleted or not.
+- `name` (String) The name of the instance.
+- `network` (Attributes) The access configuration of the instance (see [below for nested schema](#nestedatt--network))
+- `replicas` (Number) How many replicas the instance should have.
+- `retention_days` (Number) The days for how long the backup files should be stored before cleaned up. 30 to 365
+- `status` (String)
+- `storage` (Attributes) The object containing information about the storage size and class. (see [below for nested schema](#nestedatt--storage))
+- `tf_original_api_id` (String) The ID of the instance.
+- `version` (String) The sqlserver version used for the instance.
+
+<a id="nestedatt--encryption"></a>
+### Nested Schema for `encryption`
+
+Read-Only:
+
+- `kek_key_id` (String) The key identifier
+- `kek_key_ring_id` (String) The keyring identifier
+- `kek_key_version` (String) The key version
+- `service_account` (String)
+
+
+<a id="nestedatt--network"></a>
+### Nested Schema for `network`
+
+Read-Only:
+
+- `access_scope` (String) The network access scope of the instance
+
+⚠️ **Note:** This feature is in private preview. Supplying this object is only permitted for enabled accounts. If your account does not have access, the request will be rejected.
+- `acl` (List of String) List of IPV4 cidr.
+- `instance_address` (String)
+- `router_address` (String)
+
+
+<a id="nestedatt--storage"></a>
+### Nested Schema for `storage`
+
+Read-Only:
+
+- `class` (String) The storage class for the storage.
+- `size` (Number) The storage size in Gigabytes.
--- a/docs/data-sources/sqlserverflexbeta_user.md
+++ b/docs/data-sources/sqlserverflexbeta_user.md
@ -0,0 +1,54 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stackitprivatepreview_sqlserverflexbeta_user Data Source - stackitprivatepreview"
+subcategory: ""
+description: |-
+  
+---
+
+# stackitprivatepreview_sqlserverflexbeta_user (Data Source)
+
+
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `instance_id` (String) The ID of the instance.
+- `project_id` (String) The STACKIT project ID.
+- `region` (String) The region which should be addressed
+
+### Optional
+
+- `page` (Number) Number of the page of items list to be returned.
+- `size` (Number) Number of items to be returned on each page.
+- `sort` (String) Sorting of the users to be returned on each page.
+
+### Read-Only
+
+- `pagination` (Attributes) (see [below for nested schema](#nestedatt--pagination))
+- `users` (Attributes List) List of all users inside an instance (see [below for nested schema](#nestedatt--users))
+
+<a id="nestedatt--pagination"></a>
+### Nested Schema for `pagination`
+
+Read-Only:
+
+- `page` (Number)
+- `size` (Number)
+- `sort` (String)
+- `total_pages` (Number)
+- `total_rows` (Number)
+
+
+<a id="nestedatt--users"></a>
+### Nested Schema for `users`
+
+Read-Only:
+
+- `status` (String) The current status of the user.
+- `tf_original_api_id` (Number) The ID of the user.
+- `username` (String) The name of the user.
--- a/docs/index.md
+++ b/docs/index.md
@ -16,14 +16,13 @@ provider "stackitprivatepreview" {
  default_region = "eu01"
 }

-# Authentication
-
-# Token flow (scheduled for deprecation and will be removed on December 17, 2025)
 provider "stackitprivatepreview" {
-  default_region        = "eu01"
-  service_account_token = var.service_account_token
+  default_region           = "eu01"
+  service_account_key_path = "service_account.json"
 }

+# Authentication
+
 # Key flow
 provider "stackitprivatepreview" {
  default_region      = "eu01"
--- a/docs/resources/postgresflexalpha_database.md
+++ b/docs/resources/postgresflexalpha_database.md
@ -3,12 +3,12 @@
 page_title: "stackitprivatepreview_postgresflexalpha_database Resource - stackitprivatepreview"
 subcategory: ""
 description: |-
-  Postgres Flex database resource schema. Must have a region specified in the provider configuration.
+  
 ---

 # stackitprivatepreview_postgresflexalpha_database (Resource)

-Postgres Flex database resource schema. Must have a `region` specified in the provider configuration.
+

 ## Example Usage

@ -25,6 +25,16 @@ import {
  to = stackitprivatepreview_postgresflexalpha_database.import-example
  id = "${var.project_id},${var.region},${var.postgres_instance_id},${var.postgres_database_id}"
 }
+
+import {
+  to = stackitprivatepreview_postgresflexalpha_database.import-example
+  identity = {
+    project_id  = "project_id"
+    region      = "region"
+    instance_id = "instance_id"
+    database_id = "database_id"
+  }
+}
 ```

 <!-- schema generated by tfplugindocs -->
@ -32,16 +42,16 @@ import {

 ### Required

- `instance_id` (String) ID of the Postgres Flex instance.
- `name` (String) Database name.
- `owner` (String) Username of the database owner.
- `project_id` (String) STACKIT project ID to which the instance is associated.
+- `name` (String) The name of the database.

 ### Optional

- `region` (String) The resource region. If not defined, the provider region is used.
+- `database_id` (Number) The ID of the database.
+- `instance_id` (String) The ID of the instance.
+- `owner` (String) The owner of the database.
+- `project_id` (String) The STACKIT project ID.
+- `region` (String) The region which should be addressed

 ### Read-Only

- `database_id` (Number) Database ID.
- `id` (String) Terraform's internal resource ID. It is structured as "`project_id`,`region`,`instance_id`,`database_id`".
+- `id` (String) The id of the database.
--- a/docs/resources/postgresflexalpha_instance.md
+++ b/docs/resources/postgresflexalpha_instance.md
@ -13,21 +13,29 @@ description: |-
 ## Example Usage

 ```terraform
-resource "stackitprivatepreview_postgresflexalpha_instance" "example" {
+resource "stackitprivatepreview_postgresflexalpha_instance" "example-instance" {
  project_id      = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  name            = "example-instance"
  acl             = ["XXX.XXX.XXX.X/XX", "XX.XXX.XX.X/XX"]
-  backup_schedule = "00 00 * * *"
-  flavor = {
-    cpu = 2
-    ram = 4
-  }
-  replicas = 3
+  backup_schedule = "0 0 * * *"
+  retention_days  = 30
+  flavor_id       = "flavor.id"
+  replicas        = 1
  storage = {
-    class = "class"
-    size  = 5
+    performance_class = "premium-perf2-stackit"
+    size              = 10
  }
-  version = 14
+  encryption = {
+    kek_key_id      = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+    kek_key_ring_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+    kek_key_version = 1
+    service_account = "service@account.email"
+  }
+  network = {
+    acl          = ["XXX.XXX.XXX.X/XX", "XX.XXX.XX.X/XX"]
+    access_scope = "PUBLIC"
+  }
+  version = 17
 }

 # Only use the import statement, if you want to import an existing postgresflex instance
@ -35,6 +43,15 @@ import {
  to = stackitprivatepreview_postgresflexalpha_instance.import-example
  id = "${var.project_id},${var.region},${var.postgres_instance_id}"
 }
+
+import {
+  to = stackitprivatepreview_postgresflexalpha_instance.import-example
+  identity = {
+    project_id  = var.project_id
+    region      = var.region
+    instance_id = var.postgres_instance_id
+  }
+}
 ```

 <!-- schema generated by tfplugindocs -->
@ -42,7 +59,7 @@ import {

 ### Required

- `backup_schedule` (String) The schedule for on what time and how often the database backup will be created. The schedule is written as a cron schedule.
+- `backup_schedule` (String) The schedule for when the database backup will be created. Currently, ONLY daily schedules are supported (every 24 hours). The schedule is written as a cron schedule.
 - `flavor_id` (String) The id of the instance flavor.
 - `name` (String) The name of the instance.
 - `network` (Attributes) The access configuration of the instance (see [below for nested schema](#nestedatt--network))
@ -55,14 +72,15 @@ import {

 - `encryption` (Attributes) The configuration for instance's volume and backup storage encryption.

-⚠️ **Note:** This feature is in private preview. Supplying this object is only permitted for enabled accounts. If your account does not have access, the request will be rejected. (see [below for nested schema](#nestedatt--encryption))
+⚠︝ **Note:** This feature is in private preview. Supplying this object is only permitted for enabled accounts. If your account does not have access, the request will be rejected. (see [below for nested schema](#nestedatt--encryption))
 - `instance_id` (String) The ID of the instance.
 - `project_id` (String) The STACKIT project ID.
 - `region` (String) The region which should be addressed

 ### Read-Only

- `connection_info` (Attributes) The DNS name and port in the instance overview (see [below for nested schema](#nestedatt--connection_info))
+- `acl` (List of String) List of IPV4 cidr.
+- `connection_info` (Attributes) The connection information of the instance (see [below for nested schema](#nestedatt--connection_info))
 - `id` (String) The ID of the instance.
 - `is_deletable` (Boolean) Whether the instance can be deleted or not.
 - `status` (String) The current status of the instance.
@ -77,6 +95,9 @@ Required:
 Optional:

 - `access_scope` (String) The access scope of the instance. It defines if the instance is public or airgapped.
+
+Read-Only:
+
 - `instance_address` (String)
 - `router_address` (String)

@ -106,5 +127,12 @@ Required:

 Read-Only:

+- `write` (Attributes) The DNS name and port in the instance overview (see [below for nested schema](#nestedatt--connection_info--write))
+
+<a id="nestedatt--connection_info--write"></a>
+### Nested Schema for `connection_info.write`
+
+Read-Only:
+
 - `host` (String) The host of the instance.
 - `port` (Number) The port of the instance.
--- a/docs/resources/postgresflexalpha_user.md
+++ b/docs/resources/postgresflexalpha_user.md
@ -3,12 +3,12 @@
 page_title: "stackitprivatepreview_postgresflexalpha_user Resource - stackitprivatepreview"
 subcategory: ""
 description: |-
-  Postgres Flex user resource schema. Must have a region specified in the provider configuration.
+  
 ---

 # stackitprivatepreview_postgresflexalpha_user (Resource)

-Postgres Flex user resource schema. Must have a `region` specified in the provider configuration.
+

 ## Example Usage

@ -16,7 +16,7 @@ Postgres Flex user resource schema. Must have a `region` specified in the provid
 resource "stackitprivatepreview_postgresflexalpha_user" "example" {
  project_id  = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
-  username    = "username"
+  name        = "username"
  roles       = ["role"]
 }

@ -25,6 +25,16 @@ import {
  to = stackitprivatepreview_postgresflexalpha_user.import-example
  id = "${var.project_id},${var.region},${var.postgres_instance_id},${var.user_id}"
 }
+
+import {
+  to = stackitprivatepreview_postgresflexalpha_user.import-example
+  identity = {
+    project_id  = "project.id"
+    region      = "region"
+    instance_id = "instance.id"
+    user_id     = "user.id"
+  }
+}
 ```

 <!-- schema generated by tfplugindocs -->
@ -32,21 +42,18 @@ import {

 ### Required

- `instance_id` (String) ID of the PostgresFlex instance.
- `project_id` (String) STACKIT project ID to which the instance is associated.
- `roles` (Set of String) Database access levels for the user. Possible values are: `login`, `createdb`, `createrole`.
- `username` (String) The name of the user.
+- `name` (String) The name of the user.

 ### Optional

- `region` (String) The resource region. If not defined, the provider region is used.
+- `instance_id` (String) The ID of the instance.
+- `project_id` (String) The STACKIT project ID.
+- `region` (String) The region which should be addressed
+- `roles` (List of String) A list containing the user roles for the instance.
+- `user_id` (Number) The ID of the user.

 ### Read-Only

- `connection_string` (String) The connection string for the user to the instance.
- `host` (String) The host of the Postgres Flex instance.
- `id` (String) Terraform's internal resource ID. It is structured as "`project_id`,`region`,`instance_id`,`user_id`".
- `password` (String, Sensitive) The password for the user. This is only set upon creation.
- `port` (Number) The port of the Postgres Flex instance.
+- `id` (String) The ID of the user.
+- `password` (String) The password for the user.
 - `status` (String) The current status of the user.
- `user_id` (Number) User ID.
--- a/docs/resources/sqlserverflexalpha_database.md
+++ b/docs/resources/sqlserverflexalpha_database.md
@ -10,7 +10,34 @@ description: |-



+## Example Usage

+```terraform
+resource "stackitprivatepreview_sqlserverflexalpha_database" "example" {
+  project_id    = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  instance_id   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  collation     = ""
+  compatibility = "160"
+  name          = ""
+  owner         = ""
+}
+
+# Only use the import statement, if you want to import a existing sqlserverflex database
+import {
+  to = stackitprivatepreview_sqlserverflexalpha_database.import-example
+  id = "${var.project_id},${var.region},${var.sql_instance_id},${var.sql_user_id}"
+}
+
+import {
+  to = stackitprivatepreview_sqlserverflexalpha_database.import-example
+  identity = {
+    project_id  = "project.id"
+    region      = "region"
+    instance_id = "instance.id"
+    database_id = "database.id"
+  }
+}
+```

 <!-- schema generated by tfplugindocs -->
 ## Schema
--- a/docs/resources/sqlserverflexalpha_instance.md
+++ b/docs/resources/sqlserverflexalpha_instance.md
@ -3,12 +3,12 @@
 page_title: "stackitprivatepreview_sqlserverflexalpha_instance Resource - stackitprivatepreview"
 subcategory: ""
 description: |-
-  SQLServer Flex ALPHA instance resource schema. Must have a region specified in the provider configuration.
+  
 ---

 # stackitprivatepreview_sqlserverflexalpha_instance (Resource)

-SQLServer Flex ALPHA instance resource schema. Must have a `region` specified in the provider configuration.
+

 ## Example Usage

@ -41,41 +41,55 @@ import {

 ### Required

- `flavor_id` (String)
- `name` (String) Instance name.
- `network` (Attributes) The network block. (see [below for nested schema](#nestedatt--network))
- `project_id` (String) STACKIT project ID to which the instance is associated.
+- `backup_schedule` (String) The schedule for on what time and how often the database backup will be created. The schedule is written as a cron schedule.
+- `flavor_id` (String) The id of the instance flavor.
+- `name` (String) The name of the instance.
+- `network` (Attributes) the network configuration of the instance. (see [below for nested schema](#nestedatt--network))
+- `retention_days` (Number) The days for how long the backup files should be stored before cleaned up. 30 to 365
+- `storage` (Attributes) The object containing information about the storage size and class. (see [below for nested schema](#nestedatt--storage))
+- `version` (String) The sqlserver version used for the instance.

 ### Optional

- `backup_schedule` (String) The backup schedule. Should follow the cron scheduling system format (e.g. "0 0 * * *")
- `encryption` (Attributes) The encryption block. (see [below for nested schema](#nestedatt--encryption))
- `is_deletable` (Boolean)
- `region` (String) The resource region. If not defined, the provider region is used.
- `retention_days` (Number)
- `status` (String)
- `storage` (Attributes) (see [below for nested schema](#nestedatt--storage))
- `version` (String)
+- `encryption` (Attributes) this defines which key to use for storage encryption (see [below for nested schema](#nestedatt--encryption))
+- `instance_id` (String) The ID of the instance.
+- `project_id` (String) The STACKIT project ID.
+- `region` (String) The region which should be addressed

 ### Read-Only

- `edition` (String)
- `id` (String) Terraform's internal resource ID. It is structured as "`project_id`,`region`,`instance_id`".
- `instance_id` (String) ID of the SQLServer Flex instance.
- `replicas` (Number)
+- `edition` (String) Edition of the MSSQL server instance
+- `id` (String) The ID of the instance.
+- `is_deletable` (Boolean) Whether the instance can be deleted or not.
+- `replicas` (Number) How many replicas the instance should have.
+- `status` (String)

 <a id="nestedatt--network"></a>
 ### Nested Schema for `network`

 Required:

- `access_scope` (String) The access scope of the instance. (SNA | PUBLIC)
- `acl` (List of String) The Access Control List (ACL) for the SQLServer Flex instance.
+- `acl` (List of String) List of IPV4 cidr.
+
+Optional:
+
+- `access_scope` (String) The network access scope of the instance
+
+⚠️ **Note:** This feature is in private preview. Supplying this object is only permitted for enabled accounts. If your account does not have access, the request will be rejected.

 Read-Only:

- `instance_address` (String) The returned instance IP address of the SQLServer Flex instance.
- `router_address` (String) The returned router IP address of the SQLServer Flex instance.
+- `instance_address` (String)
+- `router_address` (String)
+
+
+<a id="nestedatt--storage"></a>
+### Nested Schema for `storage`
+
+Required:
+
+- `class` (String) The storage class for the storage.
+- `size` (Number) The storage size in Gigabytes.


 <a id="nestedatt--encryption"></a>
@ -83,16 +97,7 @@ Read-Only:

 Required:

- `key_id` (String) STACKIT KMS - Key ID of the encryption key to use.
- `key_version` (String) STACKIT KMS - Key version to use in the encryption key.
- `keyring_id` (String) STACKIT KMS - KeyRing ID of the encryption key to use.
+- `kek_key_id` (String) The key identifier
+- `kek_key_ring_id` (String) The keyring identifier
+- `kek_key_version` (String) The key version
 - `service_account` (String)
-
-
-<a id="nestedatt--storage"></a>
-### Nested Schema for `storage`
-
-Optional:
-
- `class` (String)
- `size` (Number)
--- a/docs/resources/sqlserverflexalpha_user.md
+++ b/docs/resources/sqlserverflexalpha_user.md
@ -3,12 +3,12 @@
 page_title: "stackitprivatepreview_sqlserverflexalpha_user Resource - stackitprivatepreview"
 subcategory: ""
 description: |-
-  SQLServer Flex user resource schema. Must have a region specified in the provider configuration.
+  
 ---

 # stackitprivatepreview_sqlserverflexalpha_user (Resource)

-SQLServer Flex user resource schema. Must have a `region` specified in the provider configuration.
+

 ## Example Usage

@ -32,21 +32,22 @@ import {

 ### Required

- `instance_id` (String) ID of the SQLServer Flex instance.
- `project_id` (String) STACKIT project ID to which the instance is associated.
- `roles` (Set of String) Database access levels for the user. The values for the default roles are: `##STACKIT_DatabaseManager##`, `##STACKIT_LoginManager##`, `##STACKIT_ProcessManager##`, `##STACKIT_ServerManager##`, `##STACKIT_SQLAgentManager##`, `##STACKIT_SQLAgentUser##`
- `username` (String) Username of the SQLServer Flex instance.
+- `roles` (List of String) A list containing the user roles for the instance. A list with the valid user roles can be retrieved using the List Roles endpoint.
+- `username` (String) The name of the user.

 ### Optional

- `region` (String)
+- `default_database` (String) The default database for a user of the instance.
+- `instance_id` (String) The ID of the instance.
+- `project_id` (String) The STACKIT project ID.
+- `region` (String) The region which should be addressed
+- `user_id` (Number) The ID of the user.

 ### Read-Only

- `default_database` (String)
- `host` (String)
- `id` (String) Terraform's internal resource ID. It is structured as "`project_id`,`region`,`instance_id`,`user_id`".
- `password` (String, Sensitive) Password of the user account.
- `port` (Number)
- `status` (String)
- `user_id` (Number) User ID.
+- `host` (String) The host of the instance in which the user belongs to.
+- `id` (Number) The ID of the user.
+- `password` (String) The password for the user.
+- `port` (Number) The port of the instance in which the user belongs to.
+- `status` (String) The current status of the user.
+- `uri` (String) The connection string for the user to the instance.
--- a/docs/resources/sqlserverflexbeta_database.md
+++ b/docs/resources/sqlserverflexbeta_database.md
@ -0,0 +1,51 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stackitprivatepreview_sqlserverflexbeta_database Resource - stackitprivatepreview"
+subcategory: ""
+description: |-
+  
+---
+
+# stackitprivatepreview_sqlserverflexbeta_database (Resource)
+
+
+
+## Example Usage
+
+```terraform
+resource "stackitprivatepreview_sqlserverflexalpha_user" "example" {
+  project_id  = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  username    = "username"
+  roles       = ["role"]
+}
+
+# Only use the import statement, if you want to import an existing sqlserverflex user
+import {
+  to = stackitprivatepreview_sqlserverflexalpha_user.import-example
+  id = "${var.project_id},${var.region},${var.sql_instance_id},${var.sql_user_id}"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `name` (String) The name of the database.
+- `owner` (String) The owner of the database.
+
+### Optional
+
+- `collation` (String) The collation of the database. This database collation should match the *collation_name* of one of the collations given by the **Get database collation list** endpoint.
+- `compatibility` (Number) CompatibilityLevel of the Database.
+- `database_name` (String) The name of the database.
+- `instance_id` (String) The ID of the instance.
+- `project_id` (String) The STACKIT project ID.
+- `region` (String) The region which should be addressed
+
+### Read-Only
+
+- `collation_name` (String) The collation of the database. This database collation should match the *collation_name* of one of the collations given by the **Get database collation list** endpoint.
+- `compatibility_level` (Number) CompatibilityLevel of the Database.
+- `id` (Number) The id of the database.
--- a/docs/resources/sqlserverflexbeta_instance.md
+++ b/docs/resources/sqlserverflexbeta_instance.md
@ -0,0 +1,158 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stackitprivatepreview_sqlserverflexbeta_instance Resource - stackitprivatepreview"
+subcategory: ""
+description: |-
+  
+---
+
+# stackitprivatepreview_sqlserverflexbeta_instance (Resource)
+
+
+
+## Example Usage
+
+```terraform
+# without encryption and SNA
+resource "stackitprivatepreview_sqlserverflexbeta_instance" "instance" {
+  project_id      = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  name            = "example-instance"
+  backup_schedule = "0 3 * * *"
+  retention_days  = 31
+  flavor_id       = "flavor_id"
+  storage = {
+    class = "premium-perf2-stackit"
+    size  = 50
+  }
+  version = 2022
+  network = {
+    acl          = ["XXX.XXX.XXX.X/XX", "XX.XXX.XX.X/XX"]
+    access_scope = "SNA"
+  }
+}
+
+# without encryption and PUBLIC
+resource "stackitprivatepreview_sqlserverflexbeta_instance" "instance" {
+  project_id      = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  name            = "example-instance"
+  backup_schedule = "0 3 * * *"
+  retention_days  = 31
+  flavor_id       = "flavor_id"
+  storage = {
+    class = "premium-perf2-stackit"
+    size  = 50
+  }
+  version = 2022
+  network = {
+    acl          = ["XXX.XXX.XXX.X/XX", "XX.XXX.XX.X/XX"]
+    access_scope = "PUBLIC"
+  }
+}
+
+# with encryption and SNA
+resource "stackitprivatepreview_sqlserverflexbeta_instance" "instance" {
+  project_id      = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  name            = "example-instance"
+  backup_schedule = "0 3 * * *"
+  retention_days  = 31
+  flavor_id       = "flavor_id"
+  storage = {
+    class = "premium-perf2-stackit"
+    size  = 50
+  }
+  version = 2022
+  encryption = {
+    kek_key_id      = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+    kek_key_ring_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+    kek_key_version = 1
+    service_account = "service_account@email"
+  }
+  network = {
+    acl          = ["XXX.XXX.XXX.X/XX", "XX.XXX.XX.X/XX"]
+    access_scope = "SNA"
+  }
+}
+
+
+# Only use the import statement, if you want to import an existing sqlserverflex instance
+import {
+  to = stackitprivatepreview_sqlserverflexalpha_instance.import-example
+  id = "${var.project_id},${var.region},${var.sql_instance_id}"
+}
+
+# import with identity
+import {
+  to = stackitprivatepreview_sqlserverflexalpha_instance.import-example
+  identity = {
+    project_id  = var.project_id
+    region      = var.region
+    instance_id = var.sql_instance_id
+  }
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `backup_schedule` (String) The schedule for on what time and how often the database backup will be created. The schedule is written as a cron schedule.
+- `flavor_id` (String) The id of the instance flavor.
+- `name` (String) The name of the instance.
+- `network` (Attributes) the network configuration of the instance. (see [below for nested schema](#nestedatt--network))
+- `retention_days` (Number) The days for how long the backup files should be stored before cleaned up. 30 to 365
+- `storage` (Attributes) The object containing information about the storage size and class. (see [below for nested schema](#nestedatt--storage))
+- `version` (String) The sqlserver version used for the instance.
+
+### Optional
+
+- `encryption` (Attributes) this defines which key to use for storage encryption (see [below for nested schema](#nestedatt--encryption))
+- `instance_id` (String) The ID of the instance.
+- `project_id` (String) The STACKIT project ID.
+- `region` (String) The region which should be addressed
+
+### Read-Only
+
+- `edition` (String) Edition of the MSSQL server instance
+- `id` (String) The ID of the instance.
+- `is_deletable` (Boolean) Whether the instance can be deleted or not.
+- `replicas` (Number) How many replicas the instance should have.
+- `status` (String)
+
+<a id="nestedatt--network"></a>
+### Nested Schema for `network`
+
+Required:
+
+- `acl` (List of String) List of IPV4 cidr.
+
+Optional:
+
+- `access_scope` (String) The network access scope of the instance
+
+⚠️ **Note:** This feature is in private preview. Supplying this object is only permitted for enabled accounts. If your account does not have access, the request will be rejected.
+
+Read-Only:
+
+- `instance_address` (String)
+- `router_address` (String)
+
+
+<a id="nestedatt--storage"></a>
+### Nested Schema for `storage`
+
+Required:
+
+- `class` (String) The storage class for the storage.
+- `size` (Number) The storage size in Gigabytes.
+
+
+<a id="nestedatt--encryption"></a>
+### Nested Schema for `encryption`
+
+Required:
+
+- `kek_key_id` (String) The key identifier
+- `kek_key_ring_id` (String) The keyring identifier
+- `kek_key_version` (String) The key version
+- `service_account` (String)
--- a/docs/resources/sqlserverflexbeta_user.md
+++ b/docs/resources/sqlserverflexbeta_user.md
@ -0,0 +1,53 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stackitprivatepreview_sqlserverflexbeta_user Resource - stackitprivatepreview"
+subcategory: ""
+description: |-
+  
+---
+
+# stackitprivatepreview_sqlserverflexbeta_user (Resource)
+
+
+
+## Example Usage
+
+```terraform
+resource "stackitprivatepreview_sqlserverflexalpha_user" "example" {
+  project_id  = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  username    = "username"
+  roles       = ["role"]
+}
+
+# Only use the import statement, if you want to import an existing sqlserverflex user
+import {
+  to = stackitprivatepreview_sqlserverflexalpha_user.import-example
+  id = "${var.project_id},${var.region},${var.sql_instance_id},${var.sql_user_id}"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `roles` (List of String) A list containing the user roles for the instance. A list with the valid user roles can be retrieved using the List Roles endpoint.
+- `username` (String) The name of the user.
+
+### Optional
+
+- `default_database` (String) The default database for a user of the instance.
+- `instance_id` (String) The ID of the instance.
+- `project_id` (String) The STACKIT project ID.
+- `region` (String) The region which should be addressed
+- `user_id` (Number) The ID of the user.
+
+### Read-Only
+
+- `host` (String) The host of the instance in which the user belongs to.
+- `id` (Number) The ID of the user.
+- `password` (String) The password for the user.
+- `port` (Number) The port of the instance in which the user belongs to.
+- `status` (String) The current status of the user.
+- `uri` (String) The connection string for the user to the instance.
--- a/examples/data-sources/stackitprivatepreview_postgresflexalpha_flavor/data-source.tf
+++ b/examples/data-sources/stackitprivatepreview_postgresflexalpha_flavor/data-source.tf
@ -0,0 +1,8 @@
+data "stackitprivatepreview_postgresflexalpha_flavor" "flavor" {
+  project_id    = var.project_id
+  region        = var.region
+  cpu           = 4
+  ram           = 16
+  node_type     = "Single"
+  storage_class = "premium-perf2-stackit"
+}
--- a/examples/data-sources/stackitprivatepreview_sqlserverflexalpha_flavor/data-source.tf
+++ b/examples/data-sources/stackitprivatepreview_sqlserverflexalpha_flavor/data-source.tf
@ -0,0 +1,8 @@
+data "stackitprivatepreview_sqlserverflexalpha_flavor" "flavor" {
+  project_id    = var.project_id
+  region        = var.region
+  cpu           = 4
+  ram           = 16
+  node_type     = "Single"
+  storage_class = "premium-perf2-stackit"
+}
--- a/examples/data-sources/stackitprivatepreview_sqlserverflexbeta_database/data-source.tf
+++ b/examples/data-sources/stackitprivatepreview_sqlserverflexbeta_database/data-source.tf
@ -0,0 +1,5 @@
+data "stackitprivatepreview_sqlserverflexbeta_database" "example" {
+  project_id    = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  instance_id   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  database_name = "dbname"
+}
--- a/examples/data-sources/stackitprivatepreview_sqlserverflexbeta_flavor/data-source.tf
+++ b/examples/data-sources/stackitprivatepreview_sqlserverflexbeta_flavor/data-source.tf
@ -0,0 +1,8 @@
+data "stackitprivatepreview_sqlserverflexbeta_flavor" "flavor" {
+  project_id    = var.project_id
+  region        = var.region
+  cpu           = 4
+  ram           = 16
+  node_type     = "Single"
+  storage_class = "premium-perf2-stackit"
+}
--- a/examples/data-sources/stackitprivatepreview_sqlserverflexbeta_instance/data-source.tf
+++ b/examples/data-sources/stackitprivatepreview_sqlserverflexbeta_instance/data-source.tf
@ -0,0 +1,4 @@
+data "stackitprivatepreview_sqlserverflexbeta_instance" "example" {
+  project_id  = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+}
--- a/examples/provider/provider.tf
+++ b/examples/provider/provider.tf
@ -2,14 +2,13 @@ provider "stackitprivatepreview" {
  default_region = "eu01"
 }

-# Authentication
-
-# Token flow (scheduled for deprecation and will be removed on December 17, 2025)
 provider "stackitprivatepreview" {
-  default_region        = "eu01"
-  service_account_token = var.service_account_token
+  default_region           = "eu01"
+  service_account_key_path = "service_account.json"
 }

+# Authentication
+
 # Key flow
 provider "stackitprivatepreview" {
  default_region      = "eu01"
@ -23,4 +22,3 @@ provider "stackitprivatepreview" {
  service_account_key_path = var.service_account_key_path
  private_key_path         = var.private_key_path
 }
-
--- a/examples/resources/stackitprivatepreview_postgresflexalpha_database/resource.tf
+++ b/examples/resources/stackitprivatepreview_postgresflexalpha_database/resource.tf
@ -9,4 +9,14 @@ resource "stackitprivatepreview_postgresflexalpha_database" "example" {
 import {
  to = stackitprivatepreview_postgresflexalpha_database.import-example
  id = "${var.project_id},${var.region},${var.postgres_instance_id},${var.postgres_database_id}"
-}
+}
+
+import {
+  to = stackitprivatepreview_postgresflexalpha_database.import-example
+  identity = {
+    project_id  = "project_id"
+    region      = "region"
+    instance_id = "instance_id"
+    database_id = "database_id"
+  }
+}
--- a/examples/resources/stackitprivatepreview_postgresflexalpha_instance/resource.tf
+++ b/examples/resources/stackitprivatepreview_postgresflexalpha_instance/resource.tf
@ -1,22 +1,39 @@
-resource "stackitprivatepreview_postgresflexalpha_instance" "example" {
+resource "stackitprivatepreview_postgresflexalpha_instance" "example-instance" {
  project_id      = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  name            = "example-instance"
  acl             = ["XXX.XXX.XXX.X/XX", "XX.XXX.XX.X/XX"]
-  backup_schedule = "00 00 * * *"
-  flavor = {
-    cpu = 2
-    ram = 4
-  }
-  replicas = 3
+  backup_schedule = "0 0 * * *"
+  retention_days  = 30
+  flavor_id       = "flavor.id"
+  replicas        = 1
  storage = {
-    class = "class"
-    size  = 5
+    performance_class = "premium-perf2-stackit"
+    size              = 10
  }
-  version = 14
+  encryption = {
+    kek_key_id      = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+    kek_key_ring_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+    kek_key_version = 1
+    service_account = "service@account.email"
+  }
+  network = {
+    acl          = ["XXX.XXX.XXX.X/XX", "XX.XXX.XX.X/XX"]
+    access_scope = "PUBLIC"
+  }
+  version = 17
 }

 # Only use the import statement, if you want to import an existing postgresflex instance
 import {
  to = stackitprivatepreview_postgresflexalpha_instance.import-example
  id = "${var.project_id},${var.region},${var.postgres_instance_id}"
-}
+}
+
+import {
+  to = stackitprivatepreview_postgresflexalpha_instance.import-example
+  identity = {
+    project_id  = var.project_id
+    region      = var.region
+    instance_id = var.postgres_instance_id
+  }
+}
--- a/examples/resources/stackitprivatepreview_postgresflexalpha_user/resource.tf
+++ b/examples/resources/stackitprivatepreview_postgresflexalpha_user/resource.tf
@ -1,7 +1,7 @@
 resource "stackitprivatepreview_postgresflexalpha_user" "example" {
  project_id  = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
-  username    = "username"
+  name        = "username"
  roles       = ["role"]
 }

@ -9,4 +9,14 @@ resource "stackitprivatepreview_postgresflexalpha_user" "example" {
 import {
  to = stackitprivatepreview_postgresflexalpha_user.import-example
  id = "${var.project_id},${var.region},${var.postgres_instance_id},${var.user_id}"
-}
+}
+
+import {
+  to = stackitprivatepreview_postgresflexalpha_user.import-example
+  identity = {
+    project_id  = "project.id"
+    region      = "region"
+    instance_id = "instance.id"
+    user_id     = "user.id"
+  }
+}
--- a/examples/resources/stackitprivatepreview_sqlserverflexalpha_database/resource.tf
+++ b/examples/resources/stackitprivatepreview_sqlserverflexalpha_database/resource.tf
@ -0,0 +1,24 @@
+resource "stackitprivatepreview_sqlserverflexalpha_database" "example" {
+  project_id    = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  instance_id   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  collation     = ""
+  compatibility = "160"
+  name          = ""
+  owner         = ""
+}
+
+# Only use the import statement, if you want to import a existing sqlserverflex database
+import {
+  to = stackitprivatepreview_sqlserverflexalpha_database.import-example
+  id = "${var.project_id},${var.region},${var.sql_instance_id},${var.sql_user_id}"
+}
+
+import {
+  to = stackitprivatepreview_sqlserverflexalpha_database.import-example
+  identity = {
+    project_id  = "project.id"
+    region      = "region"
+    instance_id = "instance.id"
+    database_id = "database.id"
+  }
+}
--- a/examples/resources/stackitprivatepreview_sqlserverflexbeta_database/resource.tf
+++ b/examples/resources/stackitprivatepreview_sqlserverflexbeta_database/resource.tf
@ -0,0 +1,12 @@
+resource "stackitprivatepreview_sqlserverflexalpha_user" "example" {
+  project_id  = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  username    = "username"
+  roles       = ["role"]
+}
+
+# Only use the import statement, if you want to import an existing sqlserverflex user
+import {
+  to = stackitprivatepreview_sqlserverflexalpha_user.import-example
+  id = "${var.project_id},${var.region},${var.sql_instance_id},${var.sql_user_id}"
+}
--- a/examples/resources/stackitprivatepreview_sqlserverflexbeta_instance/resource.tf
+++ b/examples/resources/stackitprivatepreview_sqlserverflexbeta_instance/resource.tf
@ -0,0 +1,76 @@
+# without encryption and SNA
+resource "stackitprivatepreview_sqlserverflexbeta_instance" "instance" {
+  project_id      = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  name            = "example-instance"
+  backup_schedule = "0 3 * * *"
+  retention_days  = 31
+  flavor_id       = "flavor_id"
+  storage = {
+    class = "premium-perf2-stackit"
+    size  = 50
+  }
+  version = 2022
+  network = {
+    acl          = ["XXX.XXX.XXX.X/XX", "XX.XXX.XX.X/XX"]
+    access_scope = "SNA"
+  }
+}
+
+# without encryption and PUBLIC
+resource "stackitprivatepreview_sqlserverflexbeta_instance" "instance" {
+  project_id      = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  name            = "example-instance"
+  backup_schedule = "0 3 * * *"
+  retention_days  = 31
+  flavor_id       = "flavor_id"
+  storage = {
+    class = "premium-perf2-stackit"
+    size  = 50
+  }
+  version = 2022
+  network = {
+    acl          = ["XXX.XXX.XXX.X/XX", "XX.XXX.XX.X/XX"]
+    access_scope = "PUBLIC"
+  }
+}
+
+# with encryption and SNA
+resource "stackitprivatepreview_sqlserverflexbeta_instance" "instance" {
+  project_id      = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  name            = "example-instance"
+  backup_schedule = "0 3 * * *"
+  retention_days  = 31
+  flavor_id       = "flavor_id"
+  storage = {
+    class = "premium-perf2-stackit"
+    size  = 50
+  }
+  version = 2022
+  encryption = {
+    kek_key_id      = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+    kek_key_ring_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+    kek_key_version = 1
+    service_account = "service_account@email"
+  }
+  network = {
+    acl          = ["XXX.XXX.XXX.X/XX", "XX.XXX.XX.X/XX"]
+    access_scope = "SNA"
+  }
+}
+
+
+# Only use the import statement, if you want to import an existing sqlserverflex instance
+import {
+  to = stackitprivatepreview_sqlserverflexalpha_instance.import-example
+  id = "${var.project_id},${var.region},${var.sql_instance_id}"
+}
+
+# import with identity
+import {
+  to = stackitprivatepreview_sqlserverflexalpha_instance.import-example
+  identity = {
+    project_id  = var.project_id
+    region      = var.region
+    instance_id = var.sql_instance_id
+  }
+}
--- a/examples/resources/stackitprivatepreview_sqlserverflexbeta_user/resource.tf
+++ b/examples/resources/stackitprivatepreview_sqlserverflexbeta_user/resource.tf
@ -0,0 +1,12 @@
+resource "stackitprivatepreview_sqlserverflexalpha_user" "example" {
+  project_id  = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  username    = "username"
+  roles       = ["role"]
+}
+
+# Only use the import statement, if you want to import an existing sqlserverflex user
+import {
+  to = stackitprivatepreview_sqlserverflexalpha_user.import-example
+  id = "${var.project_id},${var.region},${var.sql_instance_id},${var.sql_user_id}"
+}
--- a/generator/cmd/build/build.go
+++ b/generator/cmd/build/build.go
@ -0,0 +1,341 @@
+package build
+
+import (
+	"errors"
+	"fmt"
+	"go/ast"
+	"go/parser"
+	"go/token"
+	"log/slog"
+	"os"
+	"path"
+	"regexp"
+	"strings"
+
+	"tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/generator/cmd/tools"
+)
+
+type Builder struct {
+	rootDir      string
+	SkipClone    bool
+	SkipCleanup  bool
+	PackagesOnly bool
+	Verbose      bool
+	Debug        bool
+}
+
+func (b *Builder) Build() error {
+	slog.Info("Starting Builder")
+	if b.PackagesOnly {
+		slog.Info("  >>> only generating pkg_gen <<<")
+	}
+
+	rootErr := b.determineRoot()
+	if rootErr != nil {
+		return rootErr
+	}
+
+	if !b.PackagesOnly {
+		if b.Verbose {
+			slog.Info("  ... Checking needed commands available")
+		}
+		chkErr := checkCommands([]string{})
+		if chkErr != nil {
+			return chkErr
+		}
+	}
+
+	// if !b.SkipCleanup {
+	//	slog.Info("Cleaning up old packages directory")
+	//	err := os.RemoveAll(path.Join(b.rootDir, "pkg_gen"))
+	//	if err != nil {
+	//		return err
+	//	}
+	//}
+	//
+	// if !b.SkipCleanup && !b.PackagesOnly {
+	//	slog.Info("Cleaning up old packages directory")
+	//	err := os.RemoveAll(path.Join(b.rootDir, "pkg_gen"))
+	//	if err != nil {
+	//		return err
+	//	}
+	//}
+
+	// slog.Info("Creating generator dir", "dir", fmt.Sprintf("%s/%s", *root, GEN_REPO_NAME))
+	// genDir := path.Join(*root, GEN_REPO_NAME)
+	// if !b.SkipClone {
+	//	err = createGeneratorDir(GEN_REPO, genDir, b.SkipClone)
+	//	if err != nil {
+	//		return err
+	//	}
+	//}
+
+	oasHandlerErr := b.oasHandler(path.Join(b.rootDir, "service_specs"))
+	if oasHandlerErr != nil {
+		return oasHandlerErr
+	}
+
+	// if !b.PackagesOnly {
+	//	slog.Info("Generating service boilerplate")
+	//	err = generateServiceFiles(*root, path.Join(*root, GEN_REPO_NAME))
+	//	if err != nil {
+	//		return err
+	//	}
+	//
+	//	slog.Info("Copying all service files")
+	//	err = CopyDirectory(
+	//		path.Join(*root, "generated", "internal", "services"),
+	//		path.Join(*root, "stackit", "internal", "services"),
+	//	)
+	//	if err != nil {
+	//		return err
+	//	}
+	//
+	//	err = createBoilerplate(*root, path.Join(*root, "stackit", "internal", "services"))
+	//	if err != nil {
+	//		return err
+	//	}
+	//}
+
+	// workaround to remove linter complain :D
+	if b.PackagesOnly && b.Verbose && b.SkipClone && b.SkipCleanup {
+		bpErr := createBoilerplate(b.rootDir, "boilerplate")
+		if bpErr != nil {
+			return bpErr
+		}
+	}
+
+	slog.Info("Done")
+	return nil
+}
+
+type templateData struct {
+	PackageName       string
+	PackageNameCamel  string
+	PackageNamePascal string
+	NameCamel         string
+	NamePascal        string
+	NameSnake         string
+	Fields            []string
+}
+
+func createBoilerplate(rootFolder, folder string) error {
+	services, err := os.ReadDir(folder)
+	if err != nil {
+		return err
+	}
+	for _, svc := range services {
+		if !svc.IsDir() {
+			continue
+		}
+		resources, err := os.ReadDir(path.Join(folder, svc.Name()))
+		if err != nil {
+			return err
+		}
+
+		var handleDS bool
+		var handleRes bool
+		var foundDS bool
+		var foundRes bool
+
+		for _, res := range resources {
+			if !res.IsDir() {
+				continue
+			}
+
+			resourceName := res.Name()
+
+			dsFile := path.Join(
+				folder,
+				svc.Name(),
+				res.Name(),
+				"datasources_gen",
+				fmt.Sprintf("%s_data_source_gen.go", res.Name()),
+			)
+			handleDS = FileExists(dsFile)
+
+			resFile := path.Join(
+				folder,
+				svc.Name(),
+				res.Name(),
+				"resources_gen",
+				fmt.Sprintf("%s_resource_gen.go", res.Name()),
+			)
+			handleRes = FileExists(resFile)
+
+			dsGoFile := path.Join(folder, svc.Name(), res.Name(), "datasource.go")
+			foundDS = FileExists(dsGoFile)
+
+			resGoFile := path.Join(folder, svc.Name(), res.Name(), "resource.go")
+			foundRes = FileExists(resGoFile)
+
+			if handleDS && !foundDS {
+				slog.Info("  creating missing datasource.go", "service", svc.Name(), "resource", resourceName)
+				if !ValidateSnakeCase(resourceName) {
+					return errors.New("resource name is invalid")
+				}
+
+				fields, tokenErr := getTokens(dsFile)
+				if tokenErr != nil {
+					return fmt.Errorf("error reading tokens: %w", tokenErr)
+				}
+
+				tplName := "data_source_scaffold.gotmpl"
+				err = writeTemplateToFile(
+					tplName,
+					path.Join(rootFolder, "cmd", "cmd", "build", "templates", tplName),
+					dsGoFile,
+					&templateData{
+						PackageName:       svc.Name(),
+						PackageNameCamel:  ToCamelCase(svc.Name()),
+						PackageNamePascal: ToPascalCase(svc.Name()),
+						NameCamel:         ToCamelCase(resourceName),
+						NamePascal:        ToPascalCase(resourceName),
+						NameSnake:         resourceName,
+						Fields:            fields,
+					},
+				)
+				if err != nil {
+					panic(err)
+				}
+			}
+
+			if handleRes && !foundRes {
+				slog.Info("  creating missing resource.go", "service", svc.Name(), "resource", resourceName)
+				if !ValidateSnakeCase(resourceName) {
+					return errors.New("resource name is invalid")
+				}
+
+				fields, tokenErr := getTokens(resFile)
+				if tokenErr != nil {
+					return fmt.Errorf("error reading tokens: %w", tokenErr)
+				}
+
+				tplName := "resource_scaffold.gotmpl"
+				err = writeTemplateToFile(
+					tplName,
+					path.Join(rootFolder, "cmd", "cmd", "build", "templates", tplName),
+					resGoFile,
+					&templateData{
+						PackageName:       svc.Name(),
+						PackageNameCamel:  ToCamelCase(svc.Name()),
+						PackageNamePascal: ToPascalCase(svc.Name()),
+						NameCamel:         ToCamelCase(resourceName),
+						NamePascal:        ToPascalCase(resourceName),
+						NameSnake:         resourceName,
+						Fields:            fields,
+					},
+				)
+				if err != nil {
+					return err
+				}
+
+				if !FileExists(path.Join(folder, svc.Name(), res.Name(), "functions.go")) {
+					slog.Info("  creating missing functions.go", "service", svc.Name(), "resource", resourceName)
+					if !ValidateSnakeCase(resourceName) {
+						return errors.New("resource name is invalid")
+					}
+					fncTplName := "functions_scaffold.gotmpl"
+					err = writeTemplateToFile(
+						fncTplName,
+						path.Join(rootFolder, "cmd", "cmd", "build", "templates", fncTplName),
+						path.Join(folder, svc.Name(), res.Name(), "functions.go"),
+						&templateData{
+							PackageName:       svc.Name(),
+							PackageNameCamel:  ToCamelCase(svc.Name()),
+							PackageNamePascal: ToPascalCase(svc.Name()),
+							NameCamel:         ToCamelCase(resourceName),
+							NamePascal:        ToPascalCase(resourceName),
+							NameSnake:         resourceName,
+						},
+					)
+					if err != nil {
+						return err
+					}
+				}
+			}
+		}
+	}
+	return nil
+}
+
+func handleLine(line string) (string, error) {
+	schemaRegex := regexp.MustCompile(`(\s+")(id)(": schema.[a-zA-Z0-9]+Attribute{)`)
+
+	schemaMatches := schemaRegex.FindAllStringSubmatch(line, -1)
+	if schemaMatches != nil {
+		return fmt.Sprintf("%stf_original_api_id%s", schemaMatches[0][1], schemaMatches[0][3]), nil
+	}
+
+	modelRegex := regexp.MustCompile(`(\s+Id\s+types.[a-zA-Z0-9]+\s+.tfsdk:")(id)(".)`)
+	modelMatches := modelRegex.FindAllStringSubmatch(line, -1)
+	if modelMatches != nil {
+		return fmt.Sprintf("%stf_original_api_id%s", modelMatches[0][1], modelMatches[0][3]), nil
+	}
+
+	return line, nil
+}
+
+func (b *Builder) determineRoot() error {
+	root, err := tools.GetGitRoot()
+	if err != nil {
+		return err
+	}
+	b.rootDir = root
+	if b.Verbose {
+		slog.Info("  ... using root", "dir", b.rootDir)
+	}
+	return nil
+}
+
+// func createGeneratorDir(repoUrl, targetDir string, skipClone bool) error {
+//	if !skipClone {
+//		if FileExists(targetDir) {
+//			remErr := os.RemoveAll(targetDir)
+//			if remErr != nil {
+//				return remErr
+//			}
+//		}
+//		_, cloneErr := git.Clone(
+//			clone.Repository(repoUrl),
+//			clone.Directory(targetDir),
+//		)
+//		if cloneErr != nil {
+//			return cloneErr
+//		}
+//	}
+//	return nil
+//}
+
+func getTokens(fileName string) ([]string, error) {
+	fset := token.NewFileSet()
+
+	var result []string
+
+	node, err := parser.ParseFile(fset, fileName, nil, parser.ParseComments)
+	if err != nil {
+		return nil, err
+	}
+
+	ast.Inspect(
+		node, func(n ast.Node) bool {
+			// Suche nach Typ-Deklarationen (structs)
+			ts, ok := n.(*ast.TypeSpec)
+			if ok {
+				if strings.Contains(ts.Name.Name, "Model") {
+					ast.Inspect(
+						ts, func(sn ast.Node) bool {
+							tts, tok := sn.(*ast.Field)
+							if tok {
+								result = append(result, tts.Names[0].String())
+							}
+							return true
+						},
+					)
+				}
+			}
+			return true
+		},
+	)
+	return result, nil
+}
--- a/generator/cmd/build/copy.go
+++ b/generator/cmd/build/copy.go
@ -3,6 +3,7 @@ package build
 import (
 	"fmt"
 	"io"
+	"log/slog"
 	"os"
 	"path/filepath"
 	"syscall"
@ -74,14 +75,24 @@ func Copy(srcFile, dstFile string) error {
 		return err
 	}

-	defer out.Close()
+	defer func(out *os.File) {
+		err := out.Close()
+		if err != nil {
+			slog.Error("failed to close file", slog.Any("err", err))
+		}
+	}(out)

 	in, err := os.Open(srcFile)
 	if err != nil {
 		return err
 	}

-	defer in.Close()
+	defer func(in *os.File) {
+		err := in.Close()
+		if err != nil {
+			slog.Error("error closing destination file", slog.Any("err", err))
+		}
+	}(in)

 	_, err = io.Copy(out, in)
 	if err != nil {
--- a/generator/cmd/build/formats.go
+++ b/generator/cmd/build/formats.go
--- a/generator/cmd/build/functions.go
+++ b/generator/cmd/build/functions.go
@ -0,0 +1,120 @@
+package build
+
+import (
+	"fmt"
+	"log/slog"
+	"os"
+	"os/exec"
+	"strings"
+	"text/template"
+)
+
+func FileExists(pathValue string) bool {
+	_, err := os.Stat(pathValue)
+	if os.IsNotExist(err) {
+		return false
+	}
+	if err != nil {
+		panic(err)
+	}
+	return true
+}
+
+func ucfirst(s string) string {
+	if s == "" {
+		return ""
+	}
+	return strings.ToUpper(s[:1]) + s[1:]
+}
+
+func writeTemplateToFile(tplName, tplFile, outFile string, data *templateData) error {
+	fn := template.FuncMap{
+		"ucfirst": ucfirst,
+	}
+
+	tmpl, err := template.New(tplName).Funcs(fn).ParseFiles(tplFile)
+	if err != nil {
+		return err
+	}
+
+	var f *os.File
+	f, err = os.Create(outFile)
+	if err != nil {
+		return err
+	}
+
+	err = tmpl.Execute(f, *data)
+	if err != nil {
+		return err
+	}
+
+	err = f.Close()
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+/* saved for later
+func deleteFiles(fNames ...string) error {
+	for _, fName := range fNames {
+		if _, err := os.Stat(fName); !os.IsNotExist(err) {
+			err = os.Remove(fName)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func copyFile(src, dst string) (int64, error) {
+	sourceFileStat, err := os.Stat(src)
+	if err != nil {
+		return 0, err
+	}
+
+	if !sourceFileStat.Mode().IsRegular() {
+		return 0, fmt.Errorf("%s is not a regular file", src)
+	}
+
+	source, err := os.Open(src)
+	if err != nil {
+		return 0, err
+	}
+	defer func(source *os.File) {
+		err := source.Close()
+		if err != nil {
+			slog.Error("copyFile", "err", err)
+		}
+	}(source)
+
+	destination, err := os.Create(dst)
+	if err != nil {
+		return 0, err
+	}
+	defer func(destination *os.File) {
+		err := destination.Close()
+		if err != nil {
+			slog.Error("copyFile", "err", err)
+		}
+	}(destination)
+	nBytes, err := io.Copy(destination, source)
+	return nBytes, err
+}
+*/
+
+func checkCommands(commands []string) error {
+	for _, commandName := range commands {
+		if !commandExists(commandName) {
+			return fmt.Errorf("missing command %s", commandName)
+		}
+		slog.Info("        found", "command", commandName)
+	}
+	return nil
+}
+
+func commandExists(cmd string) bool {
+	_, err := exec.LookPath(cmd)
+	return err == nil
+}
--- a/generator/cmd/build/oas-handler.go
+++ b/generator/cmd/build/oas-handler.go
@ -0,0 +1,446 @@
+package build
+
+import (
+	"bufio"
+	"bytes"
+	"errors"
+	"fmt"
+	"log"
+	"log/slog"
+	"os"
+	"os/exec"
+	"path"
+	"regexp"
+	"strings"
+
+	"gopkg.in/yaml.v3"
+
+	"github.com/ldez/go-git-cmd-wrapper/v2/clone"
+	"github.com/ldez/go-git-cmd-wrapper/v2/git"
+)
+
+const (
+	OasRepoName = "stackit-api-specifications"
+	OasRepo     = "https://github.com/stackitcloud/stackit-api-specifications.git"
+
+	ResTypeResource   = "resources"
+	ResTypeDataSource = "datasources"
+)
+
+type Data struct {
+	ServiceName string    `yaml:",omitempty" json:",omitempty"`
+	Versions    []Version `yaml:"versions" json:"versions"`
+}
+
+type Version struct {
+	Name string `yaml:"name" json:"name"`
+	Path string `yaml:"path" json:"path"`
+}
+
+var oasTempDir string
+
+func (b *Builder) oasHandler(specDir string) error {
+	if b.Verbose {
+		slog.Info("creating schema files", "dir", specDir)
+	}
+	if _, err := os.Stat(specDir); os.IsNotExist(err) {
+		return fmt.Errorf("spec files directory does not exist")
+	}
+
+	err := b.createRepoDir(b.SkipClone)
+	if err != nil {
+		return fmt.Errorf("%s", err.Error())
+	}
+
+	err2 := b.handleServices(specDir)
+	if err2 != nil {
+		return err2
+	}
+
+	if !b.SkipCleanup {
+		if b.Verbose {
+			slog.Info("Finally removing temporary files and directories")
+		}
+		err := os.RemoveAll(path.Join(b.rootDir, "generated"))
+		if err != nil {
+			slog.Error("RemoveAll", "dir", path.Join(b.rootDir, "generated"), "err", err)
+			return err
+		}
+
+		err = os.RemoveAll(oasTempDir)
+		if err != nil {
+			slog.Error("RemoveAll", "dir", oasTempDir, "err", err)
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (b *Builder) handleServices(specDir string) error {
+	services, err := os.ReadDir(specDir)
+	if err != nil {
+		return err
+	}
+
+	for _, svc := range services {
+		if !svc.IsDir() {
+			continue
+		}
+
+		if b.Verbose {
+			slog.Info("  ... found", "service", svc.Name())
+		}
+		var svcVersions Data
+		svcVersions.ServiceName = svc.Name()
+
+		versionsErr := b.getServiceVersions(path.Join(specDir, svc.Name(), "generator_settings.yml"), &svcVersions)
+		if versionsErr != nil {
+			return versionsErr
+		}
+
+		oasSpecErr := b.generateServiceFiles(&svcVersions)
+		if oasSpecErr != nil {
+			return oasSpecErr
+		}
+	}
+	return nil
+}
+
+func (b *Builder) getServiceVersions(confFile string, data *Data) error {
+	if _, cfgFileErr := os.Stat(confFile); os.IsNotExist(cfgFileErr) {
+		return fmt.Errorf("config file does not exist")
+	}
+
+	fileContent, fileErr := os.ReadFile(confFile)
+	if fileErr != nil {
+		return fileErr
+	}
+	convErr := yaml.Unmarshal(fileContent, &data)
+	if convErr != nil {
+		return convErr
+	}
+
+	return nil
+}
+
+func (b *Builder) createRepoDir(skipClone bool) error {
+	tmpDirName, err := os.MkdirTemp("", "oasbuild")
+	if err != nil {
+		return err
+	}
+	oasTempDir = path.Join(tmpDirName, OasRepoName)
+	slog.Info("Creating oas repo dir", "dir", oasTempDir)
+	if !skipClone {
+		if FileExists(oasTempDir) {
+			slog.Warn("target dir exists - skipping", "targetDir", oasTempDir)
+			return nil
+		}
+		out, cloneErr := git.Clone(
+			clone.Repository(OasRepo),
+			clone.Directory(oasTempDir),
+		)
+		if cloneErr != nil {
+			slog.Error("git clone error", "output", out)
+			return cloneErr
+		}
+		if b.Verbose {
+			slog.Info("git clone result", "output", out)
+		}
+	}
+	return nil
+}
+
+func (b *Builder) generateServiceFiles(data *Data) error {
+	err := os.MkdirAll(path.Join(b.rootDir, "generated", "specs"), 0o750)
+	if err != nil {
+		return err
+	}
+
+	for _, v := range data.Versions {
+		specFiles, specsErr := os.ReadDir(path.Join(b.rootDir, "service_specs", data.ServiceName, v.Name))
+		if specsErr != nil {
+			return specsErr
+		}
+		for _, specFile := range specFiles {
+			if specFile.IsDir() {
+				continue
+			}
+			r := regexp.MustCompile(`^(.*)_config.yml$`)
+			matches := r.FindAllStringSubmatch(specFile.Name(), -1)
+			if matches == nil {
+				slog.Warn("    skipping file (no regex match)", "file", specFile.Name())
+				continue
+			}
+
+			srcSpecFile := path.Join(b.rootDir, "service_specs", data.ServiceName, v.Name, specFile.Name())
+
+			if matches[0][0] != specFile.Name() {
+				return fmt.Errorf("matched filename differs from original filename - this should not happen")
+			}
+			resource := matches[0][1]
+			if b.Verbose {
+				slog.Info(
+					"    found service spec",
+					"service",
+					data.ServiceName,
+					"resource",
+					resource,
+					"file",
+					specFile.Name(),
+				)
+			}
+
+			oasFile := path.Join(
+				oasTempDir,
+				"services",
+				data.ServiceName,
+				v.Path,
+				fmt.Sprintf("%s.json", data.ServiceName),
+			)
+			if _, oasErr := os.Stat(oasFile); os.IsNotExist(oasErr) {
+				slog.Warn(
+					"        could not find matching oas",
+					"svc",
+					data.ServiceName,
+					"version",
+					v.Name,
+				)
+				continue
+			}
+
+			// determine correct target service name
+			scName := fmt.Sprintf("%s%s", data.ServiceName, v.Name)
+			scName = strings.ReplaceAll(scName, "-", "")
+
+			specJSONFile := path.Join(
+				b.rootDir,
+				"generated",
+				"specs",
+				fmt.Sprintf("%s_%s_spec.json", scName, resource),
+			)
+
+			cmdErr := b.runTerraformPluginGenOpenAPI(srcSpecFile, specJSONFile, oasFile)
+			if cmdErr != nil {
+				return cmdErr
+			}
+
+			cmdResGenErr := b.runTerraformPluginGenFramework(ResTypeResource, scName, resource, specJSONFile)
+			if cmdResGenErr != nil {
+				return cmdResGenErr
+			}
+
+			cmdDsGenErr := b.runTerraformPluginGenFramework(ResTypeDataSource, scName, resource, specJSONFile)
+			if cmdDsGenErr != nil {
+				return cmdDsGenErr
+			}
+		}
+	}
+
+	return nil
+}
+
+func (b *Builder) runTerraformPluginGenFramework(resType, svcName, resource, specJSONFile string) error {
+	var stdOut, stdErr bytes.Buffer
+	tgtFolder := path.Join(
+		b.rootDir,
+		"stackit",
+		"internal",
+		"services",
+		svcName,
+		resource,
+		fmt.Sprintf("%s_gen", resType),
+	)
+
+	//nolint:gosec // this file is not sensitive, so we can use 0755
+	err := os.MkdirAll(tgtFolder, 0o755)
+	if err != nil {
+		return err
+	}
+
+	var subCmd string
+	switch resType {
+	case ResTypeResource:
+		subCmd = "resources"
+	case ResTypeDataSource:
+		subCmd = "data-sources"
+	default:
+		return fmt.Errorf("unknown resource type given: %s", resType)
+	}
+
+	// nolint:gosec // #nosec this command is not using any untrusted input, so we can ignore gosec warning
+	cmd := exec.Command(
+		"tfplugingen-framework",
+		"generate",
+		subCmd,
+		"--input",
+		specJSONFile,
+		"--output",
+		tgtFolder,
+		"--package",
+		svcName,
+	)
+
+	cmd.Stdout = &stdOut
+	cmd.Stderr = &stdErr
+	if err = cmd.Start(); err != nil {
+		slog.Error(fmt.Sprintf("tfplugingen-framework generate %s", resType), "error", err)
+		return err
+	}
+
+	if err = cmd.Wait(); err != nil {
+		var exitErr *exec.ExitError
+		if errors.As(err, &exitErr) {
+			slog.Error(
+				fmt.Sprintf("tfplugingen-framework generate %s", resType),
+				"code",
+				exitErr.ExitCode(),
+				"error",
+				err,
+				"stdout",
+				stdOut.String(),
+				"stderr",
+				stdErr.String(),
+			)
+			return fmt.Errorf("%s", stdErr.String())
+		}
+		if err != nil {
+			slog.Error(
+				fmt.Sprintf("tfplugingen-framework generate %s", resType),
+				"err",
+				err,
+				"stdout",
+				stdOut.String(),
+				"stderr",
+				stdErr.String(),
+			)
+			return err
+		}
+	}
+
+	if resType == ResTypeDataSource {
+		tfAnoErr := b.handleTfTagForDatasourceFile(
+			path.Join(tgtFolder, fmt.Sprintf("%s_data_source_gen.go", resource)),
+			svcName,
+			resource,
+		)
+		if tfAnoErr != nil {
+			return tfAnoErr
+		}
+	}
+
+	return nil
+}
+
+func (b *Builder) runTerraformPluginGenOpenAPI(srcSpecFile, specJSONFile, oasFile string) error {
+	var stdOut, stdErr bytes.Buffer
+
+	// nolint:gosec // #nosec this command is not using any untrusted input, so we can ignore gosec warning
+	cmd := exec.Command(
+		"tfplugingen-openapi",
+		"generate",
+		"--config",
+		srcSpecFile,
+		"--output",
+		specJSONFile,
+		oasFile,
+	)
+	cmd.Stdout = &stdOut
+	cmd.Stderr = &stdErr
+
+	if err := cmd.Start(); err != nil {
+		slog.Error(
+			"tfplugingen-openapi generate",
+			"error",
+			err,
+			"stdOut",
+			stdOut.String(),
+			"stdErr",
+			stdErr.String(),
+		)
+		return err
+	}
+
+	if err := cmd.Wait(); err != nil {
+		var exitErr *exec.ExitError
+		if errors.As(err, &exitErr) {
+			slog.Error(
+				"tfplugingen-openapi generate",
+				"code",
+				exitErr.ExitCode(),
+				"error",
+				err,
+				"stdout",
+				stdOut.String(),
+				"stderr",
+				stdErr.String(),
+			)
+			return fmt.Errorf("%s", stdErr.String())
+		}
+		if err != nil {
+			slog.Error(
+				"tfplugingen-openapi generate",
+				"err",
+				err,
+				"stdout",
+				stdOut.String(),
+				"stderr",
+				stdErr.String(),
+			)
+			return err
+		}
+	}
+	if stdOut.Len() > 0 {
+		slog.Warn("    command output", "stdout", stdOut.String(), "stderr", stdErr.String())
+	}
+
+	return nil
+}
+
+// handleTfTagForDatasourceFile replaces existing "id" with "stf_original_api_id"
+func (b *Builder) handleTfTagForDatasourceFile(filePath, service, resource string) error {
+	if b.Verbose {
+		slog.Info("   handle terraform tag for datasource", "service", service, "resource", resource)
+	}
+	if !FileExists(filePath) {
+		slog.Warn("        could not find file, skipping", "path", filePath)
+		return nil
+	}
+	f, err := os.Open(filePath)
+	if err != nil {
+		return err
+	}
+
+	tmp, err := os.CreateTemp(b.rootDir, "replace-*")
+	if err != nil {
+		return err
+	}
+
+	sc := bufio.NewScanner(f)
+	for sc.Scan() {
+		resLine, err := handleLine(sc.Text())
+		if err != nil {
+			return err
+		}
+		if _, err := tmp.WriteString(resLine + "\n"); err != nil {
+			return err
+		}
+	}
+	if scErr := sc.Err(); scErr != nil {
+		return scErr
+	}
+
+	if err := tmp.Close(); err != nil {
+		return err
+	}
+
+	if err := f.Close(); err != nil {
+		return err
+	}
+
+	//nolint:gosec // path traversal is not a concern here
+	if err := os.Rename(tmp.Name(), filePath); err != nil {
+		log.Fatal(err)
+	}
+	return nil
+}
--- a/generator/cmd/build/templates/data_source_scaffold.gotmpl
+++ b/generator/cmd/build/templates/data_source_scaffold.gotmpl
@ -0,0 +1,148 @@
+package {{.PackageName}}
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+
+	"github.com/hashicorp/terraform-plugin-framework/datasource"
+	"github.com/hashicorp/terraform-plugin-framework/datasource/schema"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+	"github.com/hashicorp/terraform-plugin-log/tflog"
+	"github.com/stackitcloud/stackit-sdk-go/core/config"
+	"tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/stackit/internal/conversion"
+	"tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/stackit/internal/core"
+	"tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/stackit/internal/utils"
+
+    {{.PackageName}}Pkg "tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/pkg_gen/{{.PackageName}}"
+
+    {{.PackageName}}Gen "tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/stackit/internal/services/{{.PackageName}}/{{.NameSnake}}/datasources_gen"
+)
+
+var _ datasource.DataSource = (*{{.NameCamel}}DataSource)(nil)
+
+const errorPrefix = "[{{.PackageNamePascal}} - {{.NamePascal}}]"
+
+func New{{.NamePascal}}DataSource() datasource.DataSource {
+	return &{{.NameCamel}}DataSource{}
+}
+
+type dsModel struct {
+	{{.PackageName}}Gen.{{.NamePascal}}Model
+	TfId types.String `tfsdk:"id"`
+}
+
+type {{.NameCamel}}DataSource struct{
+	client       *{{.PackageName}}Pkg.APIClient
+	providerData core.ProviderData
+}
+
+func (d *{{.NameCamel}}DataSource) Metadata(_ context.Context, req datasource.MetadataRequest, resp *datasource.MetadataResponse) {
+	resp.TypeName = req.ProviderTypeName + "_{{.PackageName}}_{{.NameSnake}}"
+}
+
+func (d *{{.NameCamel}}DataSource) Schema(ctx context.Context, _ datasource.SchemaRequest, resp *datasource.SchemaResponse) {
+	resp.Schema = {{.PackageName}}Gen.{{.NamePascal}}DataSourceSchema(ctx)
+    resp.Schema.Attributes["id"] = schema.StringAttribute{
+        Computed:            true,
+        Description:         "The terraform internal identifier.",
+        MarkdownDescription: "The terraform internal identifier.",
+    }
+}
+
+// Configure adds the provider configured client to the data source.
+func (d *{{.NameCamel}}DataSource) Configure(
+	ctx context.Context,
+	req datasource.ConfigureRequest,
+	resp *datasource.ConfigureResponse,
+) {
+	var ok bool
+	d.providerData, ok = conversion.ParseProviderData(ctx, req.ProviderData, &resp.Diagnostics)
+	if !ok {
+		return
+	}
+
+	apiClientConfigOptions := []config.ConfigurationOption{
+		config.WithCustomAuth(d.providerData.RoundTripper),
+		utils.UserAgentConfigOption(d.providerData.Version),
+	}
+	if d.providerData.{{.PackageNamePascal}}CustomEndpoint != "" {
+		apiClientConfigOptions = append(
+			apiClientConfigOptions,
+			config.WithEndpoint(d.providerData.{{.PackageNamePascal}}CustomEndpoint),
+		)
+	} else {
+		apiClientConfigOptions = append(
+			apiClientConfigOptions,
+			config.WithRegion(d.providerData.GetRegion()),
+		)
+	}
+	apiClient, err := {{.PackageName}}Pkg.NewAPIClient(apiClientConfigOptions...)
+	if err != nil {
+		resp.Diagnostics.AddError(
+			"Error configuring API client",
+			fmt.Sprintf(
+				"Configuring client: %v. This is an error related to the provider configuration, not to the resource configuration",
+				err,
+			),
+		)
+		return
+	}
+	d.client = apiClient
+	tflog.Info(ctx, fmt.Sprintf("%s client configured", errorPrefix))
+}
+
+func (d *{{.NameCamel}}DataSource) Read(ctx context.Context, req datasource.ReadRequest, resp *datasource.ReadResponse) {
+	var data dsModel
+
+	// Read Terraform configuration data into the model
+	resp.Diagnostics.Append(req.Config.Get(ctx, &data)...)
+
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	ctx = core.InitProviderContext(ctx)
+
+	projectId := data.ProjectId.ValueString()
+	region := d.providerData.GetRegionWithOverride(data.Region)
+	{{.NameCamel}}Id := data.{{.NamePascal}}Id.ValueString()
+
+	ctx = tflog.SetField(ctx, "project_id", projectId)
+	ctx = tflog.SetField(ctx, "region", region)
+
+	// TODO: implement needed fields
+	ctx = tflog.SetField(ctx, "{{.NameCamel}}_id", {{.NameCamel}}Id)
+
+    // TODO: refactor to correct implementation
+	{{.NameCamel}}Resp, err := d.client.Get{{.NamePascal}}Request(ctx, projectId, region, {{.NameCamel}}Id).Execute()
+	if err != nil {
+		utils.LogError(
+			ctx,
+			&resp.Diagnostics,
+			err,
+			"Reading {{.NameCamel}}",
+			fmt.Sprintf("{{.NameCamel}} with ID %q does not exist in project %q.", {{.NameCamel}}Id, projectId),
+			map[int]string{
+				http.StatusForbidden: fmt.Sprintf("Project with ID %q not found or forbidden access", projectId),
+			},
+		)
+		resp.State.RemoveResource(ctx)
+		return
+	}
+
+	ctx = core.LogResponse(ctx)
+
+
+	data.TfId = utils.BuildInternalTerraformId(projectId, region, ..)
+
+	// TODO: fill remaining fields
+{{- range .Fields }}
+    // data.{{.}} = types.Sometype(apiResponse.Get{{.}}())
+{{- end -}}
+
+	// Save data into Terraform state
+	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
+
+	tflog.Info(ctx, fmt.Sprintf("%s read successful", errorPrefix))
+}
--- a/generator/cmd/build/templates/functions_scaffold.gotmpl
+++ b/generator/cmd/build/templates/functions_scaffold.gotmpl
@ -0,0 +1,98 @@
+package {{.PackageName}}
+
+import (
+	"context"
+	"fmt"
+	"math"
+
+	"github.com/hashicorp/terraform-plugin-framework/attr"
+	"github.com/hashicorp/terraform-plugin-framework/diag"
+	"github.com/hashicorp/terraform-plugin-framework/resource"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+	"tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/stackit/internal/conversion"
+
+	{{.PackageName}} "tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/pkg_gen/{{.PackageName}}"
+	{{.PackageName}}ResGen "tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/stackit/internal/services/{{.PackageName}}/instance/resources_gen"
+)
+
+func mapResponseToModel(
+	ctx context.Context,
+	resp *{{.PackageName}}.Get{{.NamePascal}}Response,
+	m *{{.PackageName}}ResGen.{{.NamePascal}}Model,
+	tfDiags diag.Diagnostics,
+) error {
+    // TODO: complete and refactor
+	m.Id = types.StringValue(resp.GetId())
+
+    /*
+	sampleList, diags := types.ListValueFrom(ctx, types.StringType, resp.GetList())
+	tfDiags.Append(diags...)
+	if diags.HasError() {
+		return fmt.Errorf(
+			"error converting list response value",
+		)
+	}
+	sample, diags := {{.PackageName}}ResGen.NewSampleValue(
+		{{.PackageName}}ResGen.SampleValue{}.AttributeTypes(ctx),
+		map[string]attr.Value{
+			"field":     types.StringValue(string(resp.GetField())),
+		},
+	)
+	tfDiags.Append(diags...)
+	if diags.HasError() {
+		return fmt.Errorf(
+			"error converting sample response value",
+			"sample",
+			types.StringValue(string(resp.GetField())),
+		)
+	}
+	m.Sample = sample
+	*/
+	return nil
+}
+
+func handleEncryption(
+	m *{{.PackageName}}ResGen.{{.NamePascal}}Model,
+	resp *{{.PackageName}}.Get{{.NamePascal}}Response,
+) {{.PackageName}}ResGen.EncryptionValue {
+	if !resp.HasEncryption() ||
+		resp.Encryption == nil ||
+		resp.Encryption.KekKeyId == nil ||
+		resp.Encryption.KekKeyRingId == nil ||
+		resp.Encryption.KekKeyVersion == nil ||
+		resp.Encryption.ServiceAccount == nil {
+
+		if m.Encryption.IsNull() || m.Encryption.IsUnknown() {
+			return {{.PackageName}}ResGen.NewEncryptionValueNull()
+		}
+		return m.Encryption
+	}
+
+	enc := {{.PackageName}}ResGen.NewEncryptionValueNull()
+	if kVal, ok := resp.Encryption.GetKekKeyIdOk(); ok {
+		enc.KekKeyId = types.StringValue(kVal)
+	}
+	if kkVal, ok := resp.Encryption.GetKekKeyRingIdOk(); ok {
+		enc.KekKeyRingId = types.StringValue(kkVal)
+	}
+	if kkvVal, ok := resp.Encryption.GetKekKeyVersionOk(); ok {
+		enc.KekKeyVersion = types.StringValue(kkvVal)
+	}
+	if sa, ok := resp.Encryption.GetServiceAccountOk(); ok {
+		enc.ServiceAccount = types.StringValue(sa)
+	}
+	return enc
+}
+
+func toCreatePayload(
+	ctx context.Context,
+	model *{{.PackageName}}ResGen.{{.NamePascal}}Model,
+) (*{{.PackageName}}.Create{{.NamePascal}}RequestPayload, error) {
+	if model == nil {
+		return nil, fmt.Errorf("nil model")
+	}
+
+	return &{{.PackageName}}.Create{{.NamePascal}}RequestPayload{
+	    // TODO: fill fields
+	}, nil
+}
--- a/generator/cmd/build/templates/provider_scaffold.gotmpl
+++ b/generator/cmd/build/templates/provider_scaffold.gotmpl
--- a/generator/cmd/build/templates/resource_scaffold.gotmpl
+++ b/generator/cmd/build/templates/resource_scaffold.gotmpl
@ -0,0 +1,429 @@
+package {{.PackageName}}
+
+import (
+	"context"
+	_ "embed"
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/terraform-plugin-framework/path"
+	"github.com/hashicorp/terraform-plugin-framework/resource"
+	"github.com/hashicorp/terraform-plugin-framework/resource/identityschema"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+	"github.com/hashicorp/terraform-plugin-log/tflog"
+	"github.com/stackitcloud/stackit-sdk-go/core/config"
+	"tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/stackit/internal/conversion"
+
+	"tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/pkg_gen/{{.PackageName}}"
+
+	"tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/stackit/internal/core"
+	"tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/stackit/internal/utils"
+
+	{{.PackageName}}ResGen "tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/stackit/internal/services/{{.PackageName}}/{{.NameSnake}}/resources_gen"
+)
+
+var (
+	_ resource.Resource                = &{{.NameCamel}}Resource{}
+	_ resource.ResourceWithConfigure   = &{{.NameCamel}}Resource{}
+	_ resource.ResourceWithImportState = &{{.NameCamel}}Resource{}
+	_ resource.ResourceWithModifyPlan  = &{{.NameCamel}}Resource{}
+	_ resource.ResourceWithIdentity    = &{{.NameCamel}}Resource{}
+)
+
+func New{{.NamePascal}}Resource() resource.Resource {
+	return &{{.NameCamel}}Resource{}
+}
+
+type {{.NameCamel}}Resource struct{
+	client       *{{.PackageName}}.APIClient
+	providerData core.ProviderData
+}
+
+// resourceModel represents the Terraform resource state
+type resourceModel = {{.PackageName}}.{{.NamePascal}}Model
+
+type {{.NamePascal}}ResourceIdentityModel struct {
+	ProjectID  types.String `tfsdk:"project_id"`
+	Region     types.String `tfsdk:"region"`
+	// TODO: implement further needed parts
+	{{.NamePascal}}ID types.String `tfsdk:"{{.NameSnake}}_id"`
+}
+
+// Metadata defines terraform resource name
+func (r *{{.NameCamel}}Resource) Metadata(ctx context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) {
+	resp.TypeName = req.ProviderTypeName + "_{{.PackageName}}_{{.NameSnake}}"
+}
+
+//go:embed planModifiers.yaml
+var modifiersFileByte []byte
+
+// Schema loads the schema from generated files and adds plan modifiers
+func (r *{{.NameCamel}}Resource) Schema(ctx context.Context, req resource.SchemaRequest, resp *resource.SchemaResponse) {
+	schema = {{.PackageName}}ResGen.{{.NamePascal}}ResourceSchema(ctx)
+
+    fields, err := {{.PackageName}}Utils.ReadModifiersConfig(modifiersFileByte)
+    if err != nil {
+        resp.Diagnostics.AddError("error during read modifiers config file", err.Error())
+        return
+    }
+
+    err = {{.PackageName}}Utils.AddPlanModifiersToResourceSchema(fields, &schema)
+    if err != nil {
+        resp.Diagnostics.AddError("error adding plan modifiers", err.Error())
+        return
+    }
+    resp.Schema = schema
+}
+
+// IdentitySchema defines the identity schema
+func (r *instanceResource) IdentitySchema(_ context.Context, _ resource.IdentitySchemaRequest, resp *resource.IdentitySchemaResponse) {
+	resp.IdentitySchema = identityschema.Schema{
+		Attributes: map[string]identityschema.Attribute{
+			"project_id": identityschema.StringAttribute{
+				RequiredForImport: true, // must be set during import by the practitioner
+			},
+			"region": identityschema.StringAttribute{
+				RequiredForImport: true, // can be defaulted by the provider configuration
+			},
+			"instance_id": identityschema.StringAttribute{
+				RequiredForImport: true, // can be defaulted by the provider configuration
+			},
+			// TODO: implement remaining schema parts
+		},
+	}
+}
+
+// Configure adds the provider configured client to the resource.
+func (r *{{.NameCamel}}Resource) Configure(
+	ctx context.Context,
+	req resource.ConfigureRequest,
+	resp *resource.ConfigureResponse,
+) {
+	var ok bool
+	r.providerData, ok = conversion.ParseProviderData(ctx, req.ProviderData, &resp.Diagnostics)
+	if !ok {
+		return
+	}
+
+	apiClientConfigOptions := []config.ConfigurationOption{
+		config.WithCustomAuth(r.providerData.RoundTripper),
+		utils.UserAgentConfigOption(r.providerData.Version),
+	}
+	if r.providerData.{{.PackageNamePascal}}CustomEndpoint != "" {
+		apiClientConfigOptions = append(apiClientConfigOptions, config.WithEndpoint(r.providerData.{{.PackageName}}CustomEndpoint))
+	} else {
+		apiClientConfigOptions = append(apiClientConfigOptions, config.WithRegion(r.providerData.GetRegion()))
+	}
+	apiClient, err := {{.PackageName}}.NewAPIClient(apiClientConfigOptions...)
+	if err != nil {
+		resp.Diagnostics.AddError(
+		    "Error configuring API client",
+		    fmt.Sprintf(
+		        "Configuring client: %v. This is an error related to the provider configuration, not to the resource configuration",
+		        err,
+            ),
+        )
+		return
+	}
+	r.client = apiClient
+	tflog.Info(ctx, "{{.PackageName}}.{{.NamePascal}} client configured")
+}
+
+// ModifyPlan implements resource.ResourceWithModifyPlan.
+// Use the modifier to set the effective region in the current plan.
+func (r *{{.NameCamel}}Resource) ModifyPlan(
+	ctx context.Context,
+	req resource.ModifyPlanRequest,
+	resp *resource.ModifyPlanResponse,
+) { // nolint:gocritic // function signature required by Terraform
+
+	// skip initial empty configuration to avoid follow-up errors
+	if req.Config.Raw.IsNull() {
+		return
+	}
+	var configModel {{.PackageName}}ResGen.{{.NamePascal}}Model
+	resp.Diagnostics.Append(req.Config.Get(ctx, &configModel)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	if req.Plan.Raw.IsNull() {
+		return
+	}
+	var planModel {{.PackageName}}ResGen.{{.NamePascal}}Model
+	resp.Diagnostics.Append(req.Plan.Get(ctx, &planModel)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	utils.AdaptRegion(ctx, configModel.Region, &planModel.Region, r.providerData.GetRegion(), resp)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	resp.Diagnostics.Append(resp.Plan.Set(ctx, planModel)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+}
+
+// Create creates a new resource
+func (r *{{.NameCamel}}Resource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
+	var data {{.PackageName}}ResGen.{{.NamePascal}}Model
+
+	// Read Terraform plan data into the model
+	resp.Diagnostics.Append(req.Plan.Get(ctx, &data)...)
+
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	ctx = core.InitProviderContext(ctx)
+
+	projectId := data.ProjectId.ValueString()
+	region := data.Region.ValueString()
+	ctx = tflog.SetField(ctx, "project_id", projectId)
+	ctx = tflog.SetField(ctx, "region", region)
+	// TODO: add remaining fields
+
+	// TODO: Create API call logic
+	/*
+		// Generate API request body from model
+    	payload, err := toCreatePayload(ctx, &model)
+    	if err != nil {
+    		core.LogAndAddError(
+    			ctx,
+    			&resp.Diagnostics,
+    			"Error creating {{.NamePascal}}",
+    			fmt.Sprintf("Creating API payload: %v", err),
+    		)
+    		return
+    	}
+    	// Create new {{.NamePascal}}
+    	createResp, err := r.client.Create{{.NamePascal}}Request(
+    		ctx,
+    		projectId,
+    		region,
+    	).Create{{.NamePascal}}RequestPayload(*payload).Execute()
+    	if err != nil {
+    		core.LogAndAddError(ctx, &resp.Diagnostics, "Error creating {{.NamePascal}}", fmt.Sprintf("Calling API: %v", err))
+    		return
+    	}
+
+    	ctx = core.LogResponse(ctx)
+
+    	{{.NamePascal}}Id := *createResp.Id
+    */
+
+	// Example data value setting
+	data.{{.NameCamel | ucfirst}}Id = types.StringValue("id-from-response")
+
+	// TODO: Set data returned by API in identity
+	identity := {{.NamePascal}}ResourceIdentityModel{
+		ProjectID:  types.StringValue(projectId),
+		Region:     types.StringValue(region),
+		// TODO: add missing values
+		{{.NamePascal}}ID: types.StringValue({{.NamePascal}}Id),
+	}
+	resp.Diagnostics.Append(resp.Identity.Set(ctx, identity)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	// TODO: implement wait handler if needed
+	/*
+
+		waitResp, err := wait.Create{{.NamePascal}}WaitHandler(
+    		ctx,
+    		r.client,
+    		projectId,
+    		{{.NamePascal}}Id,
+    		region,
+    	).SetSleepBeforeWait(
+    		30 * time.Second,
+    	).SetTimeout(
+    		90 * time.Minute,
+    	).WaitWithContext(ctx)
+    	if err != nil {
+    		core.LogAndAddError(
+    			ctx,
+    			&resp.Diagnostics,
+    			"Error creating {{.NamePascal}}",
+    			fmt.Sprintf("{{.NamePascal}} creation waiting: %v", err),
+    		)
+    		return
+    	}
+
+    	if waitResp.Id == nil {
+    		core.LogAndAddError(
+    			ctx,
+    			&resp.Diagnostics,
+    			"Error creating {{.NamePascal}}",
+    			"{{.NamePascal}} creation waiting: returned id is nil",
+    		)
+    		return
+    	}
+
+    	// Map response body to schema
+    	err = mapResponseToModel(ctx, waitResp, &model, resp.Diagnostics)
+    	if err != nil {
+    		core.LogAndAddError(
+    			ctx,
+    			&resp.Diagnostics,
+    			"Error creating {{.NamePascal}}",
+    			fmt.Sprintf("Processing API payload: %v", err),
+    		)
+    		return
+    	}
+
+	*/
+
+	// Save data into Terraform state
+	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
+
+	tflog.Info(ctx, "{{.PackageName}}.{{.NamePascal}} created")
+}
+
+func (r *{{.NameCamel}}Resource) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) {
+	var data {{.PackageName}}ResGen.{{.NamePascal}}Model
+
+	// Read Terraform prior state data into the model
+	resp.Diagnostics.Append(req.State.Get(ctx, &data)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	// Read identity data
+	var identityData {{.NamePascal}}ResourceIdentityModel
+	resp.Diagnostics.Append(req.Identity.Get(ctx, &identityData)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+
+	ctx = core.InitProviderContext(ctx)
+
+	projectId := identityData.ProjectID.ValueString()
+	region := identityData.Region.ValueString()
+	ctx = tflog.SetField(ctx, "project_id", projectId)
+	ctx = tflog.SetField(ctx, "region", region)
+
+	// TODO: Read API call logic
+
+	// Save updated data into Terraform state
+	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
+
+	// TODO: Set data returned by API in identity
+	identity := {{.NamePascal}}ResourceIdentityModel{
+		ProjectID:  types.StringValue(projectId),
+		Region:     types.StringValue(region),
+		// InstanceID: types.StringValue(instanceId),
+	}
+	resp.Diagnostics.Append(resp.Identity.Set(ctx, identity)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	tflog.Info(ctx, "{{.PackageName}}.{{.NamePascal}} read")
+}
+
+func (r *{{.NameCamel}}Resource) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
+	var data {{.PackageName}}ResGen.{{.NamePascal}}Model
+
+	// Read Terraform prior state data into the model
+	resp.Diagnostics.Append(req.State.Get(ctx, &data)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	ctx = core.InitProviderContext(ctx)
+
+	projectId := data.ProjectId.ValueString()
+	region := data.Region.ValueString()
+	ctx = tflog.SetField(ctx, "project_id", projectId)
+	ctx = tflog.SetField(ctx, "region", region)
+
+	// TODO: Update API call logic
+
+	// TODO: Set data returned by API in identity
+	identity := {{.NamePascal}}ResourceIdentityModel{
+		ProjectID:  types.StringValue(projectId),
+		Region:     types.StringValue(region),
+		// TODO: add missing values
+		{{.NamePascal}}ID: types.StringValue({{.NamePascal}}Id),
+	}
+	resp.Diagnostics.Append(resp.Identity.Set(ctx, identity)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	// Save updated data into Terraform state
+	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
+
+	tflog.Info(ctx, "{{.PackageName}}.{{.NamePascal}} updated")
+}
+
+func (r *{{.NameCamel}}Resource) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) {
+	var data {{.PackageName}}ResGen.{{.NamePascal}}Model
+
+	// Read Terraform prior state data into the model
+	resp.Diagnostics.Append(req.State.Get(ctx, &data)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	// Read identity data
+	var identityData {{.NamePascal}}ResourceIdentityModel
+	resp.Diagnostics.Append(req.Identity.Get(ctx, &identityData)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+
+	ctx = core.InitProviderContext(ctx)
+
+	projectId := identityData.ProjectID.ValueString()
+	region := identityData.Region.ValueString()
+	ctx = tflog.SetField(ctx, "project_id", projectId)
+	ctx = tflog.SetField(ctx, "region", region)
+
+	// TODO: Delete API call logic
+
+	tflog.Info(ctx, "{{.PackageName}}.{{.NamePascal}} deleted")
+}
+
+// ImportState imports a resource into the Terraform state on success.
+// The expected format of the resource import identifier is: project_id,zone_id,record_set_id
+func (r *{{.NameCamel}}Resource) ImportState(
+	ctx context.Context,
+	req resource.ImportStateRequest,
+	resp *resource.ImportStateResponse,
+) {
+	idParts := strings.Split(req.ID, core.Separator)
+
+	// TODO: Import logic
+	// TODO: fix len and parts itself
+	if len(idParts) < 2 || idParts[0] == "" || idParts[1] == "" {
+		core.LogAndAddError(
+			ctx, &resp.Diagnostics,
+			"Error importing database",
+			fmt.Sprintf(
+				"Expected import identifier with format [project_id],[region],..., got %q",
+				req.ID,
+			),
+		)
+		return
+	}
+
+	resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("project_id"), idParts[0])...)
+	resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("region"), idParts[1])...)
+	// ... more ...
+
+	core.LogAndAddWarning(
+		ctx,
+		&resp.Diagnostics,
+		"{{.PackageName | ucfirst}} database imported with empty password",
+		"The database password is not imported as it is only available upon creation of a new database. The password field will be empty.",
+	)
+	tflog.Info(ctx, "{{.PackageName | ucfirst}} {{.NameCamel}} state imported")
+}
--- a/generator/cmd/build/templates/util.gotmpl
+++ b/generator/cmd/build/templates/util.gotmpl
@ -0,0 +1,47 @@
+package utils
+
+import (
+	"context"
+	"fmt"
+
+	{{.PackageName}} "tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/pkg_gen/{{.PackageName}}"
+
+	"github.com/hashicorp/terraform-plugin-framework/diag"
+	"github.com/stackitcloud/stackit-sdk-go/core/config"
+	"tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/stackit/internal/core"
+	"tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/stackit/internal/utils"
+)
+
+func ConfigureClient(
+	ctx context.Context,
+	providerData *core.ProviderData,
+	diags *diag.Diagnostics,
+) *{{.PackageName}}.APIClient {
+	apiClientConfigOptions := []config.ConfigurationOption{
+		config.WithCustomAuth(providerData.RoundTripper),
+		utils.UserAgentConfigOption(providerData.Version),
+	}
+	if providerData.{{.PackageName}}CustomEndpoint != "" {
+		apiClientConfigOptions = append(
+			apiClientConfigOptions,
+			config.WithEndpoint(providerData.{{.PackageName}}CustomEndpoint),
+		)
+	} else {
+		apiClientConfigOptions = append(apiClientConfigOptions, config.WithRegion(providerData.GetRegion()))
+	}
+	apiClient, err := {{.PackageName}}.NewAPIClient(apiClientConfigOptions...)
+	if err != nil {
+		core.LogAndAddError(
+			ctx,
+			diags,
+			"Error configuring API client",
+			fmt.Sprintf(
+				"Configuring client: %v. This is an error related to the provider configuration, not to the resource configuration",
+				err,
+			),
+		)
+		return nil
+	}
+
+	return apiClient
+}
--- a/generator/cmd/build/templates/util_test.gotmpl
+++ b/generator/cmd/build/templates/util_test.gotmpl
@ -0,0 +1,97 @@
+package utils
+
+import (
+	"context"
+	"os"
+	"reflect"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-framework/diag"
+	sdkClients "github.com/stackitcloud/stackit-sdk-go/core/clients"
+	"github.com/stackitcloud/stackit-sdk-go/core/config"
+	{{.PackageName}} "tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/pkg_gen/{{.PackageName}}"
+
+	"tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/stackit/internal/core"
+	"tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/stackit/internal/utils"
+)
+
+const (
+	testVersion        = "1.2.3"
+	testCustomEndpoint = "https://sqlserverflex-custom-endpoint.api.stackit.cloud"
+)
+
+func TestConfigureClient(t *testing.T) {
+	/* mock authentication by setting service account token env variable */
+	os.Clearenv()
+	err := os.Setenv(sdkClients.ServiceAccountToken, "mock-val")
+	if err != nil {
+		t.Errorf("error setting env variable: %v", err)
+	}
+
+	type args struct {
+		providerData *core.ProviderData
+	}
+	tests := []struct {
+		name     string
+		args     args
+		wantErr  bool
+		expected *sqlserverflex.APIClient
+	}{
+		{
+			name: "default endpoint",
+			args: args{
+				providerData: &core.ProviderData{
+					Version: testVersion,
+				},
+			},
+			expected: func() *sqlserverflex.APIClient {
+				apiClient, err := sqlserverflex.NewAPIClient(
+					config.WithRegion("eu01"),
+					utils.UserAgentConfigOption(testVersion),
+				)
+				if err != nil {
+					t.Errorf("error configuring client: %v", err)
+				}
+				return apiClient
+			}(),
+			wantErr: false,
+		},
+		{
+			name: "custom endpoint",
+			args: args{
+				providerData: &core.ProviderData{
+					Version:                     testVersion,
+					SQLServerFlexCustomEndpoint: testCustomEndpoint,
+				},
+			},
+			expected: func() *sqlserverflex.APIClient {
+				apiClient, err := sqlserverflex.NewAPIClient(
+					utils.UserAgentConfigOption(testVersion),
+					config.WithEndpoint(testCustomEndpoint),
+				)
+				if err != nil {
+					t.Errorf("error configuring client: %v", err)
+				}
+				return apiClient
+			}(),
+			wantErr: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(
+			tt.name, func(t *testing.T) {
+				ctx := context.Background()
+				diags := diag.Diagnostics{}
+
+				actual := ConfigureClient(ctx, tt.args.providerData, &diags)
+				if diags.HasError() != tt.wantErr {
+					t.Errorf("ConfigureClient() error = %v, want %v", diags.HasError(), tt.wantErr)
+				}
+
+				if !reflect.DeepEqual(actual, tt.expected) {
+					t.Errorf("ConfigureClient() = %v, want %v", actual, tt.expected)
+				}
+			},
+		)
+	}
+}
--- a/generator/cmd/buildCmd.go
+++ b/generator/cmd/buildCmd.go
@ -0,0 +1,43 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+
+	"tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/generator/cmd/build"
+)
+
+var (
+	skipCleanup  bool
+	skipClone    bool
+	packagesOnly bool
+	verbose      bool
+	debug        bool
+)
+
+var buildCmd = &cobra.Command{
+	Use:   "build",
+	Short: "Build the necessary boilerplate",
+	Long:  `...`,
+	RunE: func(_ *cobra.Command, _ []string) error {
+		b := build.Builder{
+			SkipClone:    skipClone,
+			SkipCleanup:  skipCleanup,
+			PackagesOnly: packagesOnly,
+			Verbose:      verbose,
+			Debug:        debug,
+		}
+		return b.Build()
+	},
+}
+
+func NewBuildCmd() *cobra.Command {
+	return buildCmd
+}
+
+func init() { //nolint:gochecknoinits // This is the standard way to set up Cobra commands
+	buildCmd.Flags().BoolVarP(&skipCleanup, "skip-clean", "c", false, "Skip cleanup steps")
+	buildCmd.Flags().BoolVarP(&debug, "debug", "d", false, "Enable debug output")
+	buildCmd.Flags().BoolVarP(&skipClone, "skip-clone", "g", false, "Skip cloning from git")
+	buildCmd.Flags().BoolVarP(&packagesOnly, "packages-only", "p", false, "Only generate packages")
+	buildCmd.Flags().BoolVarP(&verbose, "verbose", "v", false, "verbose - show more logs")
+}
--- a/generator/cmd/docCmd.go
+++ b/generator/cmd/docCmd.go
@ -0,0 +1,247 @@
+package cmd
+
+import (
+	"fmt"
+	"log/slog"
+	"os"
+	"path"
+	"regexp"
+	"sort"
+	"strings"
+	"text/template"
+
+	"github.com/spf13/cobra"
+	"tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/generator/cmd/tools"
+)
+
+var outFile string
+
+var docsCmd = &cobra.Command{
+	Use:   "docs",
+	Short: "handle documentation",
+	Long:  `...`,
+	RunE: func(_ *cobra.Command, _ []string) error {
+		// filePathStr := "stackit/internal/services/postgresflexalpha/database/datasources_gen/database_data_source_gen.go"
+		//
+		// src, err := os.ReadFile(filePathStr)
+		// if err != nil {
+		//	return err
+		//}
+		//
+		// i := interp.New(
+		//	interp.Options{
+		//		GoPath:               "/home/henselinm/.asdf/installs/golang/1.25.6/packages",
+		//		BuildTags:            nil,
+		//		Stdin:                nil,
+		//		Stdout:               nil,
+		//		Stderr:               nil,
+		//		Args:                 nil,
+		//		Env:                  nil,
+		//		SourcecodeFilesystem: nil,
+		//		Unrestricted:         false,
+		//	},
+		//)
+		// err = i.Use(i.Symbols("github.com/hashicorp/terraform-plugin-framework-validators"))
+		// if err != nil {
+		//	return err
+		//}
+		// err = i.Use(stdlib.Symbols)
+		// if err != nil {
+		//	return err
+		//}
+		// _, err = i.Eval(string(src))
+		// if err != nil {
+		//	return err
+		//}
+		//
+		// v, err := i.Eval("DatabaseDataSourceSchema")
+		// if err != nil {
+		//	return err
+		//}
+		//
+		// bar := v.Interface().(func(string) string)
+		//
+		// r := bar("Kung")
+		// println(r)
+		//
+		// evalPath, err := i.EvalPath(filePathStr)
+		// if err != nil {
+		//	return err
+		//}
+		//
+		// fmt.Printf("%+v\n", evalPath)
+
+		// _, err = i.Eval(`import "fmt"`)
+		// if err != nil {
+		//	return err
+		//}
+		// _, err = i.Eval(`func Hallo() { fmt.Println("Hi!") }`)
+		// if err != nil {
+		//	return err
+		//}
+
+		// v = i.Symbols("Hallo")
+
+		// fmt.Println(v)
+		return workDocs()
+	},
+}
+
+type NavDocs struct {
+	PageTitle       string
+	Description     string
+	NavigationTitle string
+	ProviderTitle   string
+	IndexFound      bool
+	Services        []Service
+}
+
+type Service struct {
+	ServiceTitle string
+	DataSources  []ResItem
+	Resources    []ResItem
+}
+
+type ResItem struct {
+	ItemName string
+	ItemLink string
+}
+
+func workDocs() error {
+	slog.Info("creating docs navigation")
+	root, err := tools.GetGitRoot()
+	if err != nil {
+		slog.Error("ERROR", "err", err)
+		return err
+	}
+
+	nav := NavDocs{
+		PageTitle:       "STACKIT terraform provider PRIVATE-PREVIEW",
+		Description:     "",
+		NavigationTitle: "Navigation",
+		ProviderTitle:   "Provider",
+		IndexFound:      false,
+	}
+	startPath := path.Join(root, "docs")
+
+	docs, err := os.ReadDir(startPath)
+	if err != nil {
+		return err
+	}
+
+	services := make(map[string]Service)
+	dataSources := make(map[string][]ResItem)
+	resources := make(map[string][]ResItem)
+
+	for _, entry := range docs {
+		if !entry.IsDir() {
+			if entry.Name() == "index.md" {
+				slog.Debug("  found provider index file")
+				nav.IndexFound = true
+				continue
+			}
+			slog.Debug("  found am ignored file", "fileName", entry.Name())
+			continue
+		}
+
+		if entry.Name() != "data-sources" && entry.Name() != "resources" {
+			slog.Error("unable to handle entry, skipping", "entry", entry.Name())
+			continue
+		}
+
+		elements, err := os.ReadDir(path.Join(startPath, entry.Name()))
+		if err != nil {
+			return err
+		}
+		for _, res := range elements {
+			if res.IsDir() {
+				slog.Warn("found unexpected directory", "dir", res.Name())
+				continue
+			}
+
+			re := regexp.MustCompile(`([a-z]+)_([a-z]+).md`)
+			matches := re.FindAllStringSubmatch(res.Name(), -1)
+			if matches == nil {
+				slog.Error("unable to identify resource", "item", res.Name())
+				continue
+			}
+			services[matches[0][1]] = Service{
+				ServiceTitle: matches[0][1],
+			}
+			switch entry.Name() {
+			case "data-sources":
+				dataSources[matches[0][1]] = append(dataSources[matches[0][1]], ResItem{
+					ItemName: matches[0][2],
+					ItemLink: fmt.Sprintf("docs/%s/%s", entry.Name(), matches[0][0]),
+				})
+			case "resources":
+				resources[matches[0][1]] = append(resources[matches[0][1]], ResItem{
+					ItemName: matches[0][2],
+					ItemLink: fmt.Sprintf("docs/%s/%s", entry.Name(), matches[0][0]),
+				})
+			default:
+				return fmt.Errorf("this should never have happened")
+			}
+		}
+
+	}
+
+	keys := make([]string, 0, len(services))
+	for k := range services {
+		keys = append(keys, k)
+	}
+	sort.Strings(keys)
+
+	for _, name := range keys {
+		item := services[name]
+		item.DataSources = dataSources[name]
+		item.Resources = resources[name]
+		nav.Services = append(nav.Services, item)
+	}
+
+	fn := template.FuncMap{
+		"ucfirst": ucfirst,
+	}
+
+	tmpl, err := template.
+		New("nav.md.gompl").
+		Funcs(fn).
+		ParseFiles(path.Join(root, "generator", "cmd", "docs", "templates", "nav.md.gompl"))
+	if err != nil {
+		return err
+	}
+
+	var f *os.File
+	f, err = os.Create(outFile)
+	if err != nil {
+		return err
+	}
+
+	err = tmpl.Execute(f, nav)
+	if err != nil {
+		return err
+	}
+
+	err = f.Close()
+	if err != nil {
+		return err
+	}
+
+	slog.Info("finished")
+	return nil
+}
+
+func NewDocsCmd() *cobra.Command {
+	return docsCmd
+}
+
+func ucfirst(s string) string {
+	if s == "" {
+		return ""
+	}
+	return strings.ToUpper(s[:1]) + s[1:]
+}
+
+func init() { // nolint: gochecknoinits
+	docsCmd.Flags().StringVarP(&outFile, "outFile", "o", "nav.md", "nav.md")
+}
--- a/generator/cmd/docs/templates/nav.md.gompl
+++ b/generator/cmd/docs/templates/nav.md.gompl
@ -0,0 +1,27 @@
+---
+page_title: {{ .PageTitle }}
+description: {{ .Description }}
+---
+## {{ .NavigationTitle }}
+### {{ .ProviderTitle }}
+{{ if .IndexFound }}
+[Provider](/docs/docs/index.md)
+{{ end }}
+{{- range $index, $service := .Services }}
+### {{ $service.ServiceTitle }}
+<details>
+
+#### data sources
+
+{{- range $service.DataSources }}
+- [{{ .ItemName }}]({{ .ItemLink }})
+{{- end }}
+
+#### resources
+
+{{- range $service.Resources }}
+- [{{ .ItemName }}]({{ .ItemLink }})
+{{- end }}
+</details>
+
+{{ end }}
--- a/generator/cmd/examplesCmd.go
+++ b/generator/cmd/examplesCmd.go
@ -0,0 +1,114 @@
+package cmd
+
+import (
+	"fmt"
+	"os"
+	"path"
+
+	"github.com/spf13/cobra"
+)
+
+var examplesCmd = &cobra.Command{
+	Use:   "examples",
+	Short: "create examples",
+	Long:  `...`,
+	RunE: func(_ *cobra.Command, _ []string) error {
+		// filePathStr := "stackit/internal/services/postgresflexalpha/database/datasources_gen/database_data_source_gen.go"
+		//
+		// src, err := os.ReadFile(filePathStr)
+		// if err != nil {
+		//	return err
+		//}
+		//
+		// i := interp.New(
+		//	interp.Options{
+		//		GoPath:               "/home/henselinm/.asdf/installs/golang/1.25.6/packages",
+		//		BuildTags:            nil,
+		//		Stdin:                nil,
+		//		Stdout:               nil,
+		//		Stderr:               nil,
+		//		Args:                 nil,
+		//		Env:                  nil,
+		//		SourcecodeFilesystem: nil,
+		//		Unrestricted:         false,
+		//	},
+		//)
+		// err = i.Use(i.Symbols("github.com/hashicorp/terraform-plugin-framework-validators"))
+		// if err != nil {
+		//	return err
+		//}
+		// err = i.Use(stdlib.Symbols)
+		// if err != nil {
+		//	return err
+		//}
+		// _, err = i.Eval(string(src))
+		// if err != nil {
+		//	return err
+		//}
+		//
+		// v, err := i.Eval("DatabaseDataSourceSchema")
+		// if err != nil {
+		//	return err
+		//}
+		//
+		// bar := v.Interface().(func(string) string)
+		//
+		// r := bar("Kung")
+		// println(r)
+		//
+		// evalPath, err := i.EvalPath(filePathStr)
+		// if err != nil {
+		//	return err
+		//}
+		//
+		// fmt.Printf("%+v\n", evalPath)
+
+		// _, err = i.Eval(`import "fmt"`)
+		// if err != nil {
+		//	return err
+		//}
+		// _, err = i.Eval(`func Hallo() { fmt.Println("Hi!") }`)
+		// if err != nil {
+		//	return err
+		//}
+
+		// v = i.Symbols("Hallo")
+
+		// fmt.Println(v)
+		return workServices()
+	},
+}
+
+func workServices() error {
+	startPath := path.Join("stackit", "internal", "services")
+
+	services, err := os.ReadDir(startPath)
+	if err != nil {
+		return err
+	}
+
+	for _, entry := range services {
+		if !entry.IsDir() {
+			continue
+		}
+		resources, err := os.ReadDir(path.Join(startPath, entry.Name()))
+		if err != nil {
+			return err
+		}
+		for _, res := range resources {
+			if !res.IsDir() {
+				continue
+			}
+			fmt.Println("Gefunden:", startPath, "subdir", entry.Name(), "resource", res.Name())
+		}
+	}
+	return nil
+}
+
+func NewExamplesCmd() *cobra.Command {
+	return examplesCmd
+}
+
+// func init() { // nolint: gochecknoinits
+//	examplesCmd.Flags().BoolVarP(&example, "example", "e", false, "example")
+//}
--- a/generator/cmd/getFieldsCmd.go
+++ b/generator/cmd/getFieldsCmd.go
@ -0,0 +1,148 @@
+package cmd
+
+import (
+	"fmt"
+	"go/ast"
+	"go/parser"
+	"go/token"
+	"path"
+	"path/filepath"
+	"strings"
+
+	"github.com/spf13/cobra"
+)
+
+var (
+	inFile   string
+	svcName  string
+	resName  string
+	resType  string
+	filePath string
+)
+
+var getFieldsCmd = &cobra.Command{
+	Use:   "get-fields",
+	Short: "get fields from file",
+	Long:  `...`,
+	PreRunE: func(_ *cobra.Command, _ []string) error {
+		typeStr := "data_source"
+		if resType != "resource" && resType != "datasource" {
+			return fmt.Errorf("--type can only be resource or datasource")
+		}
+
+		if resType == "resource" {
+			typeStr = resType
+		}
+
+		if inFile == "" && svcName == "" && resName == "" {
+			return fmt.Errorf("--infile or --service and --resource must be provided")
+		}
+
+		if inFile != "" {
+			if svcName != "" || resName != "" {
+				return fmt.Errorf("--infile is provided and excludes --service and --resource")
+			}
+			p, err := filepath.Abs(inFile)
+			if err != nil {
+				return err
+			}
+			filePath = p
+			return nil
+		}
+
+		if svcName != "" && resName == "" {
+			return fmt.Errorf("if --service is provided, you MUST also provide --resource")
+		}
+
+		if svcName == "" && resName != "" {
+			return fmt.Errorf("if --resource is provided, you MUST also provide --service")
+		}
+
+		p, err := filepath.Abs(
+			path.Join(
+				"stackit",
+				"internal",
+				"services",
+				svcName,
+				resName,
+				fmt.Sprintf("%ss_gen", resType),
+				fmt.Sprintf("%s_%s_gen.go", resName, typeStr),
+			),
+		)
+		if err != nil {
+			return err
+		}
+		filePath = p
+
+		//// Enum check
+		// switch format {
+		// case "json", "yaml":
+		//default:
+		//	return fmt.Errorf("invalid --format: %s (want json|yaml)", format)
+		//}
+		return nil
+	},
+	RunE: func(_ *cobra.Command, _ []string) error {
+		return getFields(filePath)
+	},
+}
+
+func getFields(f string) error {
+	tokens, err := getTokens(f)
+	if err != nil {
+		return err
+	}
+	for _, item := range tokens {
+		fmt.Printf("%s \n", item)
+	}
+	return nil
+}
+
+func getTokens(fileName string) ([]string, error) {
+	fset := token.NewFileSet()
+	var result []string
+
+	node, err := parser.ParseFile(fset, fileName, nil, parser.ParseComments)
+	if err != nil {
+		return nil, err
+	}
+
+	ast.Inspect(
+		node, func(n ast.Node) bool {
+			// Suche nach Typ-Deklarationen (structs)
+			ts, ok := n.(*ast.TypeSpec)
+			if ok {
+				if strings.Contains(ts.Name.Name, "Model") {
+					ast.Inspect(
+						ts, func(sn ast.Node) bool {
+							tts, tok := sn.(*ast.Field)
+							if tok {
+								result = append(result, tts.Names[0].String())
+							}
+							return true
+						},
+					)
+				}
+			}
+			return true
+		},
+	)
+	return result, nil
+}
+
+func NewGetFieldsCmd() *cobra.Command {
+	return getFieldsCmd
+}
+
+func init() { //nolint:gochecknoinits //this is the only way to add the command to the rootCmd
+	getFieldsCmd.Flags().StringVarP(&inFile, "infile", "i", "", "input filename incl path")
+	getFieldsCmd.Flags().StringVarP(&svcName, "service", "s", "", "service name")
+	getFieldsCmd.Flags().StringVarP(&resName, "resource", "r", "", "resource name")
+	getFieldsCmd.Flags().StringVarP(
+		&resType,
+		"type",
+		"t",
+		"resource",
+		"resource type (data-source or resource [default])",
+	)
+}
--- a/generator/cmd/publish/architecture.go
+++ b/generator/cmd/publish/architecture.go
@ -35,36 +35,27 @@ type GpgPublicKey struct {
 }

 func (p *Provider) CreateArchitectureFiles() error {
-	// var namespace, provider, distPath, repoName, version, gpgFingerprint, gpgPubKeyFile, domain string
-
 	log.Println("* Creating architecture files in target directories")

-	// filename = terraform-provider-[provider]_0.0.1_darwin_amd64.zip - provider_name + version + target + architecture + .zip
-	// prefix := fmt.Sprintf("v1/providers/%s/%s/%s/", namespace, provider, version)
 	prefix := path.Join("v1", "providers", p.Namespace, p.Provider, p.Version)

-	// pathPrefix := fmt.Sprintf("release/%s", prefix)
 	pathPrefix := path.Join("release", prefix)

-	// urlPrefix := fmt.Sprintf("https://%s/%s", domain, prefix)
 	urlPrefix, err := url.JoinPath("https://", p.Domain, prefix)
 	if err != nil {
 		return fmt.Errorf("error creating base url: %w", err)
 	}

-	// download url = https://example.com/v1/providers/namespace/provider/0.0.1/download/terraform-provider_0.0.1_darwin_amd64.zip
 	downloadUrlPrefix, err := url.JoinPath(urlPrefix, "download")
 	if err != nil {
 		return fmt.Errorf("error crearting download url: %w", err)
 	}
 	downloadPathPrefix := path.Join(pathPrefix, "download")

-	// shasums url = https://example.com/v1/providers/namespace/provider/0.0.1/terraform-provider_0.0.1_SHA256SUMS
 	shasumsUrl, err := url.JoinPath(urlPrefix, fmt.Sprintf("%s_%s_SHA256SUMS", p.RepoName, p.Version))
 	if err != nil {
 		return fmt.Errorf("error creating shasums url: %w", err)
 	}
-	// shasums_signature_url = https://example.com/v1/providers/namespace/provider/0.0.1/terraform-provider_0.0.1_SHA256SUMS.sig
 	shasumsSigUrl := shasumsUrl + ".sig"

 	gpgAsciiPub, err := p.ReadGpgFile()
@ -94,7 +85,7 @@ func (p *Provider) CreateArchitectureFiles() error {
 		archFileName := path.Join(downloadPathPrefix, target, arch)

 		a := Architecture{
-			Protocols:           []string{"5.1"},
+			Protocols:           []string{"5.1", "6.0"},
 			OS:                  target,
 			Arch:                arch,
 			FileName:            sum.Path,
@ -116,33 +107,6 @@ func (p *Provider) CreateArchitectureFiles() error {
 				},
 			},
 		}
-		//		var architectureTemplate = []byte(fmt.Sprintf(`
-		//{
-		//  "protocols": [
-		//    "4.0",
-		//    "5.1",
-		//    "6.0"
-		//  ],
-		//  "os": "%s",
-		//  "arch": "%s",
-		//  "filename": "%s",
-		//  "download_url": "%s",
-		//  "shasums_url": "%s",
-		//  "shasums_signature_url": "%s",
-		//  "shasum": "%s",
-		//  "signing_keys": {
-		//    "gpg_public_keys": [
-		//      {
-		//        "key_id": "%s",
-		//        "ascii_armor": "%s",
-		//        "trust_signature": "",
-		//        "source": "",
-		//        "source_url": ""
-		//      }
-		//    ]
-		//  }
-		//}
-		//`, target, arch, fileName, downloadUrl, shasumsUrl, shasumsSigUrl, shasum, gpgFingerprint, gpgAsciiPub))

 		log.Printf("  - Arch file: %s", archFileName)

@ -160,8 +124,12 @@ func WriteArchitectureFile(filePath string, arch Architecture) error {
 	if err != nil {
 		return fmt.Errorf("error encoding data: %w", err)
 	}
-
-	err = os.WriteFile(filePath, jsonString, os.ModePerm)
+	//nolint:gosec // this file is not sensitive, so we can use os.ModePerm
+	err = os.WriteFile(
+		filePath,
+		jsonString,
+		os.ModePerm,
+	)
 	if err != nil {
 		return fmt.Errorf("error writing data: %w", err)
 	}
--- a/generator/cmd/publish/gpg.go
+++ b/generator/cmd/publish/gpg.go
--- a/generator/cmd/publish/provider.go
+++ b/generator/cmd/publish/provider.go
@ -143,7 +143,7 @@ func (p *Provider) createVersionsFile() error {
 	// Build the versions file...
 	version := Version{
 		Version:   p.Version,
-		Protocols: []string{"5.1"},
+		Protocols: []string{"5.1", "6.1"},
 		Platforms: nil,
 	}
 	for _, sum := range shasums {
@ -161,10 +161,12 @@ func (p *Provider) createVersionsFile() error {
 		target := fileNameSplit[2]
 		arch := fileNameSplit[3]

-		version.Platforms = append(version.Platforms, Platform{
-			OS:   target,
-			Arch: arch,
-		})
+		version.Platforms = append(
+			version.Platforms, Platform{
+				OS:   target,
+				Arch: arch,
+			},
+		)
 	}

 	data := Data{}
@ -206,16 +208,19 @@ func (p *Provider) CreateWellKnown() error {
 	log.Println("* Creating .well-known directory")
 	pathString := path.Join(p.RootPath, "release", ".well-known")

+	//nolint:gosec // this file is not sensitive, so we can use ModePerm
 	err := os.MkdirAll(pathString, os.ModePerm)
 	if err != nil && !errors.Is(err, fs.ErrExist) {
 		return fmt.Errorf("error creating '%s' dir: %w", pathString, err)
 	}

 	log.Println("  - Writing to .well-known/terraform.json file")
+
+	//nolint:gosec // this file is not sensitive, so we can use 0644
 	err = os.WriteFile(
 		fmt.Sprintf("%s/terraform.json", pathString),
 		[]byte(`{"providers.v1": "/v1/providers/"}`),
-		0644,
+		0o644,
 	)
 	if err != nil {
 		return err
@ -224,9 +229,10 @@ func (p *Provider) CreateWellKnown() error {
 	return nil
 }

-func CreateDir(path string) error {
-	log.Printf("* Creating %s directory", path)
-	err := os.MkdirAll(path, os.ModePerm)
+func CreateDir(pathValue string) error {
+	log.Printf("* Creating %s directory", pathValue)
+	//nolint:gosec // this file is not sensitive, so we can use ModePerm
+	err := os.MkdirAll(pathValue, os.ModePerm)
 	if errors.Is(err, fs.ErrExist) {
 		return nil
 	}
@ -269,13 +275,23 @@ func CopyFile(src, dst string) (int64, error) {
 	if err != nil {
 		return 0, err
 	}
-	defer source.Close()
+	defer func(source *os.File) {
+		err := source.Close()
+		if err != nil {
+			slog.Error("error closing source file", slog.Any("err", err))
+		}
+	}(source)

 	destination, err := os.Create(dst)
 	if err != nil {
 		return 0, err
 	}
-	defer destination.Close()
+	defer func(destination *os.File) {
+		err := destination.Close()
+		if err != nil {
+			slog.Error("error closing destination file", slog.Any("err", err))
+		}
+	}(destination)
 	nBytes, err := io.Copy(destination, source)
 	return nBytes, err
 }
--- a/generator/cmd/publish/shasums.go
+++ b/generator/cmd/publish/shasums.go
--- a/generator/cmd/publish/templates/Caddyfile
+++ b/generator/cmd/publish/templates/Caddyfile
@ -0,0 +1,38 @@
+{
+    log {
+            level debug
+        }
+
+
+    filesystem tf s3 {
+                         bucket "terraform-provider-privatepreview"
+                         region eu01
+                         endpoint https://object.storage.eu01.onstackit.cloud
+                         use_path_style
+                     }
+}
+
+tfregistry.sysops.stackit.rocks {
+    encode zstd gzip
+
+    handle_path /docs/* {
+                            root /srv/www
+                            templates
+
+                            @md {
+                                    file {path}
+                                    path *.md
+                                }
+
+                            rewrite @md /markdown.html
+
+                            file_server {
+                                            browse
+                                        }
+                        }
+
+    file_server {
+                    fs tf
+                    browse
+                }
+}
--- a/generator/cmd/publish/templates/index.html.gompl
+++ b/generator/cmd/publish/templates/index.html.gompl
@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html lang="de">
+<head>
+    <title>Forwarding | Weiterleitung</title>
+    <meta http-equiv="refresh" content="0; URL=index.md">
+</head>
+<body>
+<a href="index.md">Falls Sie nicht automatisch weitergeleitet werden, klicken Sie bitte hier.</a><br />
+Sie gelangen dann auf unsere Hauptseite
+</body>
+</html>
--- a/generator/cmd/publish/templates/index.md.gompl
+++ b/generator/cmd/publish/templates/index.md.gompl
@ -0,0 +1,34 @@
+---
+page_title: STACKIT provider PrivatePreview
+description: none
+---
+
+# provider
+[Provider](docs/index.md)
+
+## PostGreSQL alpha
+### data sources
+
+- [Flavor](docs/data-sources/postgresflexalpha_flavor.md)
+- [Database](docs/data-sources/postgresflexalpha_database.md)
+- [Instance](docs/data-sources/postgresflexalpha_instance.md)
+- [Flavors](docs/data-sources/postgresflexalpha_flavors.md)
+- [User](docs/data-sources/postgresflexalpha_user.md)
+
+### resources
+- [Database](docs/resources/postgresflexalpha_database.md)
+- [Instance](docs/resources/postgresflexalpha_instance.md)
+- [User](docs/resources/postgresflexalpha_user.md)
+
+## SQL Server alpha
+### data sources
+- [Database](docs/data-sources/sqlserverflexalpha_database.md)
+- [Version](docs/data-sources/sqlserverflexalpha_version.md)
+- [User](docs/data-sources/sqlserverflexalpha_user.md)
+- [Flavor](docs/data-sources/sqlserverflexalpha_flavor.md)
+- [Instance](docs/data-sources/sqlserverflexalpha_instance.md)
+
+### resources
+- [Database](docs/resources/sqlserverflexalpha_database.md)
+- [User](docs/resources/sqlserverflexalpha_user.md)
+- [Instance](docs/resources/sqlserverflexalpha_instance.md)
--- a/generator/cmd/publish/templates/markdown.html.gompl
+++ b/generator/cmd/publish/templates/markdown.html.gompl
@ -0,0 +1,79 @@
+<!DOCTYPE html>
+{{ $mdFile := .OriginalReq.URL.Path | trimPrefix "/docs" }}
+{{ $md := (include $mdFile | splitFrontMatter) }}
+<html lang="en">
+<head>
+    <title>{{$md.Meta.page_title}}</title>
+    <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
+    <link rel="stylesheet" href="/docs/terraform-registry.css">
+</head>
+<body>
+<h1>{{$md.Meta.page_title}}</h1>
+<div class="provider-view">
+    <div class="provider-nav">
+        <nav class="bread-crumbs is-light" aria-label="Provider">
+            <div class="container is-widescreen">
+                <div class="level">
+                    <ul class="provider-nav-breadcrumbs bread-crumbs-list">
+                        <li class="bread-crumbs-item">
+                            <a id="ember20" class="ember-view bread-crumbs-link" href="/">
+                                Main
+                            </a>
+                        </li>
+                    </ul>
+                </div>
+            </div>
+        </nav>
+        <nav class="block-border section-navbar section-header" aria-label="Provider details">
+            <div class="container">
+                <div class="columns is-vcentered">
+                    <div class="column is-4">
+                          <div class="provider-nav-info-header">
+                              <div class="provider-overview-logo">
+                                <span class="provider-logo">
+                                    <img class="github-image" src="https://avatars3.githubusercontent.com/stackitcloud" alt="stackitcloud">
+                                </span>
+                              </div>
+                              <div class="provider-nav-info-origin">
+                                  <h1>PRIVATE PREVIEW</h1>
+                              </div>
+                          </div>
+                    </div>
+                    <div class="column is-8">
+
+                        <ul class="nav-tabs-list nav-tabs tabs">
+
+                            <li class="nav-tabs-item">
+                                <a id="ember30" class="ember-view navbar-item" href="/">
+                                    Overview
+                                </a>
+                            </li>
+
+                        </ul>
+
+                        <div class="provider-nav-provision-wrapper">
+                            <!---->          </div>
+                    </div>
+                </div>
+            </div>
+        </nav>
+    </div>
+
+    <div class="section block-border block-white section-content">
+        <div class="container">
+            <div class="columns columns-provider-docs">
+                <div class="column is-3 column-provider-docs-menu"></div>
+                <article id="provider-docs-content" class="column is-6  provider-docs-content">
+                    <div class="markdown">
+                        <div class="highlighted-code-wrapper">
+                            {{markdown $md.Body}}
+                        </div>
+                    </div>
+                </article>
+                <div class="column is-3 column-provider-docs-menu"></div>
+            </div>
+        </div>
+    </div>
+</div>
+</body>
+</html>
--- a/generator/cmd/publish/versions.go
+++ b/generator/cmd/publish/versions.go
@ -22,16 +22,25 @@ type Platform struct {
 }

 type Data struct {
+	Id       string    `json:"id,omitempty"`
 	Versions []Version `json:"versions"`
 }

 func (d *Data) WriteToFile(filePath string) error {
+	// TODO: make it variable
+	d.Id = "tfregistry.sysops.stackit.rocks/mhenselin/stackitprivatepreview"
+
 	jsonString, err := json.Marshal(d)
 	if err != nil {
 		return fmt.Errorf("error encoding data: %w", err)
 	}

-	err = os.WriteFile(filePath, jsonString, os.ModePerm)
+	//nolint:gosec // this file is not sensitive, so we can use os.ModePerm
+	err = os.WriteFile(
+		filePath,
+		jsonString,
+		os.ModePerm,
+	)
 	if err != nil {
 		return fmt.Errorf("error writing data: %w", err)
 	}
@ -82,7 +91,13 @@ func (d *Data) LoadFromUrl(uri string) error {
 	if err != nil {
 		return err
 	}
-	defer os.Remove(file.Name()) // Clean up
+	defer func(name string) {
+		//nolint:gosec // The file path is generated by os.CreateTemp and is not user-controllable
+		err := os.Remove(name)
+		if err != nil {
+			slog.Error("failed to remove temporary file", slog.Any("err", err))
+		}
+	}(file.Name()) // Clean up

 	err = DownloadFile(
 		u.String(),
@ -119,20 +134,30 @@ func (v *Version) AddProtocol(p string) error {
 // DownloadFile will download a url and store it in local filepath.
 // It writes to the destination file as it downloads it, without
 // loading the entire file into memory.
-func DownloadFile(url string, filepath string) error {
+func DownloadFile(urlValue, filepath string) error {
 	// Create the file
+	//nolint:gosec // path traversal is not a concern here, as the filepath is generated by us and not user input
 	out, err := os.Create(filepath)
 	if err != nil {
 		return err
 	}
-	defer out.Close()
+	defer func(out *os.File) {
+		err := out.Close()
+		if err != nil {
+			slog.Error("failed to close file", slog.Any("err", err))
+		}
+	}(out)

 	// Get the data
-	resp, err := http.Get(url)
+
+	//nolint:gosec,bodyclose // this is a controlled URL, not user input
+	resp, err := http.Get(urlValue)
 	if err != nil {
 		return err
 	}
-	defer resp.Body.Close()
+	defer func(Body io.ReadCloser) {
+		_ = Body.Close()
+	}(resp.Body)

 	// Write the body to file
 	_, err = io.Copy(out, resp.Body)
--- a/generator/cmd/publishCmd.go
+++ b/generator/cmd/publishCmd.go
@ -10,7 +10,8 @@ import (
 	"path/filepath"

 	"github.com/spf13/cobra"
-	publish2 "tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/cmd/cmd/publish"
+
+	publish2 "tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/generator/cmd/publish"
 )

 var (
@ -28,20 +29,32 @@ var publishCmd = &cobra.Command{
 	Use:   "publish",
 	Short: "Publish terraform provider",
 	Long:  `...`,
-	RunE: func(_ *cobra.Command, args []string) error {
+	RunE: func(_ *cobra.Command, _ []string) error {
 		return publish()
 	},
 }

-func init() { // nolint: gochecknoinits
+func init() { //nolint:gochecknoinits //this is the standard way to set up cobra commands
 	publishCmd.Flags().StringVarP(&namespace, "namespace", "n", "", "Namespace for the Terraform registry.")
 	publishCmd.Flags().StringVarP(&domain, "domain", "d", "", "Domain for the Terraform registry.")
 	publishCmd.Flags().StringVarP(&providerName, "providerName", "p", "", "ProviderName for the Terraform registry.")
 	publishCmd.Flags().StringVarP(&distPath, "distPath", "x", "dist", "Dist Path for the Terraform registry.")
 	publishCmd.Flags().StringVarP(&repoName, "repoName", "r", "", "RepoName for the Terraform registry.")
 	publishCmd.Flags().StringVarP(&version, "version", "v", "", "Version for the Terraform registry.")
-	publishCmd.Flags().StringVarP(&gpgFingerprint, "gpgFingerprint", "f", "", "GPG Fingerprint for the Terraform registry.")
-	publishCmd.Flags().StringVarP(&gpgPubKeyFile, "gpgPubKeyFile", "k", "", "GPG PubKey file name for the Terraform registry.")
+	publishCmd.Flags().StringVarP(
+		&gpgFingerprint,
+		"gpgFingerprint",
+		"f",
+		"",
+		"GPG Fingerprint for the Terraform registry.",
+	)
+	publishCmd.Flags().StringVarP(
+		&gpgPubKeyFile,
+		"gpgPubKeyFile",
+		"k",
+		"",
+		"GPG PubKey file name for the Terraform registry.",
+	)

 	err := publishCmd.MarkFlagRequired("namespace")
 	if err != nil {
@ -104,6 +117,7 @@ func publish() error {

 	// Create release dir - only the contents of this need to be uploaded to S3
 	log.Printf("* Creating release directory")
+	//nolint:gosec // this directory is not sensitive, so we can use 0750
 	err = os.MkdirAll(path.Join(p.RootPath, "release"), os.ModePerm)
 	if err != nil && !errors.Is(err, fs.ErrExist) {
 		return fmt.Errorf("error creating '%s' dir: %w", path.Join(p.RootPath, "release"), err)
--- a/generator/cmd/rootCmd.go
+++ b/generator/cmd/rootCmd.go
@ -6,7 +6,7 @@ import (

 func NewRootCmd() *cobra.Command {
 	return &cobra.Command{
-		Use:               "build-tools",
+		Use:               "generator",
 		Short:             "...",
 		Long:              "...",
 		SilenceErrors:     true, // Error is beautified in a custom way before being printed
--- a/generator/cmd/tools/tools.go
+++ b/generator/cmd/tools/tools.go
@ -0,0 +1,20 @@
+package tools
+
+import (
+	"fmt"
+	"os/exec"
+	"strings"
+)
+
+func GetGitRoot() (string, error) {
+	cmd := exec.Command("git", "rev-parse", "--show-toplevel")
+	out, err := cmd.Output()
+	if err != nil {
+		return "", err
+	}
+	lines := strings.Split(string(out), "\n")
+	if lines[0] == "" {
+		return "", fmt.Errorf("unable to determine root directory from git")
+	}
+	return lines[0], nil
+}
--- a/generator/main.go
+++ b/generator/main.go
@ -0,0 +1,41 @@
+package main
+
+import (
+	"log"
+	"log/slog"
+	"os"
+
+	"github.com/SladkyCitron/slogcolor"
+	cc "github.com/ivanpirog/coloredcobra"
+
+	"tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/generator/cmd"
+)
+
+func main() {
+	slog.SetDefault(slog.New(slogcolor.NewHandler(os.Stderr, slogcolor.DefaultOptions)))
+
+	rootCmd := cmd.NewRootCmd()
+
+	cc.Init(&cc.Config{
+		RootCmd:  rootCmd,
+		Headings: cc.HiCyan + cc.Bold + cc.Underline,
+		Commands: cc.HiYellow + cc.Bold,
+		Example:  cc.Italic,
+		ExecName: cc.Bold,
+		Flags:    cc.Bold,
+	})
+	rootCmd.SetOut(os.Stdout)
+
+	rootCmd.AddCommand(
+		cmd.NewBuildCmd(),
+		cmd.NewPublishCmd(),
+		cmd.NewGetFieldsCmd(),
+		cmd.NewExamplesCmd(),
+		cmd.NewDocsCmd(),
+	)
+
+	err := rootCmd.Execute()
+	if err != nil {
+		log.Fatal(err)
+	}
+}
--- a/go.mod
+++ b/go.mod
@ -3,82 +3,286 @@ module tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stac
 go 1.25.6

 require (
+	github.com/SladkyCitron/slogcolor v1.8.0
+	github.com/golang-jwt/jwt/v5 v5.3.1
 	github.com/google/go-cmp v0.7.0
 	github.com/google/uuid v1.6.0
-	github.com/hashicorp/terraform-plugin-framework v1.17.0
+	github.com/hashicorp/terraform-plugin-framework v1.18.0
 	github.com/hashicorp/terraform-plugin-framework-validators v0.19.0
-	github.com/hashicorp/terraform-plugin-go v0.29.0
+	github.com/hashicorp/terraform-plugin-go v0.30.0
 	github.com/hashicorp/terraform-plugin-log v0.10.0
 	github.com/hashicorp/terraform-plugin-testing v1.14.0
 	github.com/iancoleman/strcase v0.3.0
+	github.com/ivanpirog/coloredcobra v1.0.1
+	github.com/jarcoal/httpmock v1.4.1
+	github.com/joho/godotenv v1.5.1
 	github.com/ldez/go-git-cmd-wrapper/v2 v2.9.1
 	github.com/spf13/cobra v1.10.2
-	github.com/stackitcloud/stackit-sdk-go/core v0.21.0
-	github.com/stackitcloud/stackit-sdk-go/services/iaasalpha v0.1.23-alpha
-	github.com/stackitcloud/stackit-sdk-go/services/sqlserverflex v1.4.1
+	github.com/stackitcloud/stackit-sdk-go/core v0.22.0
+	github.com/stackitcloud/stackit-sdk-go/services/postgresflex v1.4.0
+	github.com/stackitcloud/stackit-sdk-go/services/sqlserverflex v1.5.0
 	github.com/teambition/rrule-go v1.8.2
 	gopkg.in/yaml.v3 v3.0.1
 )

-require (
-	github.com/hashicorp/go-retryablehttp v0.7.8 // indirect
-	golang.org/x/telemetry v0.0.0-20260116145544-c6413dc483f5 // indirect
-)
+require github.com/hashicorp/go-retryablehttp v0.7.8 // indirect

 require (
+	4d63.com/gocheckcompilerdirectives v1.3.0 // indirect
+	4d63.com/gochecknoglobals v0.2.2 // indirect
+	codeberg.org/chavacava/garif v0.2.0 // indirect
+	codeberg.org/polyfloyd/go-errorlint v1.9.0 // indirect
 	dario.cat/mergo v1.0.1 // indirect
-	github.com/ProtonMail/go-crypto v1.3.0 // indirect
+	dev.gaijin.team/go/exhaustruct/v4 v4.0.0 // indirect
+	dev.gaijin.team/go/golib v0.6.0 // indirect
+	github.com/4meepo/tagalign v1.4.3 // indirect
+	github.com/Abirdcfly/dupword v0.1.7 // indirect
+	github.com/AdminBenni/iota-mixing v1.0.0 // indirect
+	github.com/AlwxSin/noinlineerr v1.0.5 // indirect
+	github.com/Antonboom/errname v1.1.1 // indirect
+	github.com/Antonboom/nilnil v1.1.1 // indirect
+	github.com/Antonboom/testifylint v1.6.4 // indirect
+	github.com/BurntSushi/toml v1.6.0 // indirect
+	github.com/Djarvur/go-err113 v0.1.1 // indirect
+	github.com/Kunde21/markdownfmt/v3 v3.1.0 // indirect
+	github.com/Masterminds/goutils v1.1.1 // indirect
+	github.com/Masterminds/semver/v3 v3.4.0 // indirect
+	github.com/Masterminds/sprig/v3 v3.2.3 // indirect
+	github.com/MirrexOne/unqueryvet v1.5.4 // indirect
+	github.com/OpenPeeDeeP/depguard/v2 v2.2.1 // indirect
+	github.com/ProtonMail/go-crypto v1.4.0 // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
+	github.com/alecthomas/chroma/v2 v2.23.1 // indirect
+	github.com/alecthomas/go-check-sumtype v0.3.1 // indirect
+	github.com/alexkohler/nakedret/v2 v2.0.6 // indirect
+	github.com/alexkohler/prealloc v1.1.0 // indirect
+	github.com/alfatraining/structtag v1.0.0 // indirect
+	github.com/alingse/asasalint v0.0.11 // indirect
+	github.com/alingse/nilnesserr v0.2.0 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
-	github.com/cloudflare/circl v1.6.2 // indirect
+	github.com/armon/go-radix v1.0.0 // indirect
+	github.com/ashanbrown/forbidigo/v2 v2.3.0 // indirect
+	github.com/ashanbrown/makezero/v2 v2.1.0 // indirect
+	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/bgentry/speakeasy v0.1.0 // indirect
+	github.com/bkielbasa/cyclop v1.2.3 // indirect
+	github.com/blizzy78/varnamelen v0.8.0 // indirect
+	github.com/bmatcuk/doublestar/v4 v4.9.1 // indirect
+	github.com/bombsimon/wsl/v4 v4.7.0 // indirect
+	github.com/bombsimon/wsl/v5 v5.6.0 // indirect
+	github.com/breml/bidichk v0.3.3 // indirect
+	github.com/breml/errchkjson v0.4.1 // indirect
+	github.com/butuzov/ireturn v0.4.0 // indirect
+	github.com/butuzov/mirror v1.3.0 // indirect
+	github.com/catenacyber/perfsprint v0.10.1 // indirect
+	github.com/ccojocar/zxcvbn-go v1.0.4 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/charithe/durationcheck v0.0.11 // indirect
+	github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc // indirect
+	github.com/charmbracelet/lipgloss v1.1.0 // indirect
+	github.com/charmbracelet/x/ansi v0.10.1 // indirect
+	github.com/charmbracelet/x/cellbuf v0.0.13-0.20250311204145-2c3ea96c31dd // indirect
+	github.com/charmbracelet/x/term v0.2.1 // indirect
+	github.com/ckaznocha/intrange v0.3.1 // indirect
+	github.com/cloudflare/circl v1.6.3 // indirect
+	github.com/curioswitch/go-reassign v0.3.0 // indirect
+	github.com/daixiang0/gci v0.13.7 // indirect
+	github.com/dave/dst v0.27.3 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/denis-tingaikin/go-header v0.5.0 // indirect
+	github.com/dlclark/regexp2 v1.11.5 // indirect
+	github.com/ettle/strcase v0.2.0 // indirect
 	github.com/fatih/color v1.18.0 // indirect
-	github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
+	github.com/fatih/structtag v1.2.0 // indirect
+	github.com/firefart/nonamedreturns v1.0.6 // indirect
+	github.com/fsnotify/fsnotify v1.5.4 // indirect
+	github.com/fzipp/gocyclo v0.6.0 // indirect
+	github.com/ghostiam/protogetter v0.3.20 // indirect
+	github.com/go-critic/go-critic v0.14.3 // indirect
+	github.com/go-toolsmith/astcast v1.1.0 // indirect
+	github.com/go-toolsmith/astcopy v1.1.0 // indirect
+	github.com/go-toolsmith/astequal v1.2.0 // indirect
+	github.com/go-toolsmith/astfmt v1.1.0 // indirect
+	github.com/go-toolsmith/astp v1.1.0 // indirect
+	github.com/go-toolsmith/strparse v1.1.0 // indirect
+	github.com/go-toolsmith/typep v1.1.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.5.0 // indirect
+	github.com/go-xmlfmt/xmlfmt v1.1.3 // indirect
+	github.com/gobwas/glob v0.2.3 // indirect
+	github.com/godoc-lint/godoc-lint v0.11.2 // indirect
+	github.com/gofrs/flock v0.13.0 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/golangci/asciicheck v0.5.0 // indirect
+	github.com/golangci/dupl v0.0.0-20250308024227-f665c8d69b32 // indirect
+	github.com/golangci/go-printf-func-name v0.1.1 // indirect
+	github.com/golangci/gofmt v0.0.0-20250106114630-d62b90e6713d // indirect
+	github.com/golangci/golangci-lint/v2 v2.11.2 // indirect
+	github.com/golangci/golines v0.15.0 // indirect
+	github.com/golangci/misspell v0.8.0 // indirect
+	github.com/golangci/plugin-module-register v0.1.2 // indirect
+	github.com/golangci/revgrep v0.8.0 // indirect
+	github.com/golangci/swaggoswag v0.0.0-20250504205917-77f2aca3143e // indirect
+	github.com/golangci/unconvert v0.0.0-20250410112200-a129a6e6413e // indirect
+	github.com/gordonklaus/ineffassign v0.2.0 // indirect
+	github.com/gostaticanalysis/analysisutil v0.7.1 // indirect
+	github.com/gostaticanalysis/comment v1.5.0 // indirect
+	github.com/gostaticanalysis/forcetypeassert v0.2.0 // indirect
+	github.com/gostaticanalysis/nilerr v0.1.2 // indirect
+	github.com/hashicorp/cli v1.1.7 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-checkpoint v0.5.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-cty v1.5.0 // indirect
 	github.com/hashicorp/go-hclog v1.6.3 // indirect
+	github.com/hashicorp/go-immutable-radix/v2 v2.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/go-plugin v1.7.0 // indirect
 	github.com/hashicorp/go-uuid v1.0.3 // indirect
 	github.com/hashicorp/go-version v1.8.0 // indirect
-	github.com/hashicorp/hc-install v0.9.2 // indirect
+	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
+	github.com/hashicorp/hc-install v0.9.3 // indirect
+	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/hashicorp/hcl/v2 v2.24.0 // indirect
 	github.com/hashicorp/logutils v1.0.0 // indirect
-	github.com/hashicorp/terraform-exec v0.24.0 // indirect
+	github.com/hashicorp/terraform-exec v0.25.0 // indirect
 	github.com/hashicorp/terraform-json v0.27.2 // indirect
-	github.com/hashicorp/terraform-plugin-sdk/v2 v2.38.1 // indirect
+	github.com/hashicorp/terraform-plugin-docs v0.24.0 // indirect
+	github.com/hashicorp/terraform-plugin-sdk/v2 v2.39.0 // indirect
 	github.com/hashicorp/terraform-registry-address v0.4.0 // indirect
-	github.com/hashicorp/terraform-svchost v0.2.0 // indirect
+	github.com/hashicorp/terraform-svchost v0.2.1 // indirect
 	github.com/hashicorp/yamux v0.1.2 // indirect
+	github.com/hexops/gotextdiff v1.0.3 // indirect
+	github.com/huandu/xstrings v1.3.3 // indirect
+	github.com/imdario/mergo v0.3.15 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/jgautheron/goconst v1.8.2 // indirect
+	github.com/jingyugao/rowserrcheck v1.1.1 // indirect
+	github.com/jjti/go-spancheck v0.6.5 // indirect
+	github.com/julz/importas v0.2.0 // indirect
+	github.com/karamaru-alpha/copyloopvar v1.2.2 // indirect
+	github.com/kisielk/errcheck v1.10.0 // indirect
+	github.com/kkHAIKE/contextcheck v1.1.6 // indirect
 	github.com/kr/text v0.2.0 // indirect
+	github.com/kulti/thelper v0.7.1 // indirect
+	github.com/kunwardeep/paralleltest v1.0.15 // indirect
+	github.com/lasiar/canonicalheader v1.1.2 // indirect
+	github.com/ldez/exptostd v0.4.5 // indirect
+	github.com/ldez/gomoddirectives v0.8.0 // indirect
+	github.com/ldez/grignotin v0.10.1 // indirect
+	github.com/ldez/structtags v0.6.1 // indirect
+	github.com/ldez/tagliatelle v0.7.2 // indirect
+	github.com/ldez/usetesting v0.5.0 // indirect
+	github.com/leonklingele/grouper v1.1.2 // indirect
+	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
+	github.com/macabu/inamedparam v0.2.0 // indirect
+	github.com/magiconair/properties v1.8.6 // indirect
+	github.com/manuelarte/embeddedstructfieldcheck v0.4.0 // indirect
+	github.com/manuelarte/funcorder v0.5.0 // indirect
+	github.com/maratori/testableexamples v1.0.1 // indirect
+	github.com/maratori/testpackage v1.1.2 // indirect
+	github.com/matoous/godox v1.1.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-runewidth v0.0.16 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
+	github.com/mgechev/revive v1.15.0 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
+	github.com/moricho/tparallel v0.3.2 // indirect
+	github.com/muesli/termenv v0.16.0 // indirect
+	github.com/nakabonne/nestif v0.3.1 // indirect
+	github.com/nishanths/exhaustive v0.12.0 // indirect
+	github.com/nishanths/predeclared v0.2.2 // indirect
+	github.com/nunnatsa/ginkgolinter v0.23.0 // indirect
 	github.com/oklog/run v1.2.0 // indirect
+	github.com/pelletier/go-toml v1.9.5 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/posener/complete v1.2.3 // indirect
+	github.com/prometheus/client_golang v1.12.1 // indirect
+	github.com/prometheus/client_model v0.2.0 // indirect
+	github.com/prometheus/common v0.32.1 // indirect
+	github.com/prometheus/procfs v0.7.3 // indirect
+	github.com/quasilyte/go-ruleguard v0.4.5 // indirect
+	github.com/quasilyte/go-ruleguard/dsl v0.3.23 // indirect
+	github.com/quasilyte/gogrep v0.5.0 // indirect
+	github.com/quasilyte/regex/syntax v0.0.0-20210819130434-b3f0c404a727 // indirect
+	github.com/quasilyte/stdinfo v0.0.0-20220114132959-f7386bf02567 // indirect
+	github.com/raeperd/recvcheck v0.2.0 // indirect
+	github.com/rivo/uniseg v0.4.7 // indirect
+	github.com/rogpeppe/go-internal v1.14.1 // indirect
+	github.com/ryancurrah/gomodguard v1.4.1 // indirect
+	github.com/ryanrolds/sqlclosecheck v0.5.1 // indirect
+	github.com/sanposhiho/wastedassign/v2 v2.1.0 // indirect
+	github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 // indirect
+	github.com/sashamelentyev/interfacebloat v1.1.0 // indirect
+	github.com/sashamelentyev/usestdlibvars v1.29.0 // indirect
+	github.com/securego/gosec/v2 v2.24.7 // indirect
+	github.com/shopspring/decimal v1.3.1 // indirect
+	github.com/sirupsen/logrus v1.9.4 // indirect
+	github.com/sivchari/containedctx v1.0.3 // indirect
+	github.com/sonatard/noctx v0.5.0 // indirect
+	github.com/sourcegraph/go-diff v0.7.0 // indirect
+	github.com/spf13/afero v1.15.0 // indirect
+	github.com/spf13/cast v1.5.0 // indirect
+	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.10 // indirect
+	github.com/spf13/viper v1.12.0 // indirect
+	github.com/ssgreg/nlreturn/v2 v2.2.1 // indirect
+	github.com/stbenjam/no-sprintf-host-port v0.3.1 // indirect
+	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/stretchr/testify v1.11.1 // indirect
+	github.com/subosito/gotenv v1.4.1 // indirect
+	github.com/tetafro/godot v1.5.4 // indirect
+	github.com/timakin/bodyclose v0.0.0-20241222091800-1db5c5ca4d67 // indirect
+	github.com/timonwong/loggercheck v0.11.0 // indirect
+	github.com/tomarrell/wrapcheck/v2 v2.12.0 // indirect
+	github.com/tommy-muehle/go-mnd/v2 v2.5.1 // indirect
+	github.com/ultraware/funlen v0.2.0 // indirect
+	github.com/ultraware/whitespace v0.2.0 // indirect
+	github.com/uudashr/gocognit v1.2.1 // indirect
+	github.com/uudashr/iface v1.4.1 // indirect
 	github.com/vmihailenco/msgpack v4.0.4+incompatible // indirect
 	github.com/vmihailenco/msgpack/v5 v5.4.1 // indirect
 	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
-	github.com/zclconf/go-cty v1.17.0 // indirect
-	golang.org/x/crypto v0.47.0 // indirect
-	golang.org/x/mod v0.32.0 // indirect
-	golang.org/x/net v0.49.0 // indirect
+	github.com/xen0n/gosmopolitan v1.3.0 // indirect
+	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
+	github.com/yagipy/maintidx v1.0.0 // indirect
+	github.com/yeya24/promlinter v0.3.0 // indirect
+	github.com/ykadowak/zerologlint v0.1.5 // indirect
+	github.com/yuin/goldmark v1.7.7 // indirect
+	github.com/yuin/goldmark-meta v1.1.0 // indirect
+	github.com/zclconf/go-cty v1.18.0 // indirect
+	gitlab.com/bosi/decorder v0.4.2 // indirect
+	go-simpler.org/musttag v0.14.0 // indirect
+	go-simpler.org/sloglint v0.11.1 // indirect
+	go.abhg.dev/goldmark/frontmatter v0.2.0 // indirect
+	go.augendre.info/arangolint v0.4.0 // indirect
+	go.augendre.info/fatcontext v0.9.0 // indirect
+	go.uber.org/multierr v1.10.0 // indirect
+	go.uber.org/zap v1.27.0 // indirect
+	go.yaml.in/yaml/v3 v3.0.4 // indirect
+	golang.org/x/crypto v0.48.0 // indirect
+	golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect
+	golang.org/x/exp/typeparams v0.0.0-20260209203927-2842357ff358 // indirect
+	golang.org/x/mod v0.33.0 // indirect
+	golang.org/x/net v0.51.0 // indirect
 	golang.org/x/sync v0.19.0 // indirect
-	golang.org/x/sys v0.40.0 // indirect
-	golang.org/x/text v0.33.0 // indirect
-	golang.org/x/tools v0.41.0 // indirect
+	golang.org/x/sys v0.41.0 // indirect
+	golang.org/x/text v0.34.0 // indirect
+	golang.org/x/tools v0.42.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20260120221211-b8f7ae30c516 // indirect
-	google.golang.org/grpc v1.78.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 // indirect
+	google.golang.org/grpc v1.79.2 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	honnef.co/go/tools v0.7.0 // indirect
+	mvdan.cc/gofumpt v0.9.2 // indirect
+	mvdan.cc/unparam v0.0.0-20251027182757-5beb8c8f8f15 // indirect
 )
-
-tool golang.org/x/tools/cmd/goimports
--- a/go.sum
+++ b/go.sum
--- a/golang-ci.yaml.bak
+++ b/golang-ci.yaml.bak
@ -0,0 +1,97 @@
+
+version: "2"
+run:
+  concurrency: 4
+output:
+  formats:
+    text:
+      print-linter-name: true
+      print-issued-lines: true
+      colors: true
+      path: stdout
+linters:
+  enable:
+    - bodyclose
+    - depguard
+    - errorlint
+    - forcetypeassert
+    - gochecknoinits
+    - gocritic
+    - gosec
+    - misspell
+    - nakedret
+    - revive
+    - sqlclosecheck
+    - wastedassign
+  disable:
+    - noctx
+    - unparam
+  settings:
+    depguard:
+      rules:
+        main:
+          list-mode: lax
+          allow:
+            - tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview
+            - github.com/hashicorp/terraform-plugin-framework
+            - github.com/hashicorp/terraform-plugin-log
+            - github.com/stackitcloud/stackit-sdk-go
+          deny:
+            - pkg: github.com/stretchr/testify
+              desc: Do not use a testing framework
+    gocritic:
+      disabled-checks:
+        - wrapperFunc
+        - typeDefFirst
+        - ifElseChain
+        - dupImport
+        - hugeParam
+      enabled-tags:
+        - performance
+        - style
+        - experimental
+    gosec:
+      excludes:
+        - G104
+        - G102
+        - G304
+        - G307
+    misspell:
+      locale: US
+    nakedret:
+      max-func-lines: 0
+    revive:
+      severity: error
+      rules:
+        - name: errorf
+        - name: context-as-argument
+        - name: error-return
+        - name: increment-decrement
+        - name: indent-error-flow
+        - name: superfluous-else
+        - name: unused-parameter
+        - name: unreachable-code
+        - name: atomic
+        - name: empty-lines
+        - name: early-return
+  exclusions:
+    paths:
+      - stackit-sdk-generator/
+      - generated/
+      - pkg_gen/
+    generated: lax
+    warn-unused: true
+    # Excluding configuration per-path, per-linter, per-text and per-source.
+    rules:
+      # Exclude some linters from running on tests files.
+        - path: _test\.go
+          linters:
+            - gochecknoinits
+formatters:
+  enable:
+    - gofmt
+    - goimports
+  settings:
+    goimports:
+      local-prefixes:
+        - tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview
--- a/internal/testutils/activateMocks.go
+++ b/internal/testutils/activateMocks.go
@ -0,0 +1,39 @@
+package testutils
+
+import (
+	"fmt"
+	"net/http"
+	"path/filepath"
+	"regexp"
+	"runtime"
+	"strings"
+
+	"github.com/jarcoal/httpmock"
+)
+
+func TestName() string {
+	pc, _, _, _ := runtime.Caller(1)
+	nameFull := runtime.FuncForPC(pc).Name()
+	nameEnd := filepath.Ext(nameFull)
+	name := strings.TrimPrefix(nameEnd, ".")
+	return name
+}
+
+func ActivateEnvironmentHttpMocks() {
+	httpmock.RegisterNoResponder(
+		func(req *http.Request) (*http.Response, error) {
+			return nil, fmt.Errorf("no responder found for %s %s, please check your http mocks", req.Method, req.URL)
+		},
+	)
+
+	httpmock.RegisterRegexpResponder(
+		"GET",
+		regexp.MustCompile(`^https://api\.bap\.microsoft\.com/providers/Microsoft\.BusinessAppPlatform/locations/(europe|unitedstates)/environmentLanguages\?api-version=2023-06-01$`),
+		func(_ *http.Request) (*http.Response, error) {
+			return httpmock.NewStringResponse(
+				http.StatusOK,
+				httpmock.File("../../services/languages/tests/datasource/Validate_Read/get_languages.json").String(),
+			), nil
+		},
+	)
+}
--- a/internal/testutils/functions.go
+++ b/internal/testutils/functions.go
@ -0,0 +1,129 @@
+package testutils
+
+import (
+	"bytes"
+	"fmt"
+	"log"
+	"os"
+	"path"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"testing"
+	"text/template"
+)
+
+// GetHomeEnvVariableName Helper function to obtain the home directory on different systems.
+// Based on os.UserHomeDir().
+func GetHomeEnvVariableName() string {
+	env := "HOME"
+	switch runtime.GOOS {
+	case "windows":
+		env = "USERPROFILE"
+	case "plan9":
+		env = "home"
+	}
+	return env
+}
+
+// CreateTemporaryHome create temporary home and initialize the credentials file as well
+func CreateTemporaryHome(createValidCredentialsFile bool, t *testing.T) string {
+	// create a temporary file
+	tempHome, err := os.MkdirTemp("", "tempHome")
+	if err != nil {
+		t.Fatalf("Failed to create temporary home directory: %v", err)
+	}
+
+	// create credentials file in temp directory
+	stackitFolder := path.Join(tempHome, ".stackit")
+	if err := os.Mkdir(stackitFolder, 0o750); err != nil {
+		t.Fatalf("Failed to create stackit folder: %v", err)
+	}
+
+	filePath := path.Join(stackitFolder, "credentials.json")
+	file, err := os.Create(filePath)
+	if err != nil {
+		t.Fatalf("Failed to create credentials file: %v", err)
+	}
+	defer func() {
+		if err := file.Close(); err != nil {
+			t.Fatalf("Error while closing the file: %v", err)
+		}
+	}()
+
+	// Define content, default = invalid token
+	token := "foo_token"
+	// if createValidCredentialsFile {
+	//	token = GetTestProjectServiceAccountJson("")
+	//}
+	if _, err = file.WriteString(token); err != nil {
+		t.Fatalf("Error writing to file: %v", err)
+	}
+
+	return tempHome
+}
+
+// SetTemporaryHome Function to overwrite the home folder
+func SetTemporaryHome(tempHomePath string) {
+	env := GetHomeEnvVariableName()
+	if err := os.Setenv(env, tempHomePath); err != nil {
+		fmt.Printf("Error setting temporary home directory %v", err)
+	}
+}
+
+// CleanupTemporaryHome cleanup the temporary home and reset the environment variable
+func CleanupTemporaryHome(tempHomePath string, t *testing.T) {
+	if err := os.RemoveAll(tempHomePath); err != nil {
+		t.Fatalf("Error cleaning up temporary folder: %v", err)
+	}
+	originalHomeDir, err := os.UserHomeDir()
+	if err != nil {
+		t.Fatalf("Failed to restore home directory back to normal: %v", err)
+	}
+	// revert back to original home folder
+	env := GetHomeEnvVariableName()
+	if err := os.Setenv(env, originalHomeDir); err != nil {
+		fmt.Printf("Error resetting temporary home directory %v", err)
+	}
+}
+
+func ucFirst(s string) string {
+	if s == "" {
+		return ""
+	}
+	return strings.ToUpper(s[:1]) + s[1:]
+}
+
+func StringFromTemplateMust(tplFile string, data any) string {
+	res, err := StringFromTemplate(tplFile, data)
+	if err != nil {
+		log.Fatalln(err)
+	}
+	return res
+}
+
+func StringFromTemplate(tplFile string, data any) (string, error) {
+	fn := template.FuncMap{
+		"ucfirst": ucFirst,
+	}
+
+	file := filepath.Base(tplFile)
+
+	tmpl, err := template.New(file).Funcs(fn).ParseFiles(tplFile)
+	if err != nil {
+		return "", err
+	}
+
+	tplBuf := &bytes.Buffer{}
+
+	err = tmpl.Execute(tplBuf, data)
+	if err != nil {
+		return "", err
+	}
+
+	return tplBuf.String(), nil
+}
+
+func ResStr(prefix, resource, name string) string {
+	return fmt.Sprintf("%s_%s.%s", prefix, resource, name)
+}
--- a/stackit/internal/testutil/testutil.go
+++ b/stackit/internal/testutil/testutil.go
@ -1,71 +1,11 @@
-// Copyright (c) STACKIT
-
-package testutil
+package testutils

 import (
-	"encoding/json"
 	"fmt"
 	"os"
-	"path/filepath"
-	"strings"
-	"time"
-
-	"github.com/hashicorp/terraform-plugin-framework/providerserver"
-	"github.com/hashicorp/terraform-plugin-go/tfprotov6"
-	"github.com/hashicorp/terraform-plugin-testing/config"
-	"github.com/hashicorp/terraform-plugin-testing/echoprovider"
-
-	"tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/stackit"
-)
-
-const (
-	// Default location of credentials JSON
-	credentialsFilePath = ".stackit/credentials.json" //nolint:gosec // linter false positive
 )

 var (
-	// TestAccProtoV6ProviderFactories is used to instantiate a provider during
-	// acceptance testing. The factory function will be invoked for every Terraform
-	// CLI command executed to create a provider server to which the CLI can
-	// reattach.
-	TestAccProtoV6ProviderFactories = map[string]func() (tfprotov6.ProviderServer, error){
-		"stackit": providerserver.NewProtocol6WithError(stackit.New("test-version")()),
-	}
-
-	// TestEphemeralAccProtoV6ProviderFactories is used to instantiate a provider during
-	// acceptance testing. The factory function will be invoked for every Terraform
-	// CLI command executed to create a provider server to which the CLI can
-	// reattach.
-	//
-	// See the Terraform acceptance test documentation on ephemeral resources for more information:
-	// https://developer.hashicorp.com/terraform/plugin/testing/acceptance-tests/ephemeral-resources
-	TestEphemeralAccProtoV6ProviderFactories = map[string]func() (tfprotov6.ProviderServer, error){
-		"stackit": providerserver.NewProtocol6WithError(stackit.New("test-version")()),
-		"echo":    echoprovider.NewProviderServer(),
-	}
-
-	// E2ETestsEnabled checks if end-to-end tests should be run.
-	// It is enabled when the TF_ACC environment variable is set to "1".
-	E2ETestsEnabled = os.Getenv("TF_ACC") == "1"
-	// OrganizationId is the id of organization used for tests
-	OrganizationId = os.Getenv("TF_ACC_ORGANIZATION_ID")
-	// ProjectId is the id of project used for tests
-	ProjectId = os.Getenv("TF_ACC_PROJECT_ID")
-	Region    = os.Getenv("TF_ACC_REGION")
-	// ServerId is the id of a server used for some tests
-	ServerId = getenv("TF_ACC_SERVER_ID", "")
-	// TestProjectParentContainerID is the container id of the parent resource under which projects are created as part of the resource-manager acceptance tests
-	TestProjectParentContainerID = os.Getenv("TF_ACC_TEST_PROJECT_PARENT_CONTAINER_ID")
-	// TestProjectParentUUID is the uuid of the parent resource under which projects are created as part of the resource-manager acceptance tests
-	TestProjectParentUUID = os.Getenv("TF_ACC_TEST_PROJECT_PARENT_UUID")
-	// TestProjectServiceAccountEmail is the e-mail of a service account with admin permissions on the organization under which projects are created as part of the resource-manager acceptance tests
-	TestProjectServiceAccountEmail = os.Getenv("TF_ACC_TEST_PROJECT_SERVICE_ACCOUNT_EMAIL")
-	// TestProjectUserEmail is the e-mail of a user for the project created as part of the resource-manager acceptance tests
-	// Default email: acc-test@sa.stackit.cloud
-	TestProjectUserEmail = getenv("TF_ACC_TEST_PROJECT_USER_EMAIL", "acc-test@sa.stackit.cloud")
-	// TestImageLocalFilePath is the local path to an image file used for image acceptance tests
-	TestImageLocalFilePath = getenv("TF_ACC_TEST_IMAGE_LOCAL_FILE_PATH", "default")
-
 	CdnCustomEndpoint             = os.Getenv("TF_ACC_CDN_CUSTOM_ENDPOINT")
 	DnsCustomEndpoint             = os.Getenv("TF_ACC_DNS_CUSTOM_ENDPOINT")
 	GitCustomEndpoint             = os.Getenv("TF_ACC_GIT_CUSTOM_ENDPOINT")
@ -93,30 +33,29 @@ var (
 	SKECustomEndpoint             = os.Getenv("TF_ACC_SKE_CUSTOM_ENDPOINT")
 )

-// Provider config helper functions
-
 func ObservabilityProviderConfig() string {
 	if ObservabilityCustomEndpoint == "" {
-		return `provider "stackit" {
+		return `provider "stackitprivatepreview" {
 			default_region = "eu01"
 		}`
 	}
 	return fmt.Sprintf(`
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			observability_custom_endpoint = "%s"
 		}`,
 		ObservabilityCustomEndpoint,
 	)
 }
+
 func CdnProviderConfig() string {
 	if CdnCustomEndpoint == "" {
 		return `
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			enable_beta_resources = true
 		}`
 	}
 	return fmt.Sprintf(`
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			cdn_custom_endpoint = "%s"
 			enable_beta_resources = true
 		}`,
@ -126,10 +65,10 @@ func CdnProviderConfig() string {

 func DnsProviderConfig() string {
 	if DnsCustomEndpoint == "" {
-		return `provider "stackit" {}`
+		return `provider "stackitprivatepreview" {}`
 	}
 	return fmt.Sprintf(`
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			dns_custom_endpoint = "%s"
 		}`,
 		DnsCustomEndpoint,
@ -139,12 +78,12 @@ func DnsProviderConfig() string {
 func IaaSProviderConfig() string {
 	if IaaSCustomEndpoint == "" {
 		return `
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			default_region = "eu01"
 		}`
 	}
 	return fmt.Sprintf(`
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			iaas_custom_endpoint = "%s"
 		}`,
 		IaaSCustomEndpoint,
@ -154,13 +93,13 @@ func IaaSProviderConfig() string {
 func IaaSProviderConfigWithBetaResourcesEnabled() string {
 	if IaaSCustomEndpoint == "" {
 		return `
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			enable_beta_resources = true
 			default_region = "eu01"
 		}`
 	}
 	return fmt.Sprintf(`
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			enable_beta_resources = true
 			iaas_custom_endpoint = "%s"
 		}`,
@ -171,13 +110,13 @@ func IaaSProviderConfigWithBetaResourcesEnabled() string {
 func IaaSProviderConfigWithExperiments() string {
 	if IaaSCustomEndpoint == "" {
 		return `
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			default_region = "eu01"
  			experiments = [ "routing-tables", "network" ]
 		}`
 	}
 	return fmt.Sprintf(`
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			iaas_custom_endpoint = "%s"
 			experiments = [ "routing-tables", "network" ]
 		}`,
@ -188,12 +127,12 @@ func IaaSProviderConfigWithExperiments() string {
 func KMSProviderConfig() string {
 	if KMSCustomEndpoint == "" {
 		return `
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			default_region = "eu01"
 		}`
 	}
 	return fmt.Sprintf(`
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			kms_custom_endpoint = "%s"
 		}`,
 		KMSCustomEndpoint,
@ -203,12 +142,12 @@ func KMSProviderConfig() string {
 func LoadBalancerProviderConfig() string {
 	if LoadBalancerCustomEndpoint == "" {
 		return `
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			default_region = "eu01"
 		}`
 	}
 	return fmt.Sprintf(`
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			loadbalancer_custom_endpoint = "%s"
 		}`,
 		LoadBalancerCustomEndpoint,
@ -218,12 +157,12 @@ func LoadBalancerProviderConfig() string {
 func LogMeProviderConfig() string {
 	if LogMeCustomEndpoint == "" {
 		return `
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			default_region = "eu01"
 		}`
 	}
 	return fmt.Sprintf(`
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			logme_custom_endpoint = "%s"
 		}`,
 		LogMeCustomEndpoint,
@ -233,12 +172,12 @@ func LogMeProviderConfig() string {
 func MariaDBProviderConfig() string {
 	if MariaDBCustomEndpoint == "" {
 		return `
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			default_region = "eu01"
 		}`
 	}
 	return fmt.Sprintf(`
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			mariadb_custom_endpoint = "%s"
 		}`,
 		MariaDBCustomEndpoint,
@ -248,13 +187,13 @@ func MariaDBProviderConfig() string {
 func ModelServingProviderConfig() string {
 	if ModelServingCustomEndpoint == "" {
 		return `
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			default_region = "eu01"
 		}
 		`
 	}
 	return fmt.Sprintf(`
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			modelserving_custom_endpoint = "%s"
 		}`,
 		ModelServingCustomEndpoint,
@ -264,12 +203,12 @@ func ModelServingProviderConfig() string {
 func MongoDBFlexProviderConfig() string {
 	if MongoDBFlexCustomEndpoint == "" {
 		return `
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			default_region = "eu01"
 		}`
 	}
 	return fmt.Sprintf(`
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			mongodbflex_custom_endpoint = "%s"
 		}`,
 		MongoDBFlexCustomEndpoint,
@ -279,12 +218,12 @@ func MongoDBFlexProviderConfig() string {
 func ObjectStorageProviderConfig() string {
 	if ObjectStorageCustomEndpoint == "" {
 		return `
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			default_region = "eu01"
 		}`
 	}
 	return fmt.Sprintf(`
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			objectstorage_custom_endpoint = "%s"
 		}`,
 		ObjectStorageCustomEndpoint,
@ -294,29 +233,32 @@ func ObjectStorageProviderConfig() string {
 func OpenSearchProviderConfig() string {
 	if OpenSearchCustomEndpoint == "" {
 		return `
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			default_region = "eu01"
 		}`
 	}
 	return fmt.Sprintf(`
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			opensearch_custom_endpoint = "%s"
 		}`,
 		OpenSearchCustomEndpoint,
 	)
 }

-func PostgresFlexProviderConfig() string {
+func PostgresFlexProviderConfig(saFile string) string {
 	if PostgresFlexCustomEndpoint == "" {
-		return `
-		provider "stackit" {
+		return fmt.Sprintf(`
+		provider "stackitprivatepreview" {
 			default_region = "eu01"
-		}`
+            service_account_key_path = "%s"
+		}`, saFile)
 	}
 	return fmt.Sprintf(`
-		provider "stackit" {
+		provider "stackitprivatepreview" {
+            service_account_key_path = "%s"
 			postgresflex_custom_endpoint = "%s"
 		}`,
+		saFile,
 		PostgresFlexCustomEndpoint,
 	)
 }
@ -324,12 +266,12 @@ func PostgresFlexProviderConfig() string {
 func RabbitMQProviderConfig() string {
 	if RabbitMQCustomEndpoint == "" {
 		return `
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			default_region = "eu01"
 		}`
 	}
 	return fmt.Sprintf(`
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			rabbitmq_custom_endpoint = "%s"
 		}`,
 		RabbitMQCustomEndpoint,
@ -339,66 +281,68 @@ func RabbitMQProviderConfig() string {
 func RedisProviderConfig() string {
 	if RedisCustomEndpoint == "" {
 		return `
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			default_region = "eu01"
 		}`
 	}
 	return fmt.Sprintf(`
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			redis_custom_endpoint = "%s"
 		}`,
 		RedisCustomEndpoint,
 	)
 }

-func ResourceManagerProviderConfig() string {
-	token := GetTestProjectServiceAccountToken("")
+func ResourceManagerProviderConfig(saKeyPath string) string {
 	if ResourceManagerCustomEndpoint == "" || AuthorizationCustomEndpoint == "" {
 		return fmt.Sprintf(`
-		provider "stackit" {
-			service_account_token = "%s"
+		provider "stackitprivatepreview" {
+			service_account_key_path = "%s"
 		}`,
-			token,
+			saKeyPath,
 		)
 	}
 	return fmt.Sprintf(`
-	provider "stackit" {
+	provider "stackitprivatepreview" {
 		resourcemanager_custom_endpoint = "%s"
 		authorization_custom_endpoint = "%s"
-		service_account_token = "%s"
+		service_account_key_path = "%s"
 	}`,
 		ResourceManagerCustomEndpoint,
 		AuthorizationCustomEndpoint,
-		token,
+		saKeyPath,
 	)
 }

 func SecretsManagerProviderConfig() string {
 	if SecretsManagerCustomEndpoint == "" {
 		return `
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			default_region = "eu01"
 		}`
 	}
 	return fmt.Sprintf(`
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			secretsmanager_custom_endpoint = "%s"
 		}`,
 		SecretsManagerCustomEndpoint,
 	)
 }

-func SQLServerFlexProviderConfig() string {
+func SQLServerFlexProviderConfig(saFile string) string {
 	if SQLServerFlexCustomEndpoint == "" {
-		return `
-		provider "stackit" {
+		return fmt.Sprintf(`
+		provider "stackitprivatepreview" {
 			default_region = "eu01"
-		}`
+            service_account_key_path = "%s"
+		}`, saFile)
 	}
 	return fmt.Sprintf(`
-		provider "stackit" {
+		provider "stackitprivatepreview" {
+            service_account_key_path = "%s"
 			sqlserverflex_custom_endpoint = "%s"
 		}`,
+		saFile,
 		SQLServerFlexCustomEndpoint,
 	)
 }
@ -406,13 +350,13 @@ func SQLServerFlexProviderConfig() string {
 func ServerBackupProviderConfig() string {
 	if ServerBackupCustomEndpoint == "" {
 		return `
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			default_region = "eu01"
 			enable_beta_resources = true
 		}`
 	}
 	return fmt.Sprintf(`
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			server_backup_custom_endpoint = "%s"
 			enable_beta_resources = true
 		}`,
@ -423,13 +367,13 @@ func ServerBackupProviderConfig() string {
 func ServerUpdateProviderConfig() string {
 	if ServerUpdateCustomEndpoint == "" {
 		return `
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			default_region = "eu01"
 			enable_beta_resources = true
 		}`
 	}
 	return fmt.Sprintf(`
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			server_update_custom_endpoint = "%s"
 			enable_beta_resources = true
 		}`,
@ -440,12 +384,12 @@ func ServerUpdateProviderConfig() string {
 func SKEProviderConfig() string {
 	if SKECustomEndpoint == "" {
 		return `
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			default_region = "eu01"
 		}`
 	}
 	return fmt.Sprintf(`
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			ske_custom_endpoint = "%s"
 		}`,
 		SKECustomEndpoint,
@ -455,13 +399,13 @@ func SKEProviderConfig() string {
 func AuthorizationProviderConfig() string {
 	if AuthorizationCustomEndpoint == "" {
 		return `
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			default_region = "eu01"
 			experiments = ["iam"]
 		}`
 	}
 	return fmt.Sprintf(`
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			authorization_custom_endpoint = "%s"
 			experiments = ["iam"]
 		}`,
@ -472,13 +416,13 @@ func AuthorizationProviderConfig() string {
 func ServiceAccountProviderConfig() string {
 	if ServiceAccountCustomEndpoint == "" {
 		return `
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			default_region = "eu01"
 			enable_beta_resources = true
 		}`
 	}
 	return fmt.Sprintf(`
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			service_account_custom_endpoint = "%s"
 			enable_beta_resources = true
 		}`,
@ -489,13 +433,13 @@ func ServiceAccountProviderConfig() string {
 func GitProviderConfig() string {
 	if GitCustomEndpoint == "" {
 		return `
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			default_region = "eu01"
 			enable_beta_resources = true
 		}`
 	}
 	return fmt.Sprintf(`
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			git_custom_endpoint = "%s"
 			enable_beta_resources = true
 		}`,
@ -506,105 +450,15 @@ func GitProviderConfig() string {
 func ScfProviderConfig() string {
 	if ScfCustomEndpoint == "" {
 		return `
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			default_region = "eu01"
 		}`
 	}
 	return fmt.Sprintf(`
-		provider "stackit" {
+		provider "stackitprivatepreview" {
 			default_region = "eu01"
 			scf_custom_endpoint = "%s"
 		}`,
 		ScfCustomEndpoint,
 	)
 }
-
-func ResourceNameWithDateTime(name string) string {
-	dateTime := time.Now().Format(time.RFC3339)
-	// Remove timezone to have a smaller datetime
-	dateTimeTrimmed, _, _ := strings.Cut(dateTime, "+")
-	return fmt.Sprintf("tf-acc-%s-%s", name, dateTimeTrimmed)
-}
-
-func GetTestProjectServiceAccountToken(path string) string {
-	var err error
-	token, tokenSet := os.LookupEnv("TF_ACC_TEST_PROJECT_SERVICE_ACCOUNT_TOKEN")
-	if !tokenSet || token == "" {
-		token, err = readTestTokenFromCredentialsFile(path)
-		if err != nil {
-			return ""
-		}
-	}
-	return token
-}
-
-func readTestTokenFromCredentialsFile(path string) (string, error) {
-	if path == "" {
-		customPath, customPathSet := os.LookupEnv("STACKIT_CREDENTIALS_PATH")
-		if !customPathSet || customPath == "" {
-			path = credentialsFilePath
-			home, err := os.UserHomeDir()
-			if err != nil {
-				return "", fmt.Errorf("getting home directory: %w", err)
-			}
-			path = filepath.Join(home, path)
-		} else {
-			path = customPath
-		}
-	}
-
-	credentialsRaw, err := os.ReadFile(path)
-	if err != nil {
-		return "", fmt.Errorf("opening file: %w", err)
-	}
-
-	var credentials struct {
-		TF_ACC_TEST_PROJECT_SERVICE_ACCOUNT_TOKEN string `json:"TF_ACC_TEST_PROJECT_SERVICE_ACCOUNT_TOKEN"`
-	}
-	err = json.Unmarshal(credentialsRaw, &credentials)
-	if err != nil {
-		return "", fmt.Errorf("unmarshalling credentials: %w", err)
-	}
-	return credentials.TF_ACC_TEST_PROJECT_SERVICE_ACCOUNT_TOKEN, nil
-}
-
-func getenv(key, defaultValue string) string {
-	val := os.Getenv(key)
-	if val == "" {
-		return defaultValue
-	}
-	return val
-}
-
-// CreateDefaultLocalFile is a helper for local_file_path. No real data is created
-func CreateDefaultLocalFile() os.File {
-	// Define the file name and size
-	fileName := "test-512k.img"
-	size := 512 * 1024 // 512 KB
-
-	// Create the file
-	file, err := os.Create(fileName)
-	if err != nil {
-		panic(err)
-	}
-
-	// Seek to the desired position (512 KB)
-	_, err = file.Seek(int64(size), 0)
-	if err != nil {
-		panic(err)
-	}
-
-	return *file
-}
-
-func ConvertConfigVariable(variable config.Variable) string {
-	tmpByteArray, _ := variable.MarshalJSON()
-	// In case the variable is a string, the quotes should be removed
-	if tmpByteArray[0] == '"' && tmpByteArray[len(tmpByteArray)-1] == '"' {
-		result := string(tmpByteArray[1 : len(tmpByteArray)-1])
-		// Replace escaped quotes which where added MarshalJSON
-		rawString := strings.ReplaceAll(result, `\"`, `"`)
-		return rawString
-	}
-	return string(tmpByteArray)
-}
--- a/internal/testutils/testutils.go
+++ b/internal/testutils/testutils.go
@ -0,0 +1,220 @@
+package testutils
+
+import (
+	"fmt"
+	"log"
+	"log/slog"
+	"os"
+	"os/exec"
+	"strings"
+	"time"
+
+	"github.com/hashicorp/terraform-plugin-framework/providerserver"
+	"github.com/hashicorp/terraform-plugin-go/tfprotov6"
+	"github.com/hashicorp/terraform-plugin-testing/config"
+	"github.com/hashicorp/terraform-plugin-testing/echoprovider"
+	"github.com/joho/godotenv"
+
+	"tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/stackit"
+)
+
+const (
+	// Default location of service account JSON
+	serviceAccountFilePath = "service_account.json"
+)
+
+var (
+	// TestAccProtoV6ProviderFactories is used to instantiate a provider during
+	// acceptance testing. The factory function will be invoked for every Terraform
+	// CLI command executed to create a provider server to which the CLI can
+	// reattach.
+	TestAccProtoV6ProviderFactories = map[string]func() (tfprotov6.ProviderServer, error){
+		"stackitprivatepreview": providerserver.NewProtocol6WithError(stackit.New("test-version")()),
+	}
+
+	// TestEphemeralAccProtoV6ProviderFactories is used to instantiate a provider during
+	// acceptance testing. The factory function will be invoked for every Terraform
+	// CLI command executed to create a provider server to which the CLI can
+	// reattach.
+	//
+	// See the Terraform acceptance test documentation on ephemeral resources for more information:
+	// https://developer.hashicorp.com/terraform/plugin/testing/acceptance-tests/ephemeral-resources
+	TestEphemeralAccProtoV6ProviderFactories = map[string]func() (tfprotov6.ProviderServer, error){
+		"stackitprivatepreview": providerserver.NewProtocol6WithError(stackit.New("test-version")()),
+		"echo":                  echoprovider.NewProviderServer(),
+	}
+
+	// E2ETestsEnabled checks if end-to-end tests should be run.
+	// It is enabled when the TF_ACC environment variable is set to "1".
+	E2ETestsEnabled = os.Getenv("TF_ACC") == "1"
+	// OrganizationId is the id of organization used for tests
+	OrganizationId = os.Getenv("TF_ACC_ORGANIZATION_ID")
+	// ProjectId is the id of project used for tests
+	ProjectId = os.Getenv("TF_ACC_PROJECT_ID")
+	Region    = os.Getenv("TF_ACC_REGION")
+	// ServiceAccountFile is the json file of the service account
+	ServiceAccountFile = os.Getenv("TF_ACC_SERVICE_ACCOUNT_FILE")
+	// ServerId is the id of a server used for some tests
+	ServerId = getenv("TF_ACC_SERVER_ID", "")
+	// TestProjectParentContainerID is the container id of the parent resource under which projects are created as part of the resource-manager acceptance tests
+	TestProjectParentContainerID = os.Getenv("TF_ACC_TEST_PROJECT_PARENT_CONTAINER_ID")
+	// TestProjectParentUUID is the uuid of the parent resource under which projects are created as part of the resource-manager acceptance tests
+	TestProjectParentUUID = os.Getenv("TF_ACC_TEST_PROJECT_PARENT_UUID")
+	// TestProjectServiceAccountEmail is the e-mail of a service account with admin permissions on the organization under which projects are created as part of the resource-manager acceptance tests
+	TestProjectServiceAccountEmail = os.Getenv("TF_ACC_TEST_PROJECT_SERVICE_ACCOUNT_EMAIL")
+	// TestProjectUserEmail is the e-mail of a user for the project created as part of the resource-manager acceptance tests
+	// Default email: acc-test@sa.stackit.cloud
+	TestProjectUserEmail = getenv("TF_ACC_TEST_PROJECT_USER_EMAIL", "acc-test@sa.stackit.cloud")
+	// TestImageLocalFilePath is the local path to an image file used for image acceptance tests
+	TestImageLocalFilePath = getenv("TF_ACC_TEST_IMAGE_LOCAL_FILE_PATH", "default")
+)
+
+func Setup() {
+	root, err := getRoot()
+	if err != nil {
+		log.Fatalln(err)
+	}
+	err = godotenv.Load(fmt.Sprintf("%s/.env", *root))
+	if err != nil {
+		slog.Info("could not find .env file - not loading .env")
+		return
+	}
+	slog.Info("loaded .env file", "path", *root)
+}
+
+func getRoot() (*string, error) {
+	cmd := exec.Command("git", "rev-parse", "--show-toplevel")
+	out, err := cmd.Output()
+	if err != nil {
+		return nil, err
+	}
+	lines := strings.Split(string(out), "\n")
+	return &lines[0], nil
+}
+
+func ResourceNameWithDateTime(name string) string {
+	dateTime := time.Now().Format(time.RFC3339)
+	// Remove timezone to have a smaller datetime
+	dateTimeTrimmed, _, _ := strings.Cut(dateTime, "+")
+	return fmt.Sprintf("tf-acc-%s-%s", name, dateTimeTrimmed)
+}
+
+// func GetTestProjectServiceAccountJson(path string) string {
+//	var err error
+//	json, ok := os.LookupEnv("TF_ACC_SERVICE_ACCOUNT_JSON_CONTENT")
+//	if !ok || json == "" {
+//		json, err = readTestServiceAccountJsonFromFile(path)
+//		if err != nil {
+//			return ""
+//		}
+//	}
+//	return json
+//}
+
+// func GetTestProjectServiceAccountToken(path string) string {
+//	var err error
+//	token, tokenSet := os.LookupEnv("TF_ACC_TEST_PROJECT_SERVICE_ACCOUNT_TOKEN")
+//	if !tokenSet || token == "" {
+//		token, err = readTestTokenFromCredentialsFile(path)
+//		if err != nil {
+//			return ""
+//		}
+//	}
+//	return token
+//}
+//
+// func readTestTokenFromCredentialsFile(path string) (string, error) {
+//	if path == "" {
+//		customPath, customPathSet := os.LookupEnv("STACKIT_CREDENTIALS_PATH")
+//		if !customPathSet || customPath == "" {
+//			path = credentialsFilePath
+//			home, err := os.UserHomeDir()
+//			if err != nil {
+//				return "", fmt.Errorf("getting home directory: %w", err)
+//			}
+//			path = filepath.Join(home, path)
+//		} else {
+//			path = customPath
+//		}
+//	}
+//
+//	credentialsRaw, err := os.ReadFile(path)
+//	if err != nil {
+//		return "", fmt.Errorf("opening file: %w", err)
+//	}
+//
+//	var credentials struct {
+//		TF_ACC_TEST_PROJECT_SERVICE_ACCOUNT_TOKEN string `json:"TF_ACC_TEST_PROJECT_SERVICE_ACCOUNT_TOKEN"`
+//	}
+//	err = json.Unmarshal(credentialsRaw, &credentials)
+//	if err != nil {
+//		return "", fmt.Errorf("unmarshalling credentials: %w", err)
+//	}
+//	return credentials.TF_ACC_TEST_PROJECT_SERVICE_ACCOUNT_TOKEN, nil
+//}
+
+// func readTestServiceAccountJsonFromFile(path string) (string, error) {
+//	if path == "" {
+//		customPath, ok := os.LookupEnv("TF_ACC_SERVICE_ACCOUNT_FILE")
+//		if !ok || customPath == "" {
+//			path = serviceAccountFilePath
+//			// TODO: check if we want to handle this with a home dir
+//			/*
+//				home, err := os.UserHomeDir()
+//				if err != nil {
+//					return "", fmt.Errorf("getting home directory: %w", err)
+//				}
+//				path = filepath.Join(home, path)
+//			*/
+//		} else {
+//			path = customPath
+//		}
+//	}
+//
+//	credentialsRaw, err := os.ReadFile(path)
+//	if err != nil {
+//		return "", fmt.Errorf("opening file: %w", err)
+//	}
+//	return string(credentialsRaw), nil
+//}
+
+func getenv(key, defaultValue string) string {
+	val := os.Getenv(key)
+	if val == "" {
+		return defaultValue
+	}
+	return val
+}
+
+// CreateDefaultLocalFile is a helper for local_file_path. No real data is created
+func CreateDefaultLocalFile() os.File {
+	// Define the file name and size
+	fileName := "test-512k.img"
+	size := 512 * 1024 // 512 KB
+
+	// Create the file
+	file, err := os.Create(fileName)
+	if err != nil {
+		panic(err)
+	}
+
+	// Seek to the desired position (512 KB)
+	_, err = file.Seek(int64(size), 0)
+	if err != nil {
+		panic(err)
+	}
+
+	return *file
+}
+
+func ConvertConfigVariable(variable config.Variable) string {
+	tmpByteArray, _ := variable.MarshalJSON()
+	// In case the variable is a string, the quotes should be removed
+	if tmpByteArray[0] == '"' && tmpByteArray[len(tmpByteArray)-1] == '"' {
+		result := string(tmpByteArray[1 : len(tmpByteArray)-1])
+		// Replace escaped quotes which where added MarshalJSON
+		rawString := strings.ReplaceAll(result, `\"`, `"`)
+		return rawString
+	}
+	return string(tmpByteArray)
+}
--- a/stackit/internal/testutil/testutil_test.go
+++ b/stackit/internal/testutil/testutil_test.go
@ -1,6 +1,4 @@
-// Copyright (c) STACKIT
-
-package testutil
+package testutils

 import (
 	"testing"
--- a/main.go
+++ b/main.go
@ -6,6 +6,7 @@ import (
 	"log"

 	"github.com/hashicorp/terraform-plugin-framework/providerserver"
+
 	"tf-provider.git.onstackit.cloud/stackit-dev-tools/terraform-provider-stackitprivatepreview/stackit"
 )

--- a/sample/alpha-from-registry/key.tf
+++ b/sample/alpha-from-registry/key.tf
@ -0,0 +1,38 @@
+resource "stackit_kms_keyring" "mshalpha-keyring" {
+  project_id   = var.project_id
+  display_name = "msh-alpha-tests"
+  description  = "This is a test keyring for private endpoints"
+}
+
+resource "stackit_kms_key" "mshalpha-key01" {
+  project_id   = var.project_id
+  keyring_id   = stackit_kms_keyring.mshalpha-keyring.keyring_id
+  display_name = "mshalpha-key01"
+  protection   = "software"
+  algorithm    = "aes_256_gcm"
+  purpose      = "symmetric_encrypt_decrypt"
+  access_scope = "SNA"
+}
+
+output "keyid" {
+  value = stackit_kms_key.mshalpha-key01.key_id
+}
+
+# (because stackit_kms_key.key001 is not in configuration)
+resource "stackit_kms_key" "key001" {
+  access_scope = "SNA"
+  algorithm    = "aes_256_gcm"
+  display_name = "msh-key-sna01"
+  keyring_id   = stackit_kms_keyring.keyring001.keyring_id
+  project_id   = var.project_id
+  protection   = "software"
+  purpose      = "symmetric_encrypt_decrypt"
+}
+
+# stackit_kms_keyring.keyring001 will be destroyed
+# (because stackit_kms_keyring.keyring001 is not in configuration)
+resource "stackit_kms_keyring" "keyring001" {
+  description  = "This is a test keyring for private endpoints"
+  display_name = "msh-keyring-sna01"
+  project_id   = var.project_id
+}
--- a/sample/alpha-from-registry/postresql.tf
+++ b/sample/alpha-from-registry/postresql.tf
@ -0,0 +1,96 @@
+
+data "stackitprivatepreview_postgresflexalpha_flavor" "pgsql_flavor" {
+  project_id    = var.project_id
+  region        = "eu01"
+  cpu           = 2
+  ram           = 4
+  node_type     = "Single"
+  storage_class = "premium-perf2-stackit"
+}
+
+resource "stackitprivatepreview_postgresflexalpha_instance" "msh-alpha-sna-enc" {
+  project_id      = var.project_id
+  name            = "msh-alpha-sna-enc"
+  backup_schedule = "0 0 * * *"
+  retention_days  = 45
+  flavor_id       = data.stackitprivatepreview_postgresflexalpha_flavor.pgsql_flavor.flavor_id
+  replicas        = 1
+  storage = {
+    performance_class = "premium-perf2-stackit"
+    size              = 10
+  }
+  encryption = {
+    kek_key_id = stackit_kms_key.mshalpha-key01.key_id
+    kek_key_ring_id = stackit_kms_keyring.mshalpha-keyring.keyring_id
+    kek_key_version = 1
+    service_account = var.sa_email
+  }
+  network = {
+    acl          = ["0.0.0.0/0", "193.148.160.0/19", "170.85.2.177/32"]
+    access_scope = "SNA"
+  }
+  version = 17
+}
+
+resource "stackitprivatepreview_postgresflexalpha_instance" "msh-alpha-nosna-noenc" {
+  project_id      = var.project_id
+  name            = "msh-alpha-nosna-enc"
+  backup_schedule = "0 0 * * *"
+  retention_days  = 45
+  flavor_id       = data.stackitprivatepreview_postgresflexalpha_flavor.pgsql_flavor.flavor_id
+  replicas        = 1
+  storage = {
+    performance_class = "premium-perf2-stackit"
+    size              = 10
+  }
+  network = {
+    acl          = ["0.0.0.0/0", "193.148.160.0/19", "170.85.2.177/32"]
+    access_scope = "PUBLIC"
+  }
+  version = 16
+}
+
+resource "stackitprivatepreview_postgresflexalpha_user" "ptlsdbadminuser" {
+  project_id  = var.project_id
+  instance_id = stackitprivatepreview_postgresflexalpha_instance.msh-alpha-sna-enc.instance_id
+  name    = var.db_admin_username
+  roles       = ["createdb", "login"]
+  # roles     = ["createdb", "login", "createrole"]
+}
+
+resource "stackitprivatepreview_postgresflexalpha_user" "ptlsdbuser" {
+  project_id  = var.project_id
+  instance_id = stackitprivatepreview_postgresflexalpha_instance.msh-alpha-sna-enc.instance_id
+  name    = var.db_username
+  roles       = ["login"]
+  # roles     = ["createdb", "login", "createrole"]
+}
+
+resource "stackitprivatepreview_postgresflexalpha_database" "example" {
+  count       = 5
+  depends_on  = [stackitprivatepreview_postgresflexalpha_user.ptlsdbadminuser]
+  project_id  = var.project_id
+  instance_id = stackitprivatepreview_postgresflexalpha_instance.msh-alpha-sna-enc.instance_id
+  name        = "${var.db_name}${count.index}"
+  owner       = var.db_admin_username
+}
+
+# data "stackitprivatepreview_postgresflexalpha_instance" "datapsql" {
+#   project_id = var.project_id
+#   instance_id = var.instance_id
+#   region = "eu01"
+# }
+
+# output "psql_instance_id" {
+#   value = data.stackitprivatepreview_postgresflexalpha_instance.datapsql.instance_id
+# }
+
+output "psql_user_password" {
+  value     = stackitprivatepreview_postgresflexalpha_user.ptlsdbuser.password
+  sensitive = true
+}
+
+# output "psql_user_conn" {
+#   value     = stackitprivatepreview_postgresflexalpha_user.ptlsdbuser.connection_string
+#   sensitive = true
+# }
--- a/sample/alpha-from-registry/providers.tf
+++ b/sample/alpha-from-registry/providers.tf
@ -0,0 +1,24 @@
+
+terraform {
+  required_providers {
+    stackit = {
+      source  = "registry.terraform.io/stackitcloud/stackit"
+      version = "~> 0.70"
+    }
+    stackitprivatepreview = {
+      source  = "tfregistry.sysops.stackit.rocks/mhenselin/stackitprivatepreview"
+      version = ">=0.1.0"
+    }
+  }
+}
+
+provider "stackit" {
+  default_region           = "eu01"
+  enable_beta_resources    = true
+  service_account_key_path = "../service_account.json"
+}
+
+provider "stackitprivatepreview" {
+  default_region           = "eu01"
+  service_account_key_path = "../service_account.json"
+}
--- a/sample/alpha-from-registry/sqlserver.tf
+++ b/sample/alpha-from-registry/sqlserver.tf
@ -0,0 +1,101 @@
+# resource "stackit_kms_keyring" "keyring001" {
+#   project_id   = var.project_id
+#   display_name = "msh-keyring-sna01"
+#   description  = "This is a test keyring for private endpoints"
+# }
+#
+# resource "stackit_kms_key" "key001" {
+#   project_id   = var.project_id
+#   keyring_id   = stackit_kms_keyring.keyring001.keyring_id
+#   display_name = "msh-key-sna01"
+#   protection   = "software"
+#   algorithm    = "aes_256_gcm"
+#   purpose      = "symmetric_encrypt_decrypt"
+#   access_scope = "SNA"
+# }
+
+data "stackitprivatepreview_sqlserverflexbeta_flavor" "sqlserver_flavor" {
+  project_id    = var.project_id
+  region        = "eu01"
+  cpu           = 4
+  ram           = 16
+  node_type     = "Single"
+  storage_class = "premium-perf2-stackit"
+}
+
+resource "stackitprivatepreview_sqlserverflexbeta_instance" "msh-sna-001" {
+  project_id      = var.project_id
+  name            = "msh-sna-001"
+  backup_schedule = "0 3 * * *"
+  retention_days  = 31
+  flavor_id       = data.stackitprivatepreview_sqlserverflexbeta_flavor.sqlserver_flavor.flavor_id
+  storage = {
+    class = "premium-perf2-stackit"
+    size  = 50
+  }
+  version = 2022
+  encryption = {
+    kek_key_version = 1
+    kek_key_id      = var.key_id
+    kek_key_ring_id = var.keyring_id
+    service_account = var.sa_email
+  }
+  network = {
+    acl          = ["0.0.0.0/0", "193.148.160.0/19"]
+    access_scope = "SNA"
+  }
+}
+
+#resource "stackitprivatepreview_sqlserverflexbeta_instance" "msh-nosna-001" {
+#  project_id      = var.project_id
+#  name            = "msh-nosna-001"
+#  backup_schedule = "0 3 * * *"
+#  retention_days  = 31
+#  flavor_id       = data.stackitprivatepreview_sqlserverflexbeta_flavor.sqlserver_flavor.flavor_id
+#  storage = {
+#    class = "premium-perf2-stackit"
+#    size  = 50
+#  }
+#  version = 2022
+#  # encryption = {
+#  #   #key_id     = stackit_kms_key.key.key_id
+#  #   #keyring_id = stackit_kms_keyring.keyring.keyring_id
+#  #   #key_version     = 1
+#  #   #key_id          = var.key_id
+#  #   # key with scope public
+#  #   key_id          = "fe039bcf-8d7b-431a-801d-9e81371a6b7b"
+#  #   keyring_id      = var.keyring_id
+#  #   key_version     = var.key_version
+#  #   service_account = var.sa_email
+#  # }
+#  network = {
+#    acl          = ["0.0.0.0/0", "193.148.160.0/19"]
+#    access_scope = "PUBLIC"
+#  }
+#}
+
+# data "stackitprivatepreview_sqlserverflexbeta_instance" "test" {
+#   project_id = var.project_id
+#   instance_id = var.instance_id
+#   region = "eu01"
+# }
+
+# output "test" {
+#   value = data.stackitprivatepreview_sqlserverflexbeta_instance.test
+# }
+
+resource "stackitprivatepreview_sqlserverflexbeta_user" "ptlsdbadminuser" {
+  project_id  = var.project_id
+  instance_id = stackitprivatepreview_sqlserverflexbeta_instance.msh-sna-001.instance_id
+  username    = var.db_admin_username
+  #roles       = ["##STACKIT_LoginManager##", "##STACKIT_DatabaseManager##"]
+  roles       = ["##STACKIT_LoginManager##"]
+}
+
+resource "stackitprivatepreview_sqlserverflexbeta_user" "ptlsdbuser" {
+  project_id  = var.project_id
+  instance_id = stackitprivatepreview_sqlserverflexbeta_instance.msh-sna-001.instance_id
+  username    = var.db_username
+  roles       = ["##STACKIT_LoginManager##"]
+}
+
--- a/sample/kms/kms.tf
+++ b/sample/kms/kms.tf
@ -0,0 +1,57 @@
+resource "stackit_kms_keyring" "keyring001" {
+  project_id   = var.project_id
+  display_name = "msh-keyring-sna01"
+  description  = "This is a test keyring for private endpoints"
+}
+
+resource "stackit_kms_key" "key001" {
+  project_id   = var.project_id
+  keyring_id   = stackit_kms_keyring.keyring001.keyring_id
+  display_name = "msh-key-sna01"
+  protection   = "software"
+  algorithm    = "aes_256_gcm"
+  purpose      = "symmetric_encrypt_decrypt"
+  access_scope = "SNA"
+}
+
+
+# data "stackitprivatepreview_sqlserverflexalpha_instance" "test" {
+#   project_id = var.project_id
+#   instance_id = var.instance_id
+#   region = "eu01"
+# }
+
+output "key_ring_id" {
+  value = stackit_kms_keyring.keyring001.id
+}
+
+resource "stackit_kms_keyring" "keyring001yy" {
+  project_id   = var.project_id
+  display_name = "msh-kr-sna01"
+  description  = "This is a test keyring for private endpoints"
+}
+
+resource "stackit_kms_key" "key001yy" {
+  project_id   = var.project_id
+  keyring_id   = stackit_kms_keyring.keyring001yy.keyring_id
+  display_name = "msh-k-001"
+  protection   = "software"
+  algorithm    = "aes_256_gcm"
+  purpose      = "symmetric_encrypt_decrypt"
+  access_scope = "SNA"
+}
+
+
+# data "stackitprivatepreview_sqlserverflexalpha_instance" "test" {
+#   project_id = var.project_id
+#   instance_id = var.instance_id
+#   region = "eu01"
+# }
+
+output "key_ring_idxx" {
+  value = stackit_kms_keyring.keyring001yy.id
+}
+
+output "key_id" {
+  value = stackit_kms_key.key001yy.id
+}
--- a/Show more
+++ b/Show more