stackit-dev-tools/terraform-provider-stackitprivatepreview

No description

Find a file

Vicente Pinto 93fe2fe89f IaaS Release (#543 ) * IaaS Volume (#541) * Onboard IaaS Volume * Labels mapping * Add acceptance test * Remove source field * Fix lint * Add examples and docs * Fix lint * Fix lint * Fix lint * Volume source field (#542) * Onboard IaaS Volume * Labels mapping * Add acceptance test * Remove source field * Fix lint * Add examples and docs * Fix lint * Fix lint * Fix lint * Add source field supoort * Fix labels and source mapping * Remove unecessary source mapping * Move methods to conversion pkg * Revert change * Update stackit/internal/services/iaas/volume/datasource.go Co-authored-by: João Palet <joao.palet@outlook.com> * Update stackit/internal/services/iaas/volume/resource.go Co-authored-by: João Palet <joao.palet@outlook.com> * Update stackit/internal/services/iaas/volume/resource.go Co-authored-by: João Palet <joao.palet@outlook.com> * Update stackit/internal/services/iaas/volume/resource.go Co-authored-by: João Palet <joao.palet@outlook.com> * Changes after review * Change after revie --------- Co-authored-by: João Palet <joao.palet@outlook.com> * Onboard IaaS security groups (#545) * onboard iaas security group * add examples and generate docs * fix linter issues * fix deletion * Update stackit/internal/services/iaas/securitygroup/resource.go Co-authored-by: Vicente Pinto <vicente.pinto@freiheit.com> * rename data source example file * update docs * remove field * remove field * remove plan modifier from the name field * refactor labels in mapFields * change function from utils to conversion * remove rules from the security group * update docs * add security group acceptance test * add plan modifiers to stateful field * sort imports * change stateful description --------- Co-authored-by: Gökçe Gök Klingel <goekce.goek_klingel@stackit.cloud> Co-authored-by: Vicente Pinto <vicente.pinto@freiheit.com> * IaaS Server baseline configuration (#546) * Server resource schema * Implemente CRUD methods and unit testsg * Bug fixes * Bug fix * Make variable private * Remove delete_on_termination and update descriptions * Add security_group field to initial networking * Add examples and acc test * Generate docs * Fix lint * Fix lint issue * Fix unit test * Update desc * Gen docs * Onboard IaaS network interface (#544) * implement network interface * handle labels * add CIDR validation * fix linter issues and generate docs * remove computed from the allowed addresses and fix the conditions * Update stackit/internal/services/iaas/networkinterface/resource.go Co-authored-by: Vicente Pinto <vicente.pinto@freiheit.com> * Update stackit/internal/services/iaas/networkinterface/datasource.go Co-authored-by: Vicente Pinto <vicente.pinto@freiheit.com> * apply code review changes * remove status from schema * remove unnecessary GET call * Update stackit/internal/services/iaas/networkinterface/resource.go Co-authored-by: Vicente Pinto <vicente.pinto@freiheit.com> * Update stackit/internal/services/iaas/networkinterface/resource.go Co-authored-by: Vicente Pinto <vicente.pinto@freiheit.com> * rename nic_security to security * add beta markdown description * use existing validateIP function * use utils function for the options listing * refactor labels * change function from utils to conversion * make allowed addresses a list of strings * add acceptance test for network interfaces * fix acceptance test * rename security_groups as security_group_ids * extend descriptions * fix acc test --------- Co-authored-by: Gökçe Gök Klingel <goekce.goek_klingel@stackit.cloud> Co-authored-by: Vicente Pinto <vicente.pinto@freiheit.com> * rename volume data source example (#552) Co-authored-by: Gökçe Gök Klingel <goekce.goek_klingel@stackit.cloud> * add requires replace to ipv4 and ipv6 fields (#549) Co-authored-by: Gökçe Gök Klingel <goekce.goek_klingel@stackit.cloud> Co-authored-by: Vicente Pinto <vicente.pinto@freiheit.com> * Server resource improvements (#548) * Improvements to server resource * Fix example * Remove useStateForUnknown * Update SDK modules * Update iaasalpha moduel (#555) * Remove initial networking field (#556) * Server attachment resources (#557) * Server attachemnt resources * Add examples * Update volume datasource example * Fix linting issues * Fix linting * Fix examples formatting * Update go.mod * Revert iaas to v0.11 * Onboard iaas public ip (#551) * onboard public ip * onboard public ip * add public ip acceptance test * Update examples/data-sources/stackit_public_ip/data-source.tf Co-authored-by: Vicente Pinto <vicente.pinto@freiheit.com> * add plan modifier to IP * change type in the volume data source * add network_interface field to public ip resource * rename network_interface to network_interface_id * remove obsolete checks * extend unit tests * add network_interface_id in example * extend unit test * extend acceptance test * sort imports --------- Co-authored-by: Vicente Pinto <vicente.pinto@freiheit.com> * Add labels to network, network are and network area route resources (#559) * Fix network_interface example * Extend network, network area and network area route with labels * Revert iaas to v0.11.0 --------- Co-authored-by: GokceGK <161626272+GokceGK@users.noreply.github.com> * Onboard iaas security group rule (#553) * onboard security group rule * add security group rule to acceptance test * change type in examples * fix acc test issues * extend example with objects * remove obsolete field from acceptance test * remove unnecessary plan modifier * adapt schema fields * adapt schema fields * add requires replace to all fields * extend descriptions with protocol limitations * rename subfield protocol to number * add requires replace to objects * make icmp_parameters fields required * add empty field checks for nested objects * make max and min fields required in the port_range object * make number field computed in the protocol object * add UseStateForUnknown in protocol number * remove obsolete unit test * add checks for empty protocol and adapt unit test * add atLeastOneOf validation in protocol fields * fix linter issues * Add project existence check before deleting SNA (#561) * add project list check and error in network area deletion * Update stackit/internal/services/iaas/networkarea/resource.go Co-authored-by: Vicente Pinto <vicente.pinto@freiheit.com> --------- Co-authored-by: Vicente Pinto <vicente.pinto@freiheit.com> * Example server use cases and other fixes (#560) * Add example usage to server resource * Update examples * Fix beta warning * Update docs and examples * Remove size from example * Fix server description, fix security group rule error message * Other fixes * remove field from datasource --------- Co-authored-by: GokceGK <161626272+GokceGK@users.noreply.github.com> * Security group rule fixes (#562) * Add example usage to server resource * Update examples * Fix beta warning * Update docs and examples * Remove size from example * Fix server description, fix security group rule error message * Other fixes * Fixes to sec group rule * Fix lint * Change after review --------- Co-authored-by: GokceGK <161626272+GokceGK@users.noreply.github.com> * Fix server example (#565) * Fix server example * Fixes to examples, add CIDR validation to nic * Migrate iaasalpha to iaas (#568) * Migrate iaasalpha to iaas * Fix lint * Update example * Improvements to security group rule (#569) * Improvements to security group rule * Fix lint * Fix example and remove computed from description * Fix formatting * Update description --------- Co-authored-by: João Palet <joao.palet@outlook.com> Co-authored-by: GokceGK <161626272+GokceGK@users.noreply.github.com> Co-authored-by: Gökçe Gök Klingel <goekce.goek_klingel@stackit.cloud>		2024-10-18 16:37:41 +01:00
.github	Remove leftover Postgresql code and documentation (#527 )	2024-09-04 16:16:24 +01:00
docs	IaaS Release (#543 )	2024-10-18 16:37:41 +01:00
examples	IaaS Release (#543 )	2024-10-18 16:37:41 +01:00
scripts	Initial commit	2023-09-07 11:34:45 +01:00
stackit	IaaS Release (#543 )	2024-10-18 16:37:41 +01:00
templates	Documentation: How to use Hashicorp Kubernetes with SKE (#522 )	2024-09-17 15:14:28 +01:00
.gitignore	feature/gitignore-and-improve-contribution-guideline (#383 )	2024-05-31 09:32:31 +01:00
.goreleaser.yaml	chore(deps): update goreleaser/goreleaser-action action to v6 (#407 )	2024-06-19 16:55:07 +01:00
CONTRIBUTION.md	Extend contribution guidelines (new resource, datasource, service) (#322 )	2024-04-09 15:52:34 +01:00
go.mod	IaaS Release (#543 )	2024-10-18 16:37:41 +01:00
go.sum	IaaS Release (#543 )	2024-10-18 16:37:41 +01:00
golang-ci.yaml	Initial commit	2023-09-07 11:34:45 +01:00
LICENSE.md	updated license (#351 )	2024-05-08 11:33:54 +01:00
main.go	Fix provider address (#13 )	2023-09-08 18:07:46 +01:00
Makefile	ref 624723: server backup schedules (#416 )	2024-06-26 11:51:06 +01:00
MIGRATION.md	Remove leftover Postgresql code and documentation (#527 )	2024-09-04 16:16:24 +01:00
NOTICE.txt	updated license (#351 )	2024-05-08 11:33:54 +01:00
README.md	fix field name (#499 )	2024-08-09 12:27:00 +02:00
SECURITY.md	Add SECURITY file (#518 )	2024-08-27 12:01:00 +02:00
terraform-registry-manifest.json	Implement release pipeline (#9 )	2023-09-08 16:03:00 +01:00

README.md

STACKIT Terraform Provider

This project is the official Terraform Provider for STACKIT, which allows you to manage STACKIT resources through Terraform.

Getting Started

To install the STACKIT Terraform Provider, copy and paste this code into your Terraform configuration. Then, run terraform init.

terraform {
  required_providers {
    stackit = {
      source = "stackitcloud/stackit"
      version = "X.X.X"
    }
  }
}

provider "stackit" {
  # Configuration options
}

Check one of the examples in the examples folder.

Authentication

To authenticate, you will need a service account. Create it in the STACKIT Portal and assign the necessary permissions to it, e.g. project.owner. There are multiple ways to authenticate:

Key flow (recommended)
Token flow

When setting up authentication, the provider will always try to use the key flow first and search for credentials in several locations, following a specific order:

Explicit configuration, e.g. by setting the field service_account_key_path in the provider block (see example below)
Environment variable, e.g. by setting STACKIT_SERVICE_ACCOUNT_KEY_PATH
Credentials file

The provider will check the credentials file located in the path defined by the STACKIT_CREDENTIALS_PATH env var, if specified, or in $HOME/.stackit/credentials.json as a fallback. The credentials file should be a JSON and each credential should be set using the name of the respective environment variable, as stated below in each flow. Example:
```
{
  "STACKIT_SERVICE_ACCOUNT_TOKEN": "foo_token",
  "STACKIT_SERVICE_ACCOUNT_KEY_PATH": "path/to/sa_key.json"
}
```

Key flow

The following instructions assume that you have created a service account and assigned the necessary permissions to it, e.g. `project.owner`.

To use the key flow, you need to have a service account key, which must have an RSA key-pair attached to it.

When creating the service account key, a new pair can be created automatically, which will be included in the service account key. This will make it much easier to configure the key flow authentication in the STACKIT Terraform Provider, by just providing the service account key.

Optionally, you can provide your own private key when creating the service account key, which will then require you to also provide it explicitly to the STACKIT Terraform Provider, additionally to the service account key. Check the STACKIT Knowledge Base for an example of how to create your own key-pair.

To configure the key flow, follow this steps:

Create a service account key:

Use the STACKIT Portal: go to the Service Accounts tab, choose a Service Account and go to Service Account Keys to create a key. For more details, see Create a service account key

Save the content of the service account key by copying it and saving it in a JSON file.

The expected format of the service account key is a JSON with the following structure:

{
  "id": "uuid",
  "publicKey": "public key",
  "createdAt": "2023-08-24T14:15:22Z",
  "validUntil": "2023-08-24T14:15:22Z",
  "keyType": "USER_MANAGED",
  "keyOrigin": "USER_PROVIDED",
  "keyAlgorithm": "RSA_2048",
  "active": true,
  "credentials": {
    "kid": "string",
    "iss": "my-sa@sa.stackit.cloud",
    "sub": "uuid",
    "aud": "string",
    (optional) "privateKey": "private key when generated by the SA service"
  }
}

Configure the service account key for authentication in the provider by following one of the alternatives below:
- setting the fields in the provider block: service_account_key or service_account_key_path
- setting the environment variable: STACKIT_SERVICE_ACCOUNT_KEY_PATH
- setting STACKIT_SERVICE_ACCOUNT_KEY_PATH in the credentials file (see above)

Optionally, only if you have provided your own RSA key-pair when creating the service account key, you also need to configure your private key (takes precedence over the one included in the service account key, if present). The private key must be PEM encoded and can be provided using one of the options below:

setting the field in the provider block: private_key or private_key_path

setting the environment variable: STACKIT_PRIVATE_KEY_PATH

setting STACKIT_PRIVATE_KEY_PATH in the credentials file (see above)

Token flow

Using this flow is less secure since the token is long-lived. You can provide the token in several ways:

Setting the field service_account_token in the provider
Setting the environment variable STACKIT_SERVICE_ACCOUNT_TOKEN
Setting it in the credentials file (see above)

Backend configuration

To keep track of your Terraform state, you can configure an S3 backend using STACKIT Object Storage.

To do so, you need an Object Storage S3 bucket and credentials to access it. If you need to create them, check Getting Started - Object Storage.

Once you have everything setup, you can configure the backend by adding the following block to your Terraform configuration:

terraform {
  backend "s3" {
    bucket = "BUCKET_NAME"
    key    = "path/to/key"
    endpoints = {
      s3 = "https://object.storage.eu01.onstackit.cloud"
    }
    region                      = "eu01"
    skip_credentials_validation = true
    skip_region_validation      = true
    skip_s3_checksum            = true
    skip_requesting_account_id  = true
    secret_key                  = "SECRET_KEY"
    access_key                  = "ACCESS_KEY"
  }
}

Note: AWS specific checks must be skipped as they do not work on STACKIT. For details on what those validations do, see here.

Opting into Beta Resources

To use beta resources in the STACKIT Terraform provider, follow these steps:

Provider Configuration Option

Set the enable_beta_resources option in the provider configuration. This is a boolean attribute that can be either true or false.
```
provider "stackit" {
  region                = "eu01"
  enable_beta_resources = true
}
```
Environment Variable

Set the STACKIT_TF_ENABLE_BETA_RESOURCES environment variable to "true" or "false". Other values will be ignored and will produce a warning.
```
export STACKIT_TF_ENABLE_BETA_RESOURCES=true
```

Note

: The environment variable takes precedence over the provider configuration option. This means that if the STACKIT_TF_ENABLE_BETA_RESOURCES environment variable is set to a valid value ("true" or "false"), it will override the enable_beta_resources option specified in the provider configuration.

For more details, please refer to the beta resources configuration guide.

Acceptance Tests

Terraform acceptance tests are run using the command make test-acceptance-tf. For all services,

The env var TF_ACC_PROJECT_ID must be set with the ID of the STACKIT test project to test it.
Authentication is set as usual.
Optionally, the env var TF_ACC_XXXXXX_CUSTOM_ENDPOINT (where XXXXXX is the uppercase name of the service) can be set to use endpoints other than the default value.

Additionally:

For the Resource Manager service:
- A service account with permissions to create and delete projects is required
- The env var TF_ACC_TEST_PROJECT_SERVICE_ACCOUNT_EMAIL must be set as the email of the service account
- The env var TF_ACC_TEST_PROJECT_SERVICE_ACCOUNT_TOKEN must be set as a valid token of the service account. Can also be set in the credentials file used by authentication (see Authentication for more details)
- The env var TF_ACC_PROJECT_ID is ignored
For the Load Balancer service:
- OpenStack credentials are required, as the acceptance tests use the OpenStack provider to set up the supporting infrastructure
  - These can be obtained after creating a user token through the STACKIT Portal, in your project's Infrastructure API page
- The env var TF_ACC_OS_USER_DOMAIN_NAME must be set as the OpenStack user domain name
- The env var TF_ACC_OS_USER_NAME must be set as the OpenStack username
- The env var TF_ACC_OS_PASSWORD must be set as the OpenStack password

WARNING: Acceptance tests will create real resources, which may incur in costs.

Migration

For guidance on how to migrate to using this provider, please see our Migration Guide.

Reporting Issues

If you encounter any issues or have suggestions for improvements, please open an issue in the repository.

Contribute

Your contribution is welcome! For more details on how to contribute, refer to our Contribution Guide.

License

Apache 2.0