+```
diff --git a/examples/vpn-usecases/stackit-stackit/docs/architecture.png b/examples/vpn-usecases/stackit-stackit/docs/architecture.png
new file mode 100644
index 0000000..fe965d1
Binary files /dev/null and b/examples/vpn-usecases/stackit-stackit/docs/architecture.png differ
diff --git a/modules/test-machine/main.tf b/modules/test-machine/main.tf
index 2bf7f22..4547645 100644
--- a/modules/test-machine/main.tf
+++ b/modules/test-machine/main.tf
@@ -12,14 +12,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-terraform {
- required_providers {
- stackit = {
- source = "stackitcloud/stackit"
- }
- }
-}
-
resource "stackit_volume" "boot_volume" {
project_id = var.project_id
name = "${var.name}-volume"
diff --git a/modules/test-machine/variables.tf b/modules/test-machine/variables.tf
index a85ae88..6813331 100644
--- a/modules/test-machine/variables.tf
+++ b/modules/test-machine/variables.tf
@@ -15,40 +15,70 @@
variable "project_id" {
description = "The STACKIT Project ID"
type = string
+
+ validation {
+ condition = can(regex("^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$", var.project_id))
+ error_message = "The project_id must be a valid UUID."
+ }
}
variable "network_id" {
description = "The Network ID (UUID) where the machine should be spawned"
type = string
+
+ validation {
+ condition = can(regex("^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$", var.network_id))
+ error_message = "The network_id must be a valid UUID."
+ }
}
variable "name" {
description = "Hostname of the server"
type = string
default = "test-machine"
+
+ validation {
+ condition = can(regex("^[a-z0-9-]+$", var.name))
+ error_message = "The machine name must contain only lowercase letters, numbers, and hyphens."
+ }
}
variable "availability_zone" {
description = "The availability zone (e.g. eu01-1)"
type = string
+
+ validation {
+ condition = can(regex("^[a-z]{2}[0-9]{2}-[a-zA-Z0-9]+$", var.availability_zone))
+ error_message = "The availability zone must follow the STACKIT pattern (e.g., eu01-1, eu01-m)."
+ }
}
variable "machine_type" {
description = "Flavor of the machine"
type = string
- default = "g1.1"
+ default = "c2i.1"
}
variable "image_id" {
description = "Image UUID (Default: Debian 12)"
type = string
default = "c751cde7-e648-4f81-9722-ce9c7848bed0"
+
+ validation {
+ condition = can(regex("^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$", var.image_id))
+ error_message = "The image_id must be a valid UUID."
+ }
}
variable "disk_size" {
description = "Boot volume size in GB"
type = number
default = 50
+
+ validation {
+ condition = var.disk_size >= 1
+ error_message = "The disk_size must be at least 1 GB."
+ }
}
variable "disk_performance_class" {
diff --git a/modules/test-ske/README.md b/modules/test-ske/README.md
new file mode 100644
index 0000000..6c23eb5
--- /dev/null
+++ b/modules/test-ske/README.md
@@ -0,0 +1,54 @@
+# Test SKE Module
+
+This module is designed to quickly spin up an SKE cluster. Internally, we use it to
+debug network connectivity and deploy test applications in a simple, frictionless manner.
+It automatically selects the latest SKE and node pool machine versions.
+
+
+
+## Requirements
+
+| Name | Version |
+| ------------------------------------------------------------------ | -------- |
+| [random](#requirement_random) | 3.9.0 |
+| [stackit](#requirement_stackit) | >=0.95.0 |
+
+## Providers
+
+| Name | Version |
+| ------------------------------------------------------------ | -------- |
+| [random](#provider_random) | 3.9.0 |
+| [stackit](#provider_stackit) | >=0.95.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+| ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- |
+| [random_string.this](https://registry.terraform.io/providers/hashicorp/random/3.9.0/docs/resources/string) | resource |
+| [stackit_ske_cluster.this](https://registry.terraform.io/providers/stackitcloud/stackit/latest/docs/resources/ske_cluster) | resource |
+| [stackit_ske_kubeconfig.this](https://registry.terraform.io/providers/stackitcloud/stackit/latest/docs/resources/ske_kubeconfig) | resource |
+| [stackit_ske_kubernetes_versions.this](https://registry.terraform.io/providers/stackitcloud/stackit/latest/docs/data-sources/ske_kubernetes_versions) | data source |
+| [stackit_ske_machine_image_versions.this](https://registry.terraform.io/providers/stackitcloud/stackit/latest/docs/data-sources/ske_machine_image_versions) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+| --------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: |
+| [cluster_name](#input_cluster_name) | The name of the Kubernetes cluster | `string` | `null` | no |
+| [maintenance](#input_maintenance) | Maintenance window configuration for the cluster | object({
enable_kubernetes_version_updates = bool
enable_machine_image_version_updates = bool
start = string
end = string
}) | {
"enable_kubernetes_version_updates": true,
"enable_machine_image_version_updates": true,
"end": "02:00:00Z",
"start": "01:00:00Z"
} | no |
+| [network_id](#input_network_id) | The ID of the STACKIT network in which the SKE cluster will be deployed. If not provided, the cluster will automatically create a network on demand. Specifying a network ID is only supported in SNA setups | `string` | `null` | no |
+| [node_pools](#input_node_pools) | Configuration for the cluster node pools | `any` | [
{
"availability_zones": [
"eu01-1",
"eu01-2",
"eu01-3"
],
"machine_type": "g2i.4",
"max_surge": 3,
"maximum": 3,
"minimum": 1,
"name": "standard",
"os_name": "flatcar",
"volume_size": 20,
"volume_type": "storage_premium_perf6"
}
]
| no |
+| [project_id](#input_project_id) | The STACKIT project ID | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+| ----------------------------------------------------------------------- | --------------------------------------------- |
+| [cluster_name](#output_cluster_name) | The name of the provisioned SKE cluster |
+| [kubeconfig](#output_kubeconfig) | The kubeconfig contents to access the cluster |
+
+
diff --git a/modules/test-ske/main.tf b/modules/test-ske/main.tf
new file mode 100644
index 0000000..38bf7f4
--- /dev/null
+++ b/modules/test-ske/main.tf
@@ -0,0 +1,84 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+data "stackit_ske_kubernetes_versions" "this" {
+ version_state = "SUPPORTED"
+}
+
+data "stackit_ske_machine_image_versions" "this" {
+ version_state = "SUPPORTED"
+}
+
+resource "random_string" "this" {
+ length = 6
+ special = false
+ upper = false
+}
+
+locals {
+ flatcar_supported_versions = flatten([
+ for mi in data.stackit_ske_machine_image_versions.this.machine_images : [
+ for v in mi.versions : v.version if mi.name == "flatcar"
+ ]
+ ])
+ flatcar_supported_version = length(local.flatcar_supported_versions) > 0 ? local.flatcar_supported_versions[0] : null
+
+ ubuntu_supported_versions = flatten([
+ for mi in data.stackit_ske_machine_image_versions.this.machine_images : [
+ for v in mi.versions : v.version if mi.name == "ubuntu"
+ ]
+ ])
+ ubuntu_supported_version = length(local.ubuntu_supported_versions) > 0 ? local.ubuntu_supported_versions[0] : null
+}
+
+resource "stackit_ske_cluster" "this" {
+ project_id = var.project_id
+ name = var.cluster_name != null && var.cluster_name != "" ? var.cluster_name : "ske-${random_string.this.result}"
+ kubernetes_version_min = data.stackit_ske_kubernetes_versions.this.kubernetes_versions[0].version
+
+ maintenance = var.maintenance
+
+ network = var.network_id != null && var.network_id != "" ? {
+ id = var.network_id
+ } : null
+
+ node_pools = [
+ for np in var.node_pools : {
+ name = np.name
+ machine_type = np.machine_type
+ minimum = np.minimum
+ maximum = np.maximum
+ max_surge = np.max_surge
+ availability_zones = np.availability_zones
+ os_name = np.os_name
+ # Dynamically injects the latest OS version based on os_name if not explicitly set
+ os_version_min = lookup(np, "os_version_min", np.os_name == "flatcar" ? local.flatcar_supported_version : local.ubuntu_supported_version)
+ volume_size = np.volume_size
+ volume_type = np.volume_type
+ }
+ ]
+
+ lifecycle {
+ ignore_changes = [
+ kubernetes_version_min,
+ node_pools
+ ]
+ }
+}
+
+resource "stackit_ske_kubeconfig" "this" {
+ project_id = var.project_id
+ cluster_name = stackit_ske_cluster.this.name
+ refresh = true
+}
diff --git a/modules/test-ske/outputs.tf b/modules/test-ske/outputs.tf
new file mode 100644
index 0000000..3a16cc5
--- /dev/null
+++ b/modules/test-ske/outputs.tf
@@ -0,0 +1,24 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+output "cluster_name" {
+ description = "The name of the provisioned SKE cluster"
+ value = stackit_ske_cluster.this.name
+}
+
+output "kubeconfig" {
+ description = "The kubeconfig contents to access the cluster"
+ value = stackit_ske_kubeconfig.this.kube_config
+ sensitive = true
+}
diff --git a/modules/test-ske/provider.tf b/modules/test-ske/provider.tf
new file mode 100644
index 0000000..994578e
--- /dev/null
+++ b/modules/test-ske/provider.tf
@@ -0,0 +1,26 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+terraform {
+ required_providers {
+ stackit = {
+ source = "stackitcloud/stackit"
+ version = ">=0.95.0"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = "3.9.0"
+ }
+ }
+}
diff --git a/modules/test-ske/variables.tf b/modules/test-ske/variables.tf
new file mode 100644
index 0000000..c029aa2
--- /dev/null
+++ b/modules/test-ske/variables.tf
@@ -0,0 +1,64 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+variable "project_id" {
+ description = "The STACKIT project ID"
+ type = string
+}
+
+variable "cluster_name" {
+ description = "The name of the Kubernetes cluster"
+ type = string
+ default = null
+}
+
+variable "network_id" {
+ description = "The ID of the STACKIT network in which the SKE cluster will be deployed. If not provided, the cluster will automatically create a network on demand. Specifying a network ID is only supported in SNA setups"
+ type = string
+ default = null
+}
+
+variable "maintenance" {
+ description = "Maintenance window configuration for the cluster"
+ type = object({
+ enable_kubernetes_version_updates = bool
+ enable_machine_image_version_updates = bool
+ start = string
+ end = string
+ })
+ default = {
+ enable_kubernetes_version_updates = true
+ enable_machine_image_version_updates = true
+ start = "01:00:00Z"
+ end = "02:00:00Z"
+ }
+}
+
+variable "node_pools" {
+ description = "Configuration for the cluster node pools"
+ type = any
+ default = [
+ {
+ name = "standard"
+ machine_type = "g2i.4"
+ minimum = 1
+ maximum = 3
+ max_surge = 3
+ availability_zones = ["eu01-1", "eu01-2", "eu01-3"]
+ os_name = "flatcar"
+ volume_size = 20
+ volume_type = "storage_premium_perf6"
+ }
+ ]
+}
diff --git a/scripts/README.md b/scripts/README.md
new file mode 100644
index 0000000..f81f308
--- /dev/null
+++ b/scripts/README.md
@@ -0,0 +1,329 @@
+# Scripts
+
+Helper scripts for working with STACKIT services.
+
+> **Warning:** These scripts can perform destructive or wide-reaching operations against your STACKIT account (e.g. deleting volumes, overwriting kubeconfigs, writing secrets). Review each script and understand what it does before running it.
+
+## Overview
+
+| Script | Purpose | Required tools |
+| ---------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------- | ---------------------------------- |
+| [`s3-ssec.sh`](#s3-ssec) | Upload and Download Files to a STACKIT S3 Bucket (Object Storage) and enable Server Side Encryption with Custom Keys. | `awscli`, `python3-awscrt` |
+| [`check-stackit-ip.sh`](#check-stackit-ipsh) | Check whether a given IP address belongs to STACKIT's public IP ranges. | `stackit`, `jq`, `grepcidr` |
+| [`create-kubeconfig-multiple-projects.sh`](#create-kubeconfig-multiple-projectssh) | Generate kubeconfig entries for every SKE cluster across one or more STACKIT projects. | `stackit`, `yq` |
+| [`delete-unused-volumes.sh`](#delete-unused-volumessh) | Delete all STACKIT volumes whose status is `AVAILABLE` (i.e. not attached). | `stackit`, `yq` |
+| [`list-project-resources.sh`](#list-project-resourcessh) | Render a Markdown inventory of resources (DNS, SKE, databases, storage, …) for one or more STACKIT projects. | `stackit`, `jq` |
+| [`ske-show-versions.sh`](#ske-show-versionssh) | Print overview of SKE cluster Kubernetes versions and nodepool image versions, marking deprecated versions. | `stackit` (>= 0.59.0), `jq`, `awk` |
+| [`smctl.sh`](#smctlsh) | Unified CLI wrapper around HashiCorp Vault for the STACKIT Secret Manager (KV v2), think `kubectl` for secrets | `vault`, `jq` |
+| [`vault-migrate.sh`](#vault-migratesh) | Migrate secrets between two Vault instances using the KV v2 API (supports userpass and LDAP for source). | `vault`, `jq` |
+
+---
+
+## `s3-ssec.sh`
+
+### STACKIT S3 Object Storage SSE-C Automation Script
+
+This script automates secure Server-Side Encryption with Customer-Provided Keys (SSE-C) using the native aws-cli tool against STACKIT Object Storage.
+
+### Why This Script Exists
+
+Standard S3 tools (s3cmd, rclone) often fail during SSE-C operations on Linux due to a Binary-to-Text Encoding Mismatch when passing keys via the command line. Furthermore, third-party tools frequently throw false alarms regarding data corruption because the server-side encrypted file's MD5 hash (ETag) no longer matches the local unencrypted file's hash.
+
+The Solution: This script utilizes the official aws-cli along with a binary key file reference (fileb://). This approach bypasses shell encoding issues entirely. The AWS CLI natively understands SSE-C protocols, managing hash verifications and setting all necessary headers automatically.
+
+### Prerequisites
+
+AWS CLI installed:
+
+```bash
+sudo apt install awscli -y # Debian/Ubuntu
+sudo dnf install aws-cli -y # RHEL/CentOS
+```
+
+Permissions: Root access (or appropriate sudo permissions) to store the encryption key safely under /root/ssec.key.
+
+### Setup & Configuration
+
+Open the script and fill in your STACKIT credentials and bucket name under the configuration block:
+
+```bash
+export AWS_ACCESS_KEY_ID="YOUR_ACCESS_KEY"
+export AWS_SECRET_ACCESS_KEY="YOUR_SECRET_ACCESS_KEY"
+BUCKET="s3://your-bucket-name"
+```
+
+Note: On its very first run, the script will automatically generate a cryptographically secure 32-byte binary AES key using openssl and lock down its file permissions (chmod 400).
+
+### Usage
+
+Make the script executable:
+
+```bash
+chmod +x s3-ssec.sh
+```
+
+1. Uploading a File (Encrypted)
+ To upload and encrypt a local file, pass upload followed by the file path:
+
+```bash
+./s3-ssec.sh upload /path/to/local/file.txt
+```
+
+The file will be encrypted on the fly by the STACKIT storage backend using your generated key.
+
+2. Downloading a File (Decrypted)
+ To download and decrypt an object from the bucket, pass download followed by the remote object name:
+
+```bash
+./s3-ssec.sh download file.txt
+```
+
+The script will fetch the file, provide the required key headers, and save the decrypted file locally as ./file.txt_downloaded.
+
+Security Warning ⚠️
+Backup your Key: If you lose the /root/ssec.key file, any data encrypted with it in the bucket cannot be recovered.
+
+Credential Rotation: Never commit the script to public repositories while it contains live AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY strings. Use environment variables or secret managers in production environments.
+
+---
+
+## `check-stackit-ip.sh`
+
+Looks up the STACKIT public IP ranges (via `stackit curl https://iaas.api.eu01.stackit.cloud/v1/networks/public-ip-ranges`) and tells you whether a given IP falls inside any of them. Useful to verify whether a public-facing address actually originates from STACKIT.
+
+Exits `0` if the IP is found, `1` otherwise.
+
+### Example
+
+```bash
+# Check a single IP
+./check-stackit-ip.sh 45.129.40.1
+```
+
+Sample output:
+
+```
+Fetching STACKIT IP ranges...
+Found: 45.129.40.1 is in the range 45.129.40.0/22
+```
+
+---
+
+## `create-kubeconfig-multiple-projects.sh`
+
+Logs in to STACKIT, iterates over a hard-coded list of project IDs, lists all SKE clusters in each project and writes a 60-day kubeconfig for every cluster into a single kubeconfig file.
+
+Edit the `projects=( ... )` array near the bottom of the script before running.
+
+### Flags
+
+- `-f, --filepath ` — destination kubeconfig path (default: `$HOME/.kube/config`).
+- `-h, --help` — show usage.
+
+### Examples
+
+```bash
+# Write to default ~/.kube/config (will prompt before overwriting)
+./create-kubeconfig-multiple-projects.sh
+
+# Write to a custom location
+./create-kubeconfig-multiple-projects.sh -f ~/.kube/stackit-config
+```
+
+---
+
+## `delete-unused-volumes.sh`
+
+Lists all STACKIT volumes in the currently configured project and deletes those with status `AVAILABLE`.
+
+Set `DRY_RUN=1` at the top of the script to preview the deletions without executing them.
+
+### Examples
+
+```bash
+# Make sure the right project is selected
+stackit config set --project-id
+
+# Preview what would be deleted (edit DRY_RUN=1 in the script first)
+./delete-unused-volumes.sh
+
+# Actually delete unused volumes
+./delete-unused-volumes.sh
+```
+
+---
+
+## `ske-show-versions.sh`
+
+Prints a tabular overview of SKE clusters across the project IDs configured in the `projectid` variable. For each nodepool it shows the Kubernetes version and the Flatcar machine image version, annotated with `supported` or the `expirationDate` for deprecated versions. Rows containing any deprecated version are highlighted in red.
+
+The script enforces a minimum STACKIT CLI version (`0.59.0`).
+
+Edit the `projectid="..."` variable (space-separated list) before running.
+
+### Example
+
+```bash
+./ske-show-versions.sh
+```
+
+Sample output:
+
+```
+CLUSTER NAME SKE VERSION NODEPOOL FLATCAR VERSION MACHINE TYPE PROJECT ID
+------------ ----------- -------- --------------- ------------ ----------
+prod-cluster 1.30.4 (supported) default 4081.2.0 (supported) c1.4 xxxxxxxx-...
+legacy-cluster 1.27.9 (exp. 2026-05-01) default 3815.2.5 (exp. 2026-03-15) c1.2 yyyyyyyy-...
+
+Summary:
+Total clusters: 2
+```
+
+---
+
+## `smctl.sh`
+
+Wrapper around the `vault` CLI to works with secrets in STACKIT Secrets Manager, think about it as `kubectl` but for secrets.
+
+### Required environment variables
+
+| Variable | Description |
+| ------------- | -------------------------------------------------------------- |
+| `SM_USERNAME` | STACKIT Secret Manager username |
+| `SM_PASSWORD` | STACKIT Secret Manager password |
+| `SM_ID` | KV secrets engine mount path (your secret manager instance ID) |
+
+### Commands
+
+| Command | Description |
+| -------------------------------- | --------------------------------------------------------------------------------------------------- |
+| `get ` | Print the value of a single key. |
+| `get all` | Print all keys as `key: value`. |
+| `get all-export` | Print all keys as `export key=value` (suitable for `eval`/`source`). |
+| `put [value]` | Write/update a key. Reads from stdin if no value is given. Existing keys at the path are preserved. |
+| `list` | List all secret paths under the mount. |
+| `list ` | List all keys at a specific path. |
+| `help` | Show usage. |
+
+### Examples
+
+```bash
+export SM_USERNAME='my-user'
+export SM_PASSWORD='my-pass'
+export SM_ID='sm-xxxxxxxx'
+
+# List all paths
+./smctl.sh list
+
+# List keys at a path
+./smctl.sh list postgresql
+
+# Read a single value
+./smctl.sh get postgresql db_password
+
+# Dump everything at a path
+./smctl.sh get postgresql all
+
+# Load all secrets at a path into the current shell
+eval "$(./smctl.sh get postgresql all-export)"
+
+# Write a value directly
+./smctl.sh put postgresql db_password 'super-secret'
+
+# Write a value from a file (e.g. a full .env)
+./smctl.sh put terraform secret-env < .env
+```
+
+---
+
+## `list-project-resources.sh`
+
+Iterates over the listable STACKIT services (DNS, Git, Load Balancers, SKE etc.) and prints a Markdown report containing one section per project with a table per resource type. Intended to be redirected into a `.md` file.
+
+Project IDs are passed as arguments — at least one is required.
+
+### Example
+
+```bash
+# Single project
+./list-project-resources.sh xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx > project-inventory.md
+
+# Multiple projects in one report
+./list-project-resources.sh \
+ xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
+ yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy \
+ > inventory.md
+```
+
+Sample output (excerpt):
+
+```markdown
+## Project: my-prod-project (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)
+
+**SKE Clusters:**
+|name|status|...|
+|---|---|---|
+|prod-cluster|HEALTHY|...|
+
+**Public IPs:**
+N/A
+
+last update: Thu, 16-Apr-2026 14:42:11 CEST
+```
+
+---
+
+## `vault-migrate.sh`
+
+Migrates secrets between two KV v2-compatible secret backends, typically from a HashiCorp Vault instance into STACKIT Secrets Manager, or from one STACKIT Secrets Manager instance to another (both expose the Vault KV v2 API). Source authentication can be `userpass` or `ldap` (LDAP triggers an interactive password prompt); the target always uses `userpass`. Recursively walks all paths under the source mount unless `MIGRATE_PATHS` is set.
+
+### Flags
+
+- `-d, --dry-run` — show what would be migrated without writing.
+- `-v, --verbose` — verbose progress output.
+- `-s, --skip-existing` — skip secrets that already exist in the target.
+- `--debug` — debug output (implies `--verbose`).
+- `-h, --help` — show usage.
+
+### Required environment variables
+
+| Variable | Description |
+| ---------------------- | ----------------------------------------------------------------- |
+| `SOURCE_VAULT_ADDR` | Source Vault address (e.g. `https://vault.example.com`). |
+| `SOURCE_SM_ID` | Source KV mount path. |
+| `SOURCE_AUTH_METHOD` | `userpass` (default) or `ldap`. |
+| `SOURCE_SM_USERNAME` | Source username — required when `SOURCE_AUTH_METHOD=userpass`. |
+| `SOURCE_SM_PASSWORD` | Source password — required when `SOURCE_AUTH_METHOD=userpass`. |
+| `SOURCE_LDAP_USERNAME` | LDAP username — required when `SOURCE_AUTH_METHOD=ldap`. |
+| `TARGET_VAULT_ADDR` | Target Vault address. |
+| `TARGET_SM_USERNAME` | Target Vault username (always userpass). |
+| `TARGET_SM_PASSWORD` | Target Vault password. |
+| `TARGET_SM_ID` | Target KV mount path. |
+| `MIGRATE_PATHS` | Optional space-separated list of paths to migrate (default: all). |
+
+### Examples
+
+```bash
+# Common target setup
+export TARGET_VAULT_ADDR="https://prod.sm.eu01.stackit.cloud"
+export TARGET_SM_USERNAME="target-user"
+export TARGET_SM_PASSWORD=''
+export TARGET_SM_ID="sm-target-xxxx"
+
+# 1) Dry run — migrate everything from a userpass source
+export SOURCE_VAULT_ADDR="https://old.vault.example.com"
+export SOURCE_SM_ID="sm-source-xxxx"
+export SOURCE_AUTH_METHOD="userpass"
+export SOURCE_SM_USERNAME="source-user"
+export SOURCE_SM_PASSWORD=''
+./vault-migrate.sh --dry-run --verbose
+
+# 2) Migrate from an LDAP source (will prompt for password)
+export SOURCE_AUTH_METHOD="ldap"
+export SOURCE_LDAP_USERNAME="myuser"
+./vault-migrate.sh
+
+# 3) Migrate only selected paths, skipping ones that already exist
+export MIGRATE_PATHS="postgresql redis terraform"
+./vault-migrate.sh --skip-existing --verbose
+```
diff --git a/scripts/check-stackit-ip.sh b/scripts/check-stackit-ip.sh
new file mode 100755
index 0000000..48da5ff
--- /dev/null
+++ b/scripts/check-stackit-ip.sh
@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+
+# check-ip: Checks if a given IP address is in the STACKIT public IP ranges.
+# Usage: ./check-ip
+# Example: ./check-ip 45.129.40.1
+
+# Check if an IP address was provided as an argument
+if [ -z "$1" ]; then
+ echo "Usage: $0 "
+ echo "Example: $0 45.129.40.1"
+ exit 1
+fi
+
+IP_TO_CHECK="$1"
+
+# Check for required commands.
+# We need 'stackit', 'jq', and 'grepcidr'.
+for cmd in stackit jq grepcidr; do
+ if ! command -v $cmd &> /dev/null; then
+ echo "Error: Required command '$cmd' is not installed." >&2
+ echo "Please install it and ensure it's in your PATH." >&2
+ exit 1
+ fi
+done
+
+echo "Fetching STACKIT IP ranges..." >&2
+
+FOUND=0
+RANGES_CHECKED=0
+
+while read -r RANGE; do
+ # Skip empty lines, just in case
+ if [ -z "$RANGE" ]; then
+ continue
+ fi
+
+ RANGES_CHECKED=$((RANGES_CHECKED + 1))
+
+ if echo "$IP_TO_CHECK" | grepcidr -s "$RANGE"; then
+ echo "Found: $IP_TO_CHECK is in the range $RANGE"
+ FOUND=1
+ break
+ fi
+done < <(stackit curl "https://iaas.api.eu01.stackit.cloud/v1/networks/public-ip-ranges" | jq -r '.items[].cidr')
+
+# Check if we processed any ranges at all
+if [ $RANGES_CHECKED -eq 0 ]; then
+ echo "Error: Failed to fetch or parse IP ranges from STACKIT API." >&2
+ exit 1
+fi
+
+# Check the flag after the loop
+if [ $FOUND -eq 0 ]; then
+ # If the loop finished without finding anything, print a "not found" message
+ echo "Not found: $IP_TO_CHECK is not in any of the STACKIT ranges."
+ exit 1
+fi
+
+exit 0
diff --git a/scripts/create-kubeconfig-multiple-projects.sh b/scripts/create-kubeconfig-multiple-projects.sh
index f954083..8d7b94e 100644
--- a/scripts/create-kubeconfig-multiple-projects.sh
+++ b/scripts/create-kubeconfig-multiple-projects.sh
@@ -1,22 +1,67 @@
#!/bin/bash
-rm -rf ~/.kube/config
+# 1. Check for required dependencies
+for cmd in stackit yq; do
+ if ! command -v "$cmd" &> /dev/null; then
+ echo "Error: Required command '$cmd' is not installed or not in your PATH." >&2
+ echo "Please install it before running this script." >&2
+ exit 1
+ fi
+done
+
+# Default path for kubeconfig
+KUBECONFIG_PATH="$HOME/.kube/config"
+
+# 2. Parse command line arguments for a custom filepath
+while [[ "$#" -gt 0 ]]; do
+ case $1 in
+ -f|--filepath)
+ KUBECONFIG_PATH="$2"
+ shift 2
+ ;;
+ -h|--help)
+ echo "Usage: $0 [-f|--filepath ]"
+ exit 0
+ ;;
+ *)
+ echo "Unknown parameter passed: $1"
+ echo "Usage: $0 [-f|--filepath ]"
+ exit 1
+ ;;
+ esac
+done
+
+# 3. Safely check if the file exists and ask for confirmation
+if [[ -f "$KUBECONFIG_PATH" ]]; then
+ read -p "The file '$KUBECONFIG_PATH' already exists. Do you want to delete it before continuing? [y/N]: " confirm
+ if [[ "$confirm" =~ ^[Yy]$ ]]; then
+ rm "$KUBECONFIG_PATH"
+ echo "Deleted '$KUBECONFIG_PATH'."
+ else
+ echo "Keeping the existing file. New configurations will be merged/appended."
+ fi
+fi
+
+# Ensure the target directory exists just in case a custom path was provided
+mkdir -p "$(dirname "$KUBECONFIG_PATH")"
+
+# Export the KUBECONFIG environment variable so the STACKIT CLI targets the correct file
+export KUBECONFIG="$KUBECONFIG_PATH"
+
stackit auth login
projects=(
"xxx-xxx-xxx-xxx"
)
-
for project in "${projects[@]}"; do
stackit config set --project-id "$project"
clusters_yaml=$(stackit ske cluster list -o yaml)
-
cluster_names=$(echo "$clusters_yaml" | yq e '.[] | .name' -)
for cluster_name in $cluster_names; do
- echo "Creating kubeconfig for cluster: $cluster_name"
+ echo "Creating kubeconfig for cluster: $cluster_name (saving to $KUBECONFIG_PATH)"
stackit ske kubeconfig create --expiration 60d "$cluster_name" -y
done
done
diff --git a/scripts/delete-unused-volumes.sh b/scripts/delete-unused-volumes.sh
index 7146b2a..800c732 100644
--- a/scripts/delete-unused-volumes.sh
+++ b/scripts/delete-unused-volumes.sh
@@ -1,5 +1,14 @@
#!/bin/bash
+# 1. Check for required dependencies
+for cmd in stackit yq; do
+ if ! command -v "$cmd" &> /dev/null; then
+ echo "Error: Required command '$cmd' is not installed or not in your PATH." >&2
+ echo "Please install it before running this script." >&2
+ exit 1
+ fi
+done
+
# Set to 1 to only print the volumes that would be deleted (no actual deletion)
DRY_RUN=0
diff --git a/scripts/list-project-resources.sh b/scripts/list-project-resources.sh
new file mode 100755
index 0000000..02c3def
--- /dev/null
+++ b/scripts/list-project-resources.sh
@@ -0,0 +1,133 @@
+#!/bin/bash
+
+# Script to list (all) resources of a STACKIT project
+# Ideally, you redirect the output into a markdown file.
+
+set -euo pipefail
+
+# Check if stackit cli is installed
+if ! command -v stackit &> /dev/null; then
+ echo "Error: stackit command not found"
+ echo "Please install STACKIT CLI from:"
+ echo "https://github.com/stackitcloud/stackit-cli/blob/main/INSTALLATION.md"
+ exit 1
+fi
+
+# Check if stackit is properly authenticated; only login if the session is gone
+if ! stackit auth get-access-token &> /dev/null; then
+ echo "Session expired. Logging in..."
+ stackit auth login || { echo "Error: stackit authentication failed."; exit 1; }
+fi
+
+# Check if jq is installed
+if ! command -v jq &> /dev/null; then
+ echo "Error: 'jq' is not installed."
+ exit 1
+fi
+
+# Function to display usage and handle errors
+display_usage() {
+ echo "Usage: $0 ..."
+ echo "Example: $0 xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy >output.md"
+ exit 1
+}
+
+# Function to get project information
+get_project_name() {
+ local project_id=$1
+
+ local project_name=""
+ project_name=$(stackit project describe --project-id "$project_id" --output-format json 2>/dev/null \
+ | jq -r '.name // empty')
+ # If the CLI call fails or .name is missing, fall back to the raw ID
+ [[ -z "$project_name" ]] && project_name="$project_id"
+ echo "## Project: $project_name ($project_id)"
+ echo ""
+}
+
+# Function to get resource information
+fetch_resources() {
+ local service=$1
+ local type=$2
+ local label=$3
+ local fields=${4:-} # comma-separated list of fields to keep; empty = all
+
+ # Build the CLI command - omit the type if it's empty
+ if [[ -z "$type" ]]; then
+ json_output=$(stackit "$service" list --project-id "$project_id" --output-format json)
+ else
+ json_output=$(stackit "$service" "$type" list --project-id "$project_id" --output-format json)
+ fi
+
+ local header
+ local separation_line
+ local data
+
+ # Check whether json output is empty/null - indicating no resource of that service type found - and print it
+ if [[ -z "$json_output" ]] || [[ "$json_output" == "[]" ]] || [[ "$json_output" == "null" ]]; then
+ echo "**$label:**"
+ echo "N/A"
+ echo -e "\n"
+ return
+ fi
+
+ # Narrow output to only the requested fields (preserving their order)
+ if [[ -n "$fields" ]]; then
+ json_output=$(jq --arg fields "$fields" '
+ ($fields | split(",")) as $keep |
+ map(. as $item | reduce $keep[] as $k ({}; . + {($k): $item[$k]}))
+ ' <<< "$json_output")
+ fi
+
+ # Format the json output into a markdown table
+ header=$(jq -r '.[0] | to_entries | map(.key) | join("\t")' <<< "$json_output" | sed 's/\t/|/g; s/^/|/; s/$/|/')
+ separation_line=$(jq -r '.[0] | to_entries | map("|---") | join("")' <<< "$json_output")
+ data=$(jq -r '.[] | to_entries | map(.value|tostring) | join("\t")' <<< "$json_output" | sed 's/\t/|/g; s/^/|/; s/$/|/')
+
+ echo "**$label:**"
+ echo "$header"
+ echo "$separation_line"
+ echo "$data"
+ echo -e "\n"
+}
+
+get_project_resources() {
+
+ # call function to get project name
+ get_project_name "$project_id"
+
+ # Format: service, type, label, fields (comma-separated; empty = all fields)
+ services=("dns" "zone" "DNS Zones" "name,dnsName,type,visibility,state,recordCount,id"
+ "git" "instance" "Git Instances" ""
+ "load-balancer" "" "Load Balancers" ""
+ "logme" "instance" "LogMe Instances" ""
+ "mariadb" "instance" "MariaDB Instances" ""
+ "mongodbflex" "instance" "MongoDB Flex Instances" ""
+ "object-storage" "bucket" "Object Storage Buckets" ""
+ "observability" "instance" "Observability Instances" ""
+ "opensearch" "instance" "OpenSearch Instances" ""
+ "postgresflex" "instance" "Postgres Flex Instances" ""
+ "public-ip" "" "Public IPs" ""
+ "rabbitmq" "instance" "RabbitMQ Instances" ""
+ "redis" "instance" "Redis Instances" ""
+ "secrets-manager" "instance" "Secrets Manager Instances" ""
+ "service-account" "" "Service Accounts" ""
+ "ske" "cluster" "SKE Clusters" "")
+
+ for ((i=0; i<${#services[@]}; i+=4)); do
+ fetch_resources "${services[i]}" "${services[i+1]}" "${services[i+2]}" "${services[i+3]}"
+ done
+
+ echo "last update: $(date +"%a, %d-%b-%Y %H:%M:%S %Z")"
+}
+
+# Main script
+if [ $# -eq 0 ]; then
+ echo "Error: No project IDs provided"
+ display_usage
+fi
+
+# Process each project ID
+for project_id in "$@"; do
+ get_project_resources "$project_id"
+done
diff --git a/scripts/s3-ssec.sh b/scripts/s3-ssec.sh
new file mode 100755
index 0000000..e60b534
--- /dev/null
+++ b/scripts/s3-ssec.sh
@@ -0,0 +1,74 @@
+#!/bin/bash
+set -e # Exit immediately if a command exits with a non-zero status
+
+# Help / Usage output
+usage() {
+ echo "Usage: $0 "
+ echo "Examples:"
+ echo " $0 upload /path/to/local/file.txt"
+ echo " $0 download file.txt"
+ exit 1
+}
+
+# Check for required arguments
+if [ -z "$1" ] || [ -z "$2" ]; then
+ usage
+fi
+
+ACTION="$1"
+TARGET_FILE="$2"
+
+# ==============================================================================
+# CONFIGURATION
+# ==============================================================================
+export AWS_ACCESS_KEY_ID=""
+export AWS_SECRET_ACCESS_KEY=""
+export AWS_DEFAULT_REGION="eu01"
+
+ENDPOINT="https://object.storage.eu01.onstackit.cloud"
+BUCKET="s3://mybucket"
+KEY_FILE="/root/ssec.key"
+
+# ==============================================================================
+# 1. GENERATE BINARY KEY (Only required once if the key file doesn't exist)
+# ==============================================================================
+if [ ! -f "$KEY_FILE" ]; then
+ echo "[*] Generating new binary 32-byte AES key..."
+ openssl rand 32 > "$KEY_FILE"
+ chmod 600 "$KEY_FILE"
+fi
+
+# ==============================================================================
+# 2. ACTION EXECUTION (UPLOAD OR DOWNLOAD)
+# ==============================================================================
+if [ "$ACTION" == "upload" ]; then
+ # Check if the local file exists before uploading
+ if [ ! -f "$TARGET_FILE" ]; then
+ echo "Error: Local file '$TARGET_FILE' does not exist!"
+ exit 1
+ fi
+
+ REMOTE_NAME=$(basename "$TARGET_FILE")
+
+ echo "[*] Starting SSE-C upload of '$TARGET_FILE' to STACKIT..."
+ aws --endpoint-url "$ENDPOINT" s3 cp "$TARGET_FILE" "$BUCKET/$REMOTE_NAME" \
+ --sse-c AES256 \
+ --sse-c-key "fileb://$KEY_FILE"
+
+ echo "[+] Upload successful! '$REMOTE_NAME' is now stored encrypted in the bucket. 🚀"
+
+elif [ "$ACTION" == "download" ]; then
+ REMOTE_NAME=$(basename "$TARGET_FILE")
+ LOCAL_DOWNLOAD_PATH="./${REMOTE_NAME}_downloaded"
+
+ echo "[*] Starting SSE-C download of '$REMOTE_NAME' from STACKIT..."
+ aws --endpoint-url "$ENDPOINT" s3 cp "$BUCKET/$REMOTE_NAME" "$LOCAL_DOWNLOAD_PATH" \
+ --sse-c AES256 \
+ --sse-c-key "fileb://$KEY_FILE"
+
+ echo "[+] Download successful! Saved to '$LOCAL_DOWNLOAD_PATH' 🚀"
+
+else
+ echo "Error: Invalid action '$ACTION'."
+ usage
+fi
diff --git a/scripts/ske-show-versions.sh b/scripts/ske-show-versions.sh
new file mode 100755
index 0000000..3107df0
--- /dev/null
+++ b/scripts/ske-show-versions.sh
@@ -0,0 +1,86 @@
+#!/bin/bash
+
+export STACKIT_CLI_MIN_MAJOR=0
+export STACKIT_CLI_MIN_MINOR=59
+export STACKIT_CLI_MIN_PATCH=0
+
+# Script to show SKE cluster versions and nodepool flatcar versions
+
+set -euo pipefail
+
+# Check if stackit command is available
+if ! command -v stackit &> /dev/null; then
+ echo "Error: stackit command not found"
+ echo "Please install STACKIT CLI from:"
+ echo "https://github.com/stackitcloud/stackit-cli/blob/main/INSTALLATION.md"
+ exit 1
+fi
+
+# Check if stackit-cli is supported
+stackit -v |awk -v maj="$STACKIT_CLI_MIN_MAJOR" -v min="$STACKIT_CLI_MIN_MINOR" -v pat="$STACKIT_CLI_MIN_PATCH" '/Version:/ { { split($2, a, ".");
+current_maj = a[1];
+current_min = a[2];
+current_pat = a[3];
+if (current_maj > maj || (current_maj == maj && current_min > min) || (current_maj == maj && current_min == min && current_pat >= pat)) {
+ print "✅ Version supported (" current_maj "." current_min "." current_pat ")";
+ exit 0;
+ } else {
+ print "❌ STACKIT CLI version not supported. Need at least " maj "." min "." pat;
+ exit 1;
+ }
+ }
+}'
+
+# Define project IDs (space-separated)
+projectid="xxxxxx yyyyy"
+
+# Collect all clusters from all projects
+all_clusters="[]"
+
+echo "Fetching SKE cluster information..."
+for pid in $projectid; do
+ echo "Fetching clusters for project ID: $pid"
+ clusters=$(stackit ske cluster list -o json --project-id "$pid")
+
+ # Merge with existing clusters
+ all_clusters=$(echo "$all_clusters" "$clusters" | jq -s '.[0] + .[1]')
+done
+
+# Print header
+printf "\n%-20s %-30s %-20s %-30s %-15s %-40s\n" "CLUSTER NAME" "SKE VERSION" "NODEPOOL" "FLATCAR VERSION" "MACHINE TYPE" "PROJECT ID"
+printf "%-20s %-30s %-20s %-30s %-15s %-40s\n" "------------" "-----------" "--------" "---------------" "------------" "----------"
+
+# Parse JSON and display information
+for pid in $projectid; do
+ clusters=$(stackit ske cluster list -o json --project-id "$pid")
+
+ echo "$clusters" | jq -r --arg pid "$pid" '.[] |
+ .name as $cluster_name |
+ .kubernetes.version as $k8s_version |
+ .nodepools[] |
+ [$cluster_name, $k8s_version, .name, .machine.image.version, .machine.type, $pid] |
+ @tsv' | while IFS=$'\t' read -r cluster ske_version nodepool flatcar_version machine_type project; do
+
+ k8s_version_desc=$(stackit ske options kubernetes-versions -o json | jq -r --arg VERSION $ske_version '.kubernetesVersions[] | select(.version == $VERSION) | if .state == "deprecated" then "exp. "+.expirationDate[0:10] else "supported" end ')
+ k8s_version_state=$(stackit ske options kubernetes-versions -o json | jq -r --arg VERSION $ske_version '.kubernetesVersions[] | select(.version == $VERSION).state')
+
+ flatcar_version_desc=$(stackit ske options machine-images -o json | jq -r --arg VERSION $flatcar_version '.machineImages[] | select(.name == "flatcar") | .versions[] | select(.version == $VERSION) | if .state == "deprecated" then "exp. "+.expirationDate[0:10] else "supported" end ' )
+ flatcar_version_state=$(stackit ske options machine-images -o json | jq -r --arg VERSION $flatcar_version '.machineImages[] | select(.name == "flatcar") | .versions[] | select(.version == $VERSION).state' )
+
+ GREEN='\033[0;32m'
+ RED='\033[0;31m'
+ NC='\033[0m'
+
+ if [[ "$k8s_version_state" == "deprecated" || "$flatcar_version_state" == "deprecated" ]]; then
+ ROW_COLOR=$RED
+ else
+ ROW_COLOR=$GREEN
+ fi
+
+ printf "${ROW_COLOR}%-20s %-30s %-20s %-30s %-15s %-40s${NC}\n" "$cluster" "$ske_version ($k8s_version_desc)" "$nodepool" "$flatcar_version ($flatcar_version_desc) " "$machine_type" "$project"
+ done
+done
+
+echo ""
+echo "Summary:"
+echo "$all_clusters" | jq -r 'length | "Total clusters: \(.)"'
diff --git a/scripts/smctl.sh b/scripts/smctl.sh
new file mode 100755
index 0000000..86504a8
--- /dev/null
+++ b/scripts/smctl.sh
@@ -0,0 +1,215 @@
+#!/usr/bin/env bash
+# Unified Secret Manager utility for STACKIT Secret Manager (Vault v2)
+# Usage: smkey.sh [args]
+
+set -euo pipefail
+
+# Check for required dependencies
+for cmd in vault jq; do
+ if ! command -v "$cmd" &> /dev/null; then
+ echo "Error: Required command '$cmd' is not installed or not in your PATH." >&2
+ echo "Please install it before running this script." >&2
+ exit 1
+ fi
+done
+
+export VAULT_ADDR="https://prod.sm.eu01.stackit.cloud"
+
+# Ensure required env variables are set
+: "${SM_USERNAME:?Environment variable SM_USERNAME is not set}"
+: "${SM_PASSWORD:?Environment variable SM_PASSWORD is not set}"
+: "${SM_ID:?Environment variable SM_ID is not set}"
+
+# Function to authenticate and get Vault token
+authenticate() {
+ if [ -z "${VAULT_TOKEN:-}" ]; then
+ export VAULT_TOKEN=$(vault login --address "${VAULT_ADDR}" -no-store -format=json \
+ --method=userpass username="${SM_USERNAME}" password="${SM_PASSWORD}" 2>/dev/null | jq -r .auth.client_token)
+ fi
+}
+
+# Function to display usage
+usage() {
+ cat < [args]
+
+Commands:
+ get Get a specific secret value
+ Example: $0 get postgresql db_password
+
+ get all Get all key-value pairs in "key: value" format
+ Example: $0 get postgresql all
+
+ get all-export Get all key-value pairs in "export key=value" format
+ Example: $0 get postgresql all-export
+
+ put [value] Put a secret value (from argument or stdin)
+ Example: $0 put postgresql db_password myvalue123
+ Example: $0 put terraform secret-env < .env
+
+ list [vault_path] List all available vault paths (no arg)
+ or list all keys in a specific vault path
+ Example: $0 list
+ Example: $0 list postgresql
+
+ help Show this help message
+
+Environment variables required:
+ SM_USERNAME STACKIT Secret Manager username
+ SM_PASSWORD STACKIT Secret Manager password
+ SM_ID KV secrets engine mount path
+EOF
+ exit 1
+}
+
+# Command: get
+cmd_get() {
+ if [ $# -ne 2 ]; then
+ echo "Error: 'get' requires and arguments"
+ echo "Usage: $0 get "
+ echo " $0 get all # Get all keys in 'key: value' format"
+ echo " $0 get all-export # Get all keys in 'export key=value' format"
+ exit 1
+ fi
+
+ local vault_path="$1"
+ local secret_key="$2"
+
+ authenticate
+
+ # Handle special "all" and "all-export" keys
+ if [ "${secret_key}" = "all" ]; then
+ # Get all key-value pairs in "key: value" format
+ local secret_data=$(vault kv get -mount="${SM_ID}" -format=json "${vault_path}" 2>/dev/null)
+
+ if [ $? -ne 0 ] || [ -z "${secret_data}" ]; then
+ echo "Error: No secret found at path '${vault_path}'"
+ exit 1
+ fi
+
+ # Output in simple "key: value" format
+ echo "${secret_data}" | jq -r '.data.data | to_entries[] | "\(.key): \(.value)"'
+ return
+ fi
+
+ if [ "${secret_key}" = "all-export" ]; then
+ # Get all key-value pairs in "export key=value" format
+ local secret_data=$(vault kv get -mount="${SM_ID}" -format=json "${vault_path}" 2>/dev/null)
+
+ if [ $? -ne 0 ] || [ -z "${secret_data}" ]; then
+ echo "Error: No secret found at path '${vault_path}'"
+ exit 1
+ fi
+
+ # Output in "export key=value" format
+ echo "${secret_data}" | jq -r '.data.data | to_entries[] | "export \(.key)=\(.value)"'
+ return
+ fi
+
+ # Standard single key retrieval
+ vault kv get -mount="${SM_ID}" -field="${secret_key}" "${vault_path}"
+}
+
+# Command: put
+cmd_put() {
+ if [ $# -lt 2 ] || [ $# -gt 3 ]; then
+ echo "Error: 'put' requires and arguments, with optional "
+ echo "Usage: $0 put # Provide value directly"
+ echo " $0 put < input_file # Read value from file"
+ exit 1
+ fi
+
+ local vault_path="$1"
+ local secret_key="$2"
+
+ authenticate
+
+ # Get current secret data (if exists)
+ local current_data=$(vault kv get -mount="${SM_ID}" -format=json "${vault_path}" 2>/dev/null | jq -r '.data.data' || echo "{}")
+
+ # Read new value from argument or stdin
+ local new_value
+ if [ $# -eq 3 ]; then
+ # Value provided as argument
+ new_value="$3"
+ else
+ # Read value from stdin
+ new_value=$(cat)
+ fi
+
+ # Merge existing keys with new key/value
+ local updated_data=$(echo "${current_data}" | jq --arg k "${secret_key}" --arg v "${new_value}" '. + {($k): $v}')
+
+ # Build arguments for vault kv put
+ local put_args=()
+ while IFS= read -r key; do
+ local value=$(echo "${updated_data}" | jq -r --arg k "$key" '.[$k]')
+ put_args+=("${key}=${value}")
+ done < <(echo "${updated_data}" | jq -r 'keys[]')
+
+ # Write merged data back to Vault
+ vault kv put -mount="${SM_ID}" "${vault_path}" "${put_args[@]}"
+}
+
+# Command: list
+cmd_list() {
+ authenticate
+
+ # If no path provided, list all vault paths
+ if [ $# -eq 0 ]; then
+ echo "Available vault paths:"
+ vault kv list -mount="${SM_ID}" -format=json | jq -r '.[]' 2>/dev/null || {
+ echo "Error: Unable to list vault paths or no paths found"
+ exit 1
+ }
+ return
+ fi
+
+ # If path provided, list all keys in that path
+ if [ $# -ne 1 ]; then
+ echo "Error: 'list' requires zero or one argument"
+ echo "Usage: $0 list [vault_path]"
+ exit 1
+ fi
+
+ local vault_path="$1"
+
+ # Get the secret and list all keys
+ local secret_data=$(vault kv get -mount="${SM_ID}" -format=json "${vault_path}" 2>/dev/null)
+
+ if [ $? -ne 0 ] || [ -z "${secret_data}" ]; then
+ echo "Error: No secret found at path '${vault_path}'"
+ exit 1
+ fi
+
+ echo "Keys in ${vault_path}:"
+ echo "${secret_data}" | jq -r '.data.data | keys[]'
+}
+
+# Main command dispatcher
+if [ $# -eq 0 ]; then
+ usage
+fi
+
+COMMAND="$1"
+shift
+
+case "${COMMAND}" in
+ get)
+ cmd_get "$@"
+ ;;
+ put)
+ cmd_put "$@"
+ ;;
+ list)
+ cmd_list "$@"
+ ;;
+ help|--help|-h)
+ usage
+ ;;
+ *)
+ echo "Error: Unknown command '${COMMAND}'"
+ echo
+ usage
+ ;;
+esac
diff --git a/scripts/vault-migrate.sh b/scripts/vault-migrate.sh
new file mode 100755
index 0000000..34c9dd9
--- /dev/null
+++ b/scripts/vault-migrate.sh
@@ -0,0 +1,467 @@
+#!/usr/bin/env bash
+# Vault Secret Migration Script - Migrate secrets between Vault instances using v2 API
+# Usage: vault-migrate.sh [options]
+
+set -euo pipefail
+
+# Default values
+DRY_RUN=false
+VERBOSE=false
+SKIP_EXISTING=false
+DEBUG=false
+
+# Source Vault configuration
+: "${SOURCE_VAULT_ADDR:?Environment variable SOURCE_VAULT_ADDR is not set}"
+: "${SOURCE_SM_ID:?Environment variable SOURCE_SM_ID is not set (KV mount path)}"
+
+# Source authentication method (userpass or ldap)
+SOURCE_AUTH_METHOD="${SOURCE_AUTH_METHOD:-userpass}"
+
+# Validate source authentication variables based on method
+if [ "${SOURCE_AUTH_METHOD}" = "userpass" ]; then
+ : "${SOURCE_SM_USERNAME:?Environment variable SOURCE_SM_USERNAME is not set (required for userpass auth)}"
+ : "${SOURCE_SM_PASSWORD:?Environment variable SOURCE_SM_PASSWORD is not set (required for userpass auth)}"
+elif [ "${SOURCE_AUTH_METHOD}" = "ldap" ]; then
+ : "${SOURCE_LDAP_USERNAME:?Environment variable SOURCE_LDAP_USERNAME is not set (required for ldap auth)}"
+ # Note: LDAP password is NOT required as env var - will use interactive login
+else
+ echo "Error: SOURCE_AUTH_METHOD must be 'userpass' or 'ldap' (got: ${SOURCE_AUTH_METHOD})"
+ exit 1
+fi
+
+# Target Vault configuration
+: "${TARGET_VAULT_ADDR:?Environment variable TARGET_VAULT_ADDR is not set}"
+: "${TARGET_SM_USERNAME:?Environment variable TARGET_SM_USERNAME is not set}"
+: "${TARGET_SM_PASSWORD:?Environment variable TARGET_SM_PASSWORD is not set}"
+: "${TARGET_SM_ID:?Environment variable TARGET_SM_ID is not set (KV mount path)}"
+
+# Optional: specify paths to migrate (if not set, migrate all)
+MIGRATE_PATHS="${MIGRATE_PATHS:-}"
+
+# Check for required dependencies
+for cmd in vault jq; do
+ if ! command -v "$cmd" &>/dev/null; then
+ echo "Error: Required command '$cmd' not found in PATH"
+ exit 1
+ fi
+done
+
+# Function to display usage
+usage() {
+ cat </dev/null | jq -r .auth.client_token)
+ elif [ "${SOURCE_AUTH_METHOD}" = "ldap" ]; then
+ log_info "Authenticating to source Vault at ${SOURCE_VAULT_ADDR} (method: ldap, user: ${SOURCE_LDAP_USERNAME})..."
+
+ # Interactive LDAP login - vault will prompt for password
+ if ! vault login -address="${SOURCE_VAULT_ADDR}" -method=ldap username="${SOURCE_LDAP_USERNAME}" >/dev/null 2>&1; then
+ echo "Error: Failed to authenticate to source Vault using LDAP"
+ exit 1
+ fi
+
+ # Read token from vault token file
+ if [ -f "${HOME}/.vault-token" ]; then
+ SOURCE_VAULT_TOKEN=$(cat "${HOME}/.vault-token")
+ else
+ echo "Error: Vault token file not found at ${HOME}/.vault-token"
+ exit 1
+ fi
+ fi
+
+ if [ -z "${SOURCE_VAULT_TOKEN}" ] || [ "${SOURCE_VAULT_TOKEN}" = "null" ]; then
+ echo "Error: Failed to authenticate to source Vault using ${SOURCE_AUTH_METHOD}"
+ exit 1
+ fi
+ log_verbose "✓ Source authentication successful"
+ fi
+}
+
+# Function to authenticate to target Vault
+authenticate_target() {
+ if [ -z "${TARGET_VAULT_TOKEN:-}" ]; then
+ log_verbose "Authenticating to target Vault at ${TARGET_VAULT_ADDR}..."
+ TARGET_VAULT_TOKEN=$(vault login --address "${TARGET_VAULT_ADDR}" -no-store -format=json \
+ --method=userpass username="${TARGET_SM_USERNAME}" password="${TARGET_SM_PASSWORD}" 2>/dev/null | jq -r .auth.client_token)
+
+ if [ -z "${TARGET_VAULT_TOKEN}" ] || [ "${TARGET_VAULT_TOKEN}" = "null" ]; then
+ echo "Error: Failed to authenticate to target Vault"
+ exit 1
+ fi
+ log_verbose "✓ Target authentication successful"
+ fi
+}
+
+# Logging functions
+log_verbose() {
+ if [ "${VERBOSE}" = true ]; then
+ echo "$@" >&2
+ fi
+}
+
+log_debug() {
+ if [ "${DEBUG}" = true ]; then
+ echo "[DEBUG] $@" >&2
+ fi
+}
+
+log_info() {
+ echo "$@" >&2
+}
+
+log_error() {
+ echo "ERROR: $@" >&2
+}
+
+# Function to list paths at a given location
+list_paths_at() {
+ local base_path="$1"
+ local error_output
+ error_output=$(mktemp)
+
+ local paths
+ # Try JSON format first
+ paths=$(VAULT_ADDR="${SOURCE_VAULT_ADDR}" VAULT_TOKEN="${SOURCE_VAULT_TOKEN}" \
+ vault kv list -mount="${SOURCE_SM_ID}" "${base_path}" -format=json 2>"${error_output}" | jq -r '.[]' 2>/dev/null || echo "")
+
+ # If JSON failed, try table format
+ if [ -z "${paths}" ]; then
+ paths=$(VAULT_ADDR="${SOURCE_VAULT_ADDR}" VAULT_TOKEN="${SOURCE_VAULT_TOKEN}" \
+ vault kv list -mount="${SOURCE_SM_ID}" "${base_path}" 2>"${error_output}" | grep -v "^Keys$" | grep -v "^----$" | grep -v "^$" || echo "")
+ fi
+
+ rm -f "${error_output}"
+ echo "${paths}"
+}
+
+# Function to recursively get all secret paths from source Vault
+get_all_paths_recursive() {
+ local prefix="$1"
+ local paths
+
+ paths=$(list_paths_at "${prefix}")
+
+ for item in ${paths}; do
+ if [[ "${item}" == */ ]]; then
+ # It's a folder, recurse into it
+ log_debug "Found folder: ${prefix}${item}"
+ get_all_paths_recursive "${prefix}${item}"
+ else
+ # It's a secret, add it to the list
+ echo "${prefix}${item}"
+ fi
+ done
+}
+
+# Function to get all paths from source Vault
+get_all_paths() {
+ authenticate_source
+
+ log_verbose "Fetching all secret paths from source Vault..."
+
+ local cmd="VAULT_ADDR=\"${SOURCE_VAULT_ADDR}\" VAULT_TOKEN=\"${SOURCE_VAULT_TOKEN}\" vault kv list -mount=\"${SOURCE_SM_ID}\""
+ log_debug "Command: ${cmd}"
+
+ # Get all paths recursively starting from root
+ local all_secrets
+ all_secrets=$(get_all_paths_recursive "")
+
+ if [ -z "${all_secrets}" ]; then
+ log_error "No secrets found in source Vault"
+ log_error "Mount path: ${SOURCE_SM_ID}"
+ exit 1
+ fi
+
+ log_debug "Found secrets: ${all_secrets}"
+ echo "${all_secrets}"
+}
+
+# Function to get secret from source
+get_source_secret() {
+ local path="$1"
+
+ authenticate_source
+
+ local cmd="VAULT_ADDR=\"${SOURCE_VAULT_ADDR}\" VAULT_TOKEN=\"\" vault kv get -mount=\"${SOURCE_SM_ID}\" -format=json \"${path}\""
+ log_debug "Command: ${cmd}"
+
+ local error_output
+ error_output=$(mktemp)
+
+ local result
+ result=$(VAULT_ADDR="${SOURCE_VAULT_ADDR}" VAULT_TOKEN="${SOURCE_VAULT_TOKEN}" \
+ vault kv get -mount="${SOURCE_SM_ID}" -format=json "${path}" 2>"${error_output}" | jq -r '.data.data')
+
+ local exit_code=$?
+
+ if [ ${exit_code} -ne 0 ] || [ -z "${result}" ] || [ "${result}" = "null" ]; then
+ log_debug "Failed to read secret at path: ${path}"
+ if [ -s "${error_output}" ]; then
+ log_debug "Vault error output:"
+ cat "${error_output}" >&2
+ fi
+ rm -f "${error_output}"
+ echo ""
+ return 1
+ fi
+
+ rm -f "${error_output}"
+ echo "${result}"
+}
+
+# Function to check if secret exists in target
+target_secret_exists() {
+ local path="$1"
+
+ authenticate_target
+
+ VAULT_ADDR="${TARGET_VAULT_ADDR}" VAULT_TOKEN="${TARGET_VAULT_TOKEN}" \
+ vault kv get -mount="${TARGET_SM_ID}" -format=json "${path}" 2>/dev/null >/dev/null
+
+ return $?
+}
+
+# Function to put secret to target
+put_target_secret() {
+ local path="$1"
+ local secret_data="$2"
+
+ authenticate_target
+
+ # Convert JSON object to key=value arguments
+ local put_args=()
+ while IFS= read -r key; do
+ local value=$(echo "${secret_data}" | jq -r --arg k "$key" '.[$k]')
+ put_args+=("${key}=${value}")
+ done < <(echo "${secret_data}" | jq -r 'keys[]')
+
+ if [ ${#put_args[@]} -eq 0 ]; then
+ log_error "No key-value pairs found in secret data for path '${path}'"
+ return 1
+ fi
+
+ VAULT_ADDR="${TARGET_VAULT_ADDR}" VAULT_TOKEN="${TARGET_VAULT_TOKEN}" \
+ vault kv put -mount="${TARGET_SM_ID}" "${path}" "${put_args[@]}" >/dev/null 2>&1
+}
+
+# Function to migrate a single secret path
+migrate_secret() {
+ local path="$1"
+ local migrated_count=0
+ local skipped_count=0
+ local failed_count=0
+
+ log_info "Processing: ${path}"
+
+ # Check if secret exists in target and skip if requested
+ if [ "${SKIP_EXISTING}" = true ]; then
+ if target_secret_exists "${path}"; then
+ log_info " ⊘ Skipped (already exists in target)"
+ echo "0:1:0"
+ return 0
+ fi
+ fi
+
+ # Get secret from source
+ local secret_data
+ secret_data=$(get_source_secret "${path}")
+
+ if [ -z "${secret_data}" ] || [ "${secret_data}" = "null" ]; then
+ log_info " ⊘ Skipped (empty or deleted secret)"
+ log_verbose " Path: ${path}"
+ echo "0:1:0"
+ return 0
+ fi
+
+ # Count keys
+ local key_count
+ key_count=$(echo "${secret_data}" | jq 'keys | length')
+ log_verbose " Found ${key_count} keys"
+
+ # Dry run mode
+ if [ "${DRY_RUN}" = true ]; then
+ log_info " → Would migrate ${key_count} keys (dry-run)"
+ if [ "${VERBOSE}" = true ]; then
+ echo "${secret_data}" | jq -r 'to_entries[] | " - \(.key)"' >&2
+ fi
+ echo "0:0:0"
+ return 0
+ fi
+
+ # Put secret to target
+ if put_target_secret "${path}" "${secret_data}"; then
+ log_info " ✓ Migrated ${key_count} keys"
+ echo "1:0:0"
+ else
+ log_error " ✗ Failed to write to target"
+ echo "0:0:1"
+ fi
+}
+
+# Parse command line arguments
+while [[ $# -gt 0 ]]; do
+ case $1 in
+ -d|--dry-run)
+ DRY_RUN=true
+ shift
+ ;;
+ -v|--verbose)
+ VERBOSE=true
+ shift
+ ;;
+ -s|--skip-existing)
+ SKIP_EXISTING=true
+ shift
+ ;;
+ --debug)
+ DEBUG=true
+ VERBOSE=true # Debug implies verbose
+ shift
+ ;;
+ -h|--help)
+ usage
+ ;;
+ *)
+ echo "Error: Unknown option: $1"
+ echo
+ usage
+ ;;
+ esac
+done
+
+# Main migration logic
+main() {
+ log_info "=== Vault Secret Migration ==="
+ log_info "Source: ${SOURCE_VAULT_ADDR} (mount: ${SOURCE_SM_ID}, auth: ${SOURCE_AUTH_METHOD})"
+ log_info "Target: ${TARGET_VAULT_ADDR} (mount: ${TARGET_SM_ID}, auth: userpass)"
+
+ if [ "${DRY_RUN}" = true ]; then
+ log_info "Mode: DRY RUN (no changes will be made)"
+ fi
+
+ log_info ""
+
+ # Authenticate to both vaults
+ authenticate_source
+ authenticate_target
+
+ # Determine which paths to migrate
+ local paths_to_migrate
+ if [ -n "${MIGRATE_PATHS}" ]; then
+ log_info "Migrating specified paths: ${MIGRATE_PATHS}"
+ paths_to_migrate="${MIGRATE_PATHS}"
+ else
+ log_info "Migrating all paths from source Vault..."
+ paths_to_migrate=$(get_all_paths)
+ fi
+
+ log_info ""
+
+ # Statistics
+ local total_migrated=0
+ local total_skipped=0
+ local total_failed=0
+ local total_paths=0
+
+ # Migrate each path
+ for path in ${paths_to_migrate}; do
+ ((total_paths++)) || true
+
+ result=$(migrate_secret "${path}")
+ IFS=':' read -r migrated skipped failed <<< "${result}"
+
+ ((total_migrated+=migrated)) || true
+ ((total_skipped+=skipped)) || true
+ ((total_failed+=failed)) || true
+ done
+
+ # Print summary
+ log_info ""
+ log_info "=== Migration Summary ==="
+ log_info "Total paths processed: ${total_paths}"
+
+ if [ "${DRY_RUN}" = false ]; then
+ log_info "Successfully migrated: ${total_migrated}"
+ if [ "${SKIP_EXISTING}" = true ]; then
+ log_info "Skipped (existing): ${total_skipped}"
+ fi
+ log_info "Failed: ${total_failed}"
+
+ if [ ${total_failed} -gt 0 ]; then
+ log_error "Migration completed with errors"
+ exit 1
+ else
+ log_info ""
+ log_info "✓ Migration completed successfully!"
+ fi
+ else
+ log_info "✓ Dry run completed"
+ fi
+}
+
+# Run main function
+main
