Merge pull request 'example(iam-scim): add docs for ske integration' (#28) from example/ske-docs-iam-scim into main

Reviewed-on: #28

.github/workflows/default-ci.yaml

@@ -1,4 +1,4 @@
-name: "Professional Services CI"
+name: "Default CI"
 
 on:
   push:
@@ -17,6 +17,23 @@ jobs:
       - name: TruffleHog Scan
         uses: edplato/trufflehog-actions-scan@master
 
+  todo-check:
+    name: "Check for Open TODOs"
+    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'stackit-ubuntu-22' }}
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v6
+
+      - name: Search codebase
+        run: |
+          # Searches recursively (-r), showing line numbers (-n), ignoring binary files (-I)
+          # Excludes the .git directory to prevent false positives
+          if grep -rnIE "# ?TODO" --exclude-dir=.git --exclude-dir=.github .; then
+            echo "Error: TODOs found in the codebase. Please resolve them before merging."
+            exit 1
+          fi
+          echo "No TODOs found. Proceeding."
+
   pre-commit-checks:
     name: "Pre-Commit Hooks"
     runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'stackit-ubuntu-22' }}

.github/workflows/github-mirror-ci.yaml

@@ -28,11 +28,11 @@ jobs:
       - name: Push to Public Repo
         run: |
           echo "Setting up remote..."
-          git config --global user.name "prof-service-sync-bot"
-          git config --global user.email "prof-service-sync-bot@digits.schwarz"
+          git config --global user.name "ps-sync-bot"
+          git config --global user.email "ps-sync-bot@digits.schwarz"
 
           # Add the GitHub remote using the SSH protocol
-          git remote add public git@github.com:stackitcloud/professional-services.git
+          git remote add public git@github.com:stackitcloud/professional-service.git
 
           echo "Pushing main branch to GitHub..."
           git push public main --force

.gitignore

@@ -67,3 +67,7 @@ go.work.sum
 ### Jetbrains
 .idea
 ssh
+keys
+
+### K8s
+.kubeconfig

CONTRIBUTING.md

@@ -16,7 +16,7 @@ Your contribution is welcome! Thank you for your interest in growing our shared
 
 ### Pre-Commit Checks & CI
 
-To keep our codebase clean and secure, we enforce a strict CI pipeline on all Pull Requests. You can save time by running these checks locally before you commit:
+To maintain a clean and secure codebase, we enforce a strict CI pipeline on all Pull Requests. You can save time and catch pipeline failures early by running these checks locally before you commit your code. We use pre-commit to automate this process.
 
 - **Format your code:** The pipeline will fail if your code is not formatted according to industry standards.
   - Terraform: `terraform fmt -recursive`

GOVERNANCE.md

@@ -0,0 +1,41 @@
+# Project Governance: STACKIT Professional Service
+
+This document defines the management, ownership, and maintenance processes for the STACKIT Professional Service repository.
+
+## 1. Strategy & "The Story"
+
+This repository serves as a bridge between internal excellence and public visibility.
+
+- **Internal Git (Source of Truth):** The primary repository is hosted on our internal STACKIT Git instance. All internal communication, documentation, and chat links MUST point to the internal instance to promote our own infrastructure and tools.
+- **GitHub (Public Mirror):** The GitHub repository is a mirror intended for external visibility, SEO, and accessibility for AI models (LLMs). It helps customers find our solutions and establishes STACKIT as a thought leader in cloud automation.
+
+## 2. Ownership
+
+### 2.1 Organizational Ownership
+
+The repository is owned by the **STACKIT Professional Services** organization. High-level decisions regarding repository structure, licensing, and global policies are managed by the Core Maintainers team.
+
+### 2.2 Example & Module Ownership
+
+Individual examples or modules within the repository have specific owners, documented in their respective `MAINTAINERS.md` files.
+
+- **Responsibility:** Owners are responsible for the technical health, periodic updates (e.g., dependency bumps), and community feedback for their specific content.
+- **Handover:** If an owner leaves the project or company, ownership reverts to the Core Maintainers until a new owner is assigned.
+
+## 3. Review & Quality Assurance
+
+To ensure high standards and security, we follow a strict contribution process:
+
+- **4-Eyes Principle:** No code enters the `main` branch without at least one successful Peer Review.
+- **Automated Validation:** Every Pull Request must pass the CI pipeline, which includes:
+  - Linting and formatting checks.
+  - License header verification (Apache 2.0).
+  - Secret scanning (Trufflehog).
+- **Best Effort Policy:** While we strive for quality, the content is provided "as-is." Use in production environments requires independent validation by the user.
+
+## 4. Mirroring Process
+
+The synchronization between the internal Git and GitHub is fully automated:
+
+1.  Changes are merged into the internal `main` branch.
+2.  A GitHub Action triggers on every push to `main`.

README.md

@@ -1,12 +1,12 @@
-# STACKIT Professional Services
+# STACKIT Professional Service
 
-Welcome to the central repository for STACKIT Professional Services examples, scripts, and boilerplate code!
+Welcome to the central repository for STACKIT examples, scripts, and boilerplate code!
 
 > **⚠️ REPOSITORY MIRROR NOTICE**
 >
 > This GitHub repository is a **mirror**.
 > The primary, internal source of truth for this codebase lives at:
-> `https://professional-service.git.onstackit.cloud/professional-service-best-practices/professional-services`
+> `https://professional-service.git.onstackit.cloud/professional-service-best-practices/professional-service`
 >
 > We automatically sync changes from our STACKIT managed GIT instance to this public GitHub repository.
 >
@@ -20,7 +20,13 @@ Let's be upfront about how this repository is maintained:
 
 - **Strictly Best Effort:** Everything you find in this repository is provided on a "best effort" basis.
 - **No Guarantees on Freshness:** We try our best to keep the examples, Terraform modules, and scripts up to date with the latest provider releases and API changes. However, **we cannot guarantee it**. Things move fast in the cloud, and some examples might become outdated over time.
-- **Use Your Brain:** Do not blindly copy-paste code from here directly into a production environment.
+- **Review Before Deploying:** Do not blindly copy-paste code from here directly into a production environment.
+
+## Contents
+
+- [`examples/`](./examples) — Example solutions across a variety of STACKIT products.
+- [`scripts/`](./scripts/README.md) — Helper scripts for working with STACKIT services.
+- [`modules/`](./modules) — Ready-made Terraform modules to simplify your deployments.
 
 ## How to Use This Repository
 
@@ -39,3 +45,4 @@ Whenever you are starting a new project, looking for a specific implementation,
 Did you find a script that is broken because of a recent update? Did you build a new, awesome example that could help your colleagues?
 
 Since this is a best-effort repository, we highly encourage you to open a Pull Request and share your fixes or additions! We all benefit from a growing, shared knowledge base. Please refer to our `CONTRIBUTING.md` for guidelines on how to format your code before submitting.
+Because this repository is maintained on a best-effort basis, discussions and reviews may take some time. However, we strive to respond within 7 business days.

examples/dbaas-otel-collect-metrics/.terraform.lock.hcl

@@ -0,0 +1,107 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/helm" {
+  version = "3.1.1"
+  hashes = [
+    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
+    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
+    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
+    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
+    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
+    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
+    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
+    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
+    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
+    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
+    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
+    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
+    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/kubernetes" {
+  version     = "3.1.0"
+  constraints = ">= 2.14.0"
+  hashes = [
+    "h1:G9QqKNpcztBRqrywtlNylFJSpGzDfRFtO8hcWLdkvRY=",
+    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
+    "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0",
+    "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20",
+    "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c",
+    "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65",
+    "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0",
+    "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a",
+    "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1",
+    "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98",
+    "zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1",
+    "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/random" {
+  version     = "3.8.1"
+  constraints = ">= 3.6.3"
+  hashes = [
+    "h1:Eexl06+6J+s75uD46+WnZtpJZYRVUMB0AiuPBifK6Jc=",
+    "h1:u8AKlWVDTH5r9YLSeswoVEjiY72Rt4/ch7U+61ZDkiQ=",
+    "zh:08dd03b918c7b55713026037c5400c48af5b9f468f483463321bd18e17b907b4",
+    "zh:0eee654a5542dc1d41920bbf2419032d6f0d5625b03bd81339e5b33394a3e0ae",
+    "zh:229665ddf060aa0ed315597908483eee5b818a17d09b6417a0f52fd9405c4f57",
+    "zh:2469d2e48f28076254a2a3fc327f184914566d9e40c5780b8d96ebf7205f8bc0",
+    "zh:37d7eb334d9561f335e748280f5535a384a88675af9a9eac439d4cfd663bcb66",
+    "zh:741101426a2f2c52dee37122f0f4a2f2d6af6d852cb1db634480a86398fa3511",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:a902473f08ef8df62cfe6116bd6c157070a93f66622384300de235a533e9d4a9",
+    "zh:b85c511a23e57a2147355932b3b6dce2a11e856b941165793a0c3d7578d94d05",
+    "zh:c5172226d18eaac95b1daac80172287b69d4ce32750c82ad77fa0768be4ea4b8",
+    "zh:dab4434dba34aad569b0bc243c2d3f3ff86dd7740def373f2a49816bd2ff819b",
+    "zh:f49fd62aa8c5525a5c17abd51e27ca5e213881d58882fd42fec4a545b53c9699",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/time" {
+  version = "0.13.1"
+  hashes = [
+    "h1:+W+DMrVoVnoXo3f3M4W+OpZbkCrUn6PnqDF33D2Cuf0=",
+    "h1:ZT5ppCNIModqk3iOkVt5my8b8yBHmDpl663JtXAIRqM=",
+    "zh:02cb9aab1002f0f2a94a4f85acec8893297dc75915f7404c165983f720a54b74",
+    "zh:04429b2b31a492d19e5ecf999b116d396dac0b24bba0d0fb19ecaefe193fdb8f",
+    "zh:26f8e51bb7c275c404ba6028c1b530312066009194db721a8427a7bc5cdbc83a",
+    "zh:772ff8dbdbef968651ab3ae76d04afd355c32f8a868d03244db3f8496e462690",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:898db5d2b6bd6ca5457dccb52eedbc7c5b1a71e4a4658381bcbb38cedbbda328",
+    "zh:8de913bf09a3fa7bedc29fec18c47c571d0c7a3d0644322c46f3aa648cf30cd8",
+    "zh:9402102c86a87bdfe7e501ffbb9c685c32bbcefcfcf897fd7d53df414c36877b",
+    "zh:b18b9bb1726bb8cfbefc0a29cf3657c82578001f514bcf4c079839b6776c47f0",
+    "zh:b9d31fdc4faecb909d7c5ce41d2479dd0536862a963df434be4b16e8e4edc94d",
+    "zh:c951e9f39cca3446c060bd63933ebb89cedde9523904813973fbc3d11863ba75",
+    "zh:e5b773c0d07e962291be0e9b413c7a22c044b8c7b58c76e8aa91d1659990dfb5",
+  ]
+}
+
+provider "registry.terraform.io/stackitcloud/stackit" {
+  version     = "0.92.0"
+  constraints = ">= 0.87.0"
+  hashes = [
+    "h1:dE5sdzUaHkzVL8AW3+GXD2EEWX2PlS+sHT7F25SXcZ0=",
+    "h1:j26ncxqlAp4q0/NHFoiATuVdIg7KH0zZhWoSAd+4Yj0=",
+    "zh:0dde99e7b343fa01f8eefc378171fb8621bedb20f59157d6cc8e3d46c738105f",
+    "zh:5eaa713f68a004ec33697f510ca4c7722940e2bab8080c025822ca547325ef98",
+    "zh:60ed4496492b9781f7cc581e346222a6356538a527e4ac67dce6815a64fc5c66",
+    "zh:6834a7819429e3482a5fdd547c442cc032d7047c3fb0dee30e8babb2438598e1",
+    "zh:6de632db0cbb42b429a9e752078df37716b0f335e5c39e883be5c55f7f1da553",
+    "zh:ac8b1bc8212236aaab789cef1dce718e6b8394bcf4b5f6c6f8dabf8c8a213573",
+    "zh:af4b1e805d6082a3ec94d2f5b68e8a62f04205af3f75a4a7d1b167e0f027d9ec",
+    "zh:b709258a4cd3acd0a9426809c1d7c1ed25859010b566c1b29481b132a7e2af13",
+    "zh:c7e8c5e8f2ca8c14c1bf5c92716a761b67792b38046b99653bdbf9ca423fc675",
+    "zh:c7f47c6b7e33d1f28bdc8d1aa5fda2734d74d6b1b0c6ef8b258489d9405af231",
+    "zh:d57dc6ad6b3a2879aa47012faf82f597a2ca1c3de1561bb96c6191e65072ea95",
+    "zh:d5b18390104164477913ced864e7a1cd5a678490f9412be887e5d8e3961d242e",
+    "zh:ead616306ab18c30a4c1110ad7fa8aee7d8a99e4410ceecbe5875beac5724f8a",
+    "zh:f73ad70183a35e5d04e4b48c44654c76fec48a8f4c913dd31a5befc2a1c2e4dc",
+  ]
+}

examples/dbaas-otel-collect-metrics/00-provider.tf

@@ -0,0 +1,55 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This file defines the required Terraform providers and their configurations.
+# It sets up the STACKIT, Kubernetes, and Helm providers to manage resources in the project and the SKE cluster.
+terraform {
+  required_version = ">= 0.14.0"
+  required_providers {
+    stackit = {
+      source  = "stackitcloud/stackit"
+      version = ">= 0.87.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.6.3"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">=2.14.0"
+    }
+  }
+}
+
+provider "stackit" {
+  default_region           = var.stackit_region
+  service_account_key_path = var.stackit_service_account_key_path
+  experiments              = ["iam"]
+}
+
+provider "kubernetes" {
+  host                   = yamldecode(stackit_ske_kubeconfig.this.kube_config).clusters.0.cluster.server
+  client_certificate     = base64decode(yamldecode(stackit_ske_kubeconfig.this.kube_config).users.0.user.client-certificate-data)
+  client_key             = base64decode(yamldecode(stackit_ske_kubeconfig.this.kube_config).users.0.user.client-key-data)
+  cluster_ca_certificate = base64decode(yamldecode(stackit_ske_kubeconfig.this.kube_config).clusters.0.cluster.certificate-authority-data)
+}
+
+provider "helm" {
+  kubernetes = {
+    host                   = yamldecode(stackit_ske_kubeconfig.this.kube_config).clusters.0.cluster.server
+    client_certificate     = base64decode(yamldecode(stackit_ske_kubeconfig.this.kube_config).users.0.user.client-certificate-data)
+    client_key             = base64decode(yamldecode(stackit_ske_kubeconfig.this.kube_config).users.0.user.client-key-data)
+    cluster_ca_certificate = base64decode(yamldecode(stackit_ske_kubeconfig.this.kube_config).clusters.0.cluster.certificate-authority-data)
+  }
+}

examples/dbaas-otel-collect-metrics/01-variables.tf

@@ -0,0 +1,33 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+variable "stackit_project_id" {
+  type    = string
+  default = "d75e6aab-b616-4b42-ae3b-aaf161ad626d"
+}
+
+variable "stackit_region" {
+  type    = string
+  default = "eu01"
+}
+
+variable "stackit_service_account_key_path" {
+  type    = string
+  default = "../../keys/stackit-sa.json"
+}
+
+resource "stackit_key_pair" "admin_keypair" {
+  name       = "admin-keypair-12345"
+  public_key = chomp(file("~/.ssh/id_rsa.pub"))
+}

examples/dbaas-otel-collect-metrics/02-ske.tf

@@ -0,0 +1,67 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "stackit_ske_kubeconfig" "this" {
+  project_id   = var.stackit_project_id
+  cluster_name = stackit_ske_cluster.this.name
+  refresh      = true
+
+  depends_on = [stackit_ske_cluster.this]
+}
+
+data "stackit_ske_kubernetes_versions" "this" {
+  version_state = "SUPPORTED"
+}
+
+data "stackit_ske_machine_image_versions" "this" {
+  version_state = "SUPPORTED"
+}
+
+locals {
+  flatcar_supported_version = one(flatten([
+    for mi in data.stackit_ske_machine_image_versions.this.machine_images : [
+      for v in mi.versions :
+      v.version
+      if mi.name == "flatcar"
+    ]
+  ]))
+}
+
+resource "stackit_ske_cluster" "this" {
+  project_id             = var.stackit_project_id
+  name                   = "dbaas-otel"
+  kubernetes_version_min = data.stackit_ske_kubernetes_versions.this.kubernetes_versions.0.version
+
+  maintenance = {
+    enable_kubernetes_version_updates    = true
+    enable_machine_image_version_updates = true
+    start                                = "01:00:00Z"
+    end                                  = "02:00:00Z"
+  }
+
+  node_pools = [
+    {
+      name               = "standard"
+      machine_type       = "g2i.4"
+      minimum            = "3"
+      maximum            = "9"
+      max_surge          = "3"
+      availability_zones = ["eu01-1", "eu01-2", "eu01-3"]
+      os_version_min     = local.flatcar_supported_version
+      os_name            = "flatcar"
+      volume_size        = 150
+      volume_type        = "storage_premium_perf6"
+    },
+  ]
+}

examples/dbaas-otel-collect-metrics/03-observability.tf

@@ -0,0 +1,20 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "stackit_observability_instance" "example" {
+  project_id   = var.stackit_project_id
+  name         = "example-obs"
+  plan_name    = "Observability-Large-EU01"
+  alert_config = null
+}

examples/dbaas-otel-collect-metrics/04-postgres.tf

@@ -0,0 +1,44 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "stackit_postgresflex_instance" "this" {
+  project_id      = var.stackit_project_id
+  name            = "example-instance"
+  backup_schedule = "00 00 * * *"
+  flavor = {
+    cpu = 2
+    ram = 4
+  }
+  replicas = 3
+  storage = {
+    class = "premium-perf2-stackit"
+    size  = 15
+  }
+  version = 15
+  acl     = ["0.0.0.0/0"]
+}
+
+resource "stackit_postgresflex_user" "this" {
+  project_id  = var.stackit_project_id
+  instance_id = stackit_postgresflex_instance.this.instance_id
+  username    = "test"
+  roles       = ["createdb", "login"]
+}
+
+resource "stackit_postgresflex_database" "this" {
+  project_id  = var.stackit_project_id
+  instance_id = stackit_postgresflex_instance.this.instance_id
+  name        = "test"
+  owner       = stackit_postgresflex_user.this.username
+}

examples/dbaas-otel-collect-metrics/04-service-account.tf

@@ -0,0 +1,38 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "stackit_service_account" "this" {
+  name       = "prom-proxy"
+  project_id = var.stackit_project_id
+}
+
+resource "time_rotating" "rotate" {
+  rotation_days = 150
+}
+
+resource "stackit_service_account_key" "this" {
+  project_id            = var.stackit_project_id
+  service_account_email = stackit_service_account.this.email
+  ttl_days              = 180
+
+  rotate_when_changed = {
+    rotation = time_rotating.rotate.id
+  }
+}
+
+resource "stackit_authorization_project_role_assignment" "this" {
+  resource_id = var.stackit_project_id
+  role        = "prometheus-proxy.reader"
+  subject     = stackit_service_account.this.email
+}

examples/dbaas-otel-collect-metrics/05-otel-helm.tf

@@ -0,0 +1,65 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+locals {
+  sa_json = jsondecode(stackit_service_account_key.this.json)
+  otel_helm_values = templatefile("${path.module}/helm-values/otel-collector-values.tftpl", {
+    stackit_project_id             = var.stackit_project_id
+    stackit_region                 = var.stackit_region
+    stackit_postgres_instance_id   = stackit_postgresflex_instance.this.instance_id
+    observability_metrics_endpoint = stackit_observability_instance.example.metrics_push_url
+    secret_name                    = kubernetes_secret.otel_secret.metadata[0].name
+    sa_client_id                   = local.sa_json.credentials.sub
+    sa_issuer                      = local.sa_json.credentials.iss
+    sa_key_id                      = local.sa_json.credentials.kid
+  })
+}
+
+
+resource "stackit_observability_credential" "otel" {
+  project_id  = var.stackit_project_id
+  instance_id = stackit_observability_instance.example.instance_id
+}
+
+resource "kubernetes_namespace" "monitoring" {
+  metadata {
+    name = "monitoring"
+  }
+}
+
+resource "kubernetes_secret" "otel_secret" {
+  metadata {
+    name      = "otel-secrets"
+    namespace = kubernetes_namespace.monitoring.metadata[0].name
+  }
+
+  data = {
+    OBSERVABILITY_AUTHORIZATION_HEADER = "Basic ${base64encode("${stackit_observability_credential.otel.username}:${stackit_observability_credential.otel.password}")}"
+    JSON                               = stackit_service_account_key.this.json
+    PRIVATE_KEY                        = jsondecode(stackit_service_account_key.this.json).credentials.privateKey
+  }
+}
+
+resource "helm_release" "opentelemetry_collector" {
+  name       = "opentelemetry-collector"
+  repository = "https://open-telemetry.github.io/opentelemetry-helm-charts"
+  chart      = "opentelemetry-collector"
+  version    = "0.152.0"
+  namespace  = kubernetes_namespace.monitoring.metadata[0].name
+  timeout    = 30
+
+  values = [
+    local.otel_helm_values
+  ]
+}

examples/dbaas-otel-collect-metrics/MAINTAINERS.md

@@ -0,0 +1,9 @@
+# Maintainers
+
+General maintainers:
+
+- Mauritz Uphoff (Mauritz.Uphoff@digits.schwarz)
+
+This example is actively maintained. The owner is responsible for reviewing and updating dependencies and functionalities on a monthly basis.
+For questions, issues, or feature requests, please email general maintainers.
+Please include the BP name and version in your request. We will track your request as an issue.

examples/dbaas-otel-collect-metrics/README.md

@@ -0,0 +1,39 @@
+# DBaaS OpenTelemetry Metrics Collection
+
+Collect metrics from STACKIT PostgreSQL Flex and MongoDB instances using OpenTelemetry (OTel) and export them to STACKIT Observability.
+
+## Prerequisites
+
+- STACKIT Project ID and Service Account key.
+- Terraform, `kubectl`, and `helm` installed.
+
+## Usage
+
+1. **Configure**: Update `stackit_project_id` and `stackit_service_account_key_path` in `01-variables.tf`.
+2. **Deploy**:
+   ```bash
+   terraform init
+   terraform apply
+   ```
+
+## Scrape Configuration
+
+The OTel Collector scrapes metrics from:
+
+- **PostgreSQL**: `https://postgres-prom-proxy.api.stackit.cloud/v2/...`
+- **MongoDB**: `https://mongodb-prom-proxy.api.stackit.cloud/v2/...`
+
+_Note: MSSQL is not supported._
+
+## Debugging
+
+View live scrape data in the collector logs:
+
+```bash
+kubectl logs -l app.kubernetes.io/name=otel-collector -n monitoring -f
+```
+
+## Documentation
+
+- [PostgreSQL Flex Metrics](https://docs.stackit.cloud/products/databases/postgresql-flex/reference/observability-metrics-in-postgresql-flex/)
+- [MongoDB Flex Metrics](https://docs.stackit.cloud/products/databases/mongodb-flex/reference/observability-metrics/)

examples/dbaas-otel-collect-metrics/helm-values/otel-collector-values.tftpl

@@ -0,0 +1,79 @@
+fullnameOverride: otel-collector
+mode: deployment
+
+podAnnotations:
+  stackit-sa-key-id: "${sa_key_id}"
+
+image:
+  repository: "otel/opentelemetry-collector-contrib"
+
+config:
+  receivers:
+    prometheus:
+      config:
+        scrape_configs:
+          - job_name: stackit-postgres
+            metrics_path: /v2/projects/$${STACKIT_PROJECT_ID}/regions/$${STACKIT_REGION}/instances/$${STACKIT_POSTGRES_INSTANCE_ID}/metrics
+            oauth2:
+              audience: $${SA_TOKEN_REQUEST_AUDIENCE}
+              client_certificate_key_file: /mnt/secrets-store/private-key
+              client_certificate_key_id: $${SA_TOKEN_REQUEST_CLIENT_CERTIFICATE_KEY_ID}
+              client_id: $${SA_TOKEN_REQUEST_CLIENT_ID}
+              grant_type: urn:ietf:params:oauth:grant-type:jwt-bearer
+              iss: $${SA_TOKEN_REQUEST_ISSUER}
+              signature_algorithm: RS512
+              token_url: https://service-account.api.stackit.cloud/token
+            scheme: https
+            scrape_interval: 1m
+            static_configs:
+              - targets:
+                  - postgres-prom-proxy.api.stackit.cloud:443
+  exporters:
+    debug:
+      verbosity: normal
+    prometheusremotewrite:
+      endpoint: $${OBSERVABILITY_METRICS_ENDPOINT}
+      headers:
+        Authorization: $${OBSERVABILITY_AUTHORIZATION_HEADER}
+
+  service:
+    pipelines:
+      metrics:
+        receivers: [prometheus]
+        exporters: [prometheusremotewrite, debug]
+
+extraEnvs:
+  - name: STACKIT_PROJECT_ID
+    value: "${stackit_project_id}"
+  - name: STACKIT_REGION
+    value: "${stackit_region}"
+  - name: STACKIT_POSTGRES_INSTANCE_ID
+    value: "${stackit_postgres_instance_id}"
+  - name: OBSERVABILITY_METRICS_ENDPOINT
+    value: "${observability_metrics_endpoint}"
+  - name: OBSERVABILITY_AUTHORIZATION_HEADER
+    valueFrom:
+      secretKeyRef:
+        name: ${secret_name}
+        key: OBSERVABILITY_AUTHORIZATION_HEADER
+  - name: SA_TOKEN_REQUEST_CLIENT_ID
+    value: "${sa_client_id}"
+  - name: SA_TOKEN_REQUEST_ISSUER
+    value: "${sa_issuer}"
+  - name: SA_TOKEN_REQUEST_CLIENT_CERTIFICATE_KEY_ID
+    value: "${sa_key_id}"
+  - name: SA_TOKEN_REQUEST_AUDIENCE
+    value: "https://service-account.api.stackit.cloud/token"
+
+extraVolumes:
+  - name: otel-secrets
+    secret:
+      secretName: ${secret_name}
+      items:
+        - key: PRIVATE_KEY
+          path: private-key
+
+extraVolumeMounts:
+  - name: otel-secrets
+    mountPath: /mnt/secrets-store
+    readOnly: true

examples/iaas-cross-az-layer4-loadbalancer/.terraform.lock.hcl

@@ -0,0 +1,46 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/random" {
+  version     = "3.8.1"
+  constraints = ">= 3.6.3"
+  hashes = [
+    "h1:Eexl06+6J+s75uD46+WnZtpJZYRVUMB0AiuPBifK6Jc=",
+    "h1:u8AKlWVDTH5r9YLSeswoVEjiY72Rt4/ch7U+61ZDkiQ=",
+    "zh:08dd03b918c7b55713026037c5400c48af5b9f468f483463321bd18e17b907b4",
+    "zh:0eee654a5542dc1d41920bbf2419032d6f0d5625b03bd81339e5b33394a3e0ae",
+    "zh:229665ddf060aa0ed315597908483eee5b818a17d09b6417a0f52fd9405c4f57",
+    "zh:2469d2e48f28076254a2a3fc327f184914566d9e40c5780b8d96ebf7205f8bc0",
+    "zh:37d7eb334d9561f335e748280f5535a384a88675af9a9eac439d4cfd663bcb66",
+    "zh:741101426a2f2c52dee37122f0f4a2f2d6af6d852cb1db634480a86398fa3511",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:a902473f08ef8df62cfe6116bd6c157070a93f66622384300de235a533e9d4a9",
+    "zh:b85c511a23e57a2147355932b3b6dce2a11e856b941165793a0c3d7578d94d05",
+    "zh:c5172226d18eaac95b1daac80172287b69d4ce32750c82ad77fa0768be4ea4b8",
+    "zh:dab4434dba34aad569b0bc243c2d3f3ff86dd7740def373f2a49816bd2ff819b",
+    "zh:f49fd62aa8c5525a5c17abd51e27ca5e213881d58882fd42fec4a545b53c9699",
+  ]
+}
+
+provider "registry.terraform.io/stackitcloud/stackit" {
+  version     = "0.91.0"
+  constraints = ">= 0.87.0"
+  hashes = [
+    "h1:8de9n+Roq6Z2Ltp9poBBBN9a4zSpx73VLpgFS5mTyoI=",
+    "h1:RStdHSDwbtonYfg7mR5Y92v6fxIVX9FEz0UN+tm9kHI=",
+    "zh:0dde99e7b343fa01f8eefc378171fb8621bedb20f59157d6cc8e3d46c738105f",
+    "zh:0ed12db90276ccd2d6f87135b7dd078657823c3ca33121c6a157d0bdf08f801e",
+    "zh:160b32bcf1d01666784cf8469e10e0a38d4c3d24c80c0c5be470cc63ef27ea62",
+    "zh:32e1909037235c24138b74131c6fb12ac99003f79750f1768ca5468cc05da6b0",
+    "zh:4376f1cdafbb35ad5f220e28153741908390b23161d9eae3828f7830039ce8ef",
+    "zh:458b054781ef6165d9136fc3d667f9bf37319e37d0f19300bbb63b703de2599d",
+    "zh:54a1864cf1315a118c043f834e02f2a1ca0ecbc8c2a246460589a95847da6c80",
+    "zh:83424712926ccef3c60cc011dfa298721bdbaee3598a0c8459da46bc6b7424cc",
+    "zh:a3c38ebffdbca21dd177b06acf891bed1a903907ba252d0219d91ff0ecf9d861",
+    "zh:c6325e583b77aa1e9df94e3b4b12479d7bf12c66a2ace71c1b8f64e46ac5c37e",
+    "zh:de6db8deeee895af5670df2449c8b8c34df051277f8a6e2f19c5c9ec1f0ddb12",
+    "zh:e18b05e7d8356caa6103c5c80b5ea373be3ff255b453cf577c68798ffe1b93ce",
+    "zh:f4d9215f7a2888c882892642539b2edd3ea97cb25904e4fa358db4f001c3ccd0",
+    "zh:f94d0c0c2bf843867122ababc8d8066d52257e68bbcb5c62a603f77c581e9668",
+  ]
+}

examples/iaas-cross-az-layer4-loadbalancer/00-provider.tf

@@ -0,0 +1,33 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Define required providers
+terraform {
+  required_version = ">= 0.14.0"
+  required_providers {
+    stackit = {
+      source  = "stackitcloud/stackit"
+      version = ">= 0.87.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.6.3"
+    }
+  }
+}
+
+provider "stackit" {
+  default_region           = var.stackit_region
+  service_account_key_path = var.stackit_service_account_key_path
+}

examples/iaas-cross-az-layer4-loadbalancer/01-variables.tf

@@ -0,0 +1,37 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+variable "stackit_project_id" {
+  type    = string
+  default = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+}
+
+variable "stackit_region" {
+  type    = string
+  default = "eu01"
+}
+
+variable "stackit_service_account_key_path" {
+  type    = string
+  default = "../../keys/stackit-sa.json"
+}
+
+resource "stackit_key_pair" "admin_keypair" {
+  name       = "admin-keypair-12345"
+  public_key = chomp(file("~/.ssh/id_rsa.pub"))
+}
+
+variable "jumphost_flavor" {
+  default = "c2i.1"
+}

examples/iaas-cross-az-layer4-loadbalancer/02-network.tf

@@ -0,0 +1,20 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "stackit_network" "network" {
+  project_id       = var.stackit_project_id
+  name             = "network01"
+  ipv4_nameservers = ["1.1.1.1", "9.9.9.9"]
+  ipv4_prefix      = "172.17.1.0/24"
+}

examples/iaas-cross-az-layer4-loadbalancer/03-machine01.tf

@@ -0,0 +1,27 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module "test-machine01" {
+  source = "../../modules/test-machine"
+
+  project_id        = var.stackit_project_id
+  network_id        = stackit_network.network.network_id
+  availability_zone = "eu01-1"
+
+  name         = "machine01"
+  machine_type = var.jumphost_flavor
+  disk_size    = 48
+
+  user_data = templatefile("${path.module}/apache-debug-user.yaml", {})
+}

examples/iaas-cross-az-layer4-loadbalancer/04-machine02.tf

@@ -0,0 +1,27 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module "test-machine02" {
+  source = "../../modules/test-machine"
+
+  project_id        = var.stackit_project_id
+  network_id        = stackit_network.network.network_id
+  availability_zone = "eu01-2"
+
+  name         = "machine02"
+  machine_type = var.jumphost_flavor
+  disk_size    = 48
+
+  user_data = templatefile("${path.module}/apache-debug-user.yaml", {})
+}

examples/iaas-cross-az-layer4-loadbalancer/05-l4-loadbalancer.tf

@@ -0,0 +1,84 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "stackit_public_ip" "public_ip" {
+  project_id = var.stackit_project_id
+
+  lifecycle {
+    ignore_changes = [network_interface_id]
+  }
+}
+
+resource "stackit_loadbalancer" "this" {
+  project_id                        = var.stackit_project_id
+  name                              = "lb-example-1"
+  disable_security_group_assignment = true
+
+  target_pools = [
+    {
+      name        = "pool-1"
+      target_port = 80
+      targets = [
+        {
+          display_name = "lb-target-1"
+          ip           = module.test-machine01.primary_ip
+        },
+        {
+          display_name = "lb-target-2"
+          ip           = module.test-machine02.primary_ip
+        }
+      ]
+      active_health_check = {
+        healthy_threshold   = 10
+        interval            = "3s"
+        interval_jitter     = "3s"
+        timeout             = "3s"
+        unhealthy_threshold = 10
+      }
+    },
+  ]
+
+  listeners = [
+    {
+      display_name = "listener1"
+      port         = 80
+      protocol     = "PROTOCOL_TCP"
+      target_pool  = "pool-1"
+    },
+  ]
+
+  networks = [
+    {
+      network_id = stackit_network.network.network_id
+      role       = "ROLE_LISTENERS_AND_TARGETS"
+    }
+  ]
+
+  external_address = stackit_public_ip.public_ip.ip
+
+  options = {
+    // for private loadbalancer usage
+    /*private_network_only = false*/
+  }
+}
+
+
+output "lb_external_address" {
+  value = stackit_loadbalancer.this.external_address
+}
+
+/*output "lb_private_ip_address" {
+  // for private loadbalancer usage
+  value = stackit_loadbalancer.lb_example.private_address
+}*/

examples/iaas-cross-az-layer4-loadbalancer/MAINTAINERS.md

@@ -0,0 +1,9 @@
+# Maintainers
+
+General maintainers:
+
+- Mauritz Uphoff (Mauritz.Uphoff@digits.schwarz)
+
+This example is actively maintained. The owner is responsible for reviewing and updating dependencies and functionalities on a monthly basis.
+For questions, issues, or feature requests, please email general maintainers.
+Please include the BP name and version in your request. We will track your request as an issue.

examples/iaas-cross-az-layer4-loadbalancer/README.md

@@ -0,0 +1,5 @@
+# IaaS cross AZ Layer4 Loadbalancer
+
+## Overview
+
+A classic highly-available architecture: provisioning multiple VMs across different Availability Zones (AZs) and putting them behind a STACKIT L4 Load Balancer.

examples/iaas-cross-az-layer4-loadbalancer/apache-debug-user.yaml

@@ -0,0 +1,22 @@
+#cloud-config
+users:
+  - name: debug
+    groups: sudo
+    shell: /bin/bash
+    sudo: ["ALL=(ALL) NOPASSWD:ALL"]
+    lock_passwd: false
+    passwd: "$6$JZBVJ2zsw/o4C1UJ$FskGQWf.nqwj.o9bHbxkSGvSilQcHt03KdPYlgsiE3L77tNqFj0/vnlCXSf.SRb4jR2xsHk/.OlEyT16Txj4J." # hashed version of 'House123!'
+
+chpasswd:
+  expire: false
+
+ssh_pwauth: true
+
+packages:
+  - apache2
+
+runcmd:
+  - systemctl enable apache2
+  - systemctl start apache2
+  - echo "<h1>Hello from STACKIT Instance</h1><p>Hostname $(hostname)</p>" > /var/www/html/index.html
+  - chown www-data:www-data /var/www/html/index.html

examples/iaas-cross-az-layer7-loadbalancer-waf/.terraform-version

@@ -0,0 +1 @@
+v1.14.0

examples/iaas-cross-az-layer7-loadbalancer-waf/.terraform.lock.hcl

@@ -0,0 +1,90 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/random" {
+  version     = "3.8.1"
+  constraints = ">= 3.6.3"
+  hashes = [
+    "h1:Eexl06+6J+s75uD46+WnZtpJZYRVUMB0AiuPBifK6Jc=",
+    "h1:u8AKlWVDTH5r9YLSeswoVEjiY72Rt4/ch7U+61ZDkiQ=",
+    "zh:08dd03b918c7b55713026037c5400c48af5b9f468f483463321bd18e17b907b4",
+    "zh:0eee654a5542dc1d41920bbf2419032d6f0d5625b03bd81339e5b33394a3e0ae",
+    "zh:229665ddf060aa0ed315597908483eee5b818a17d09b6417a0f52fd9405c4f57",
+    "zh:2469d2e48f28076254a2a3fc327f184914566d9e40c5780b8d96ebf7205f8bc0",
+    "zh:37d7eb334d9561f335e748280f5535a384a88675af9a9eac439d4cfd663bcb66",
+    "zh:741101426a2f2c52dee37122f0f4a2f2d6af6d852cb1db634480a86398fa3511",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:a902473f08ef8df62cfe6116bd6c157070a93f66622384300de235a533e9d4a9",
+    "zh:b85c511a23e57a2147355932b3b6dce2a11e856b941165793a0c3d7578d94d05",
+    "zh:c5172226d18eaac95b1daac80172287b69d4ce32750c82ad77fa0768be4ea4b8",
+    "zh:dab4434dba34aad569b0bc243c2d3f3ff86dd7740def373f2a49816bd2ff819b",
+    "zh:f49fd62aa8c5525a5c17abd51e27ca5e213881d58882fd42fec4a545b53c9699",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/tls" {
+  version = "4.2.1"
+  hashes = [
+    "h1:F5d6bQY8UlBo0D71Sv7CsV+3aZOFz0yeNF+vufog7h4=",
+    "h1:akFNuHwvrtnYMBofieoeXhPJDhYZzJVu/Q/BgZK2fgg=",
+    "zh:0d1e7d07ac973b97fa228f46596c800de830820506ee145626f079dd6bbf8d8a",
+    "zh:5c7e3d4348cb4861ab812973ef493814a4b224bdd3e9d534a7c8a7c992382b86",
+    "zh:7c6d4a86cd7a4e9c1025c6b3a3a6a45dea202af85d870cddbab455fb1bd568ad",
+    "zh:7d0864755ba093664c4b2c07c045d3f5e3d7c799dda1a3ef33d17ed1ac563191",
+    "zh:83734f57950ab67c0d6a87babdb3f13c908cbe0a48949333f489698532e1391b",
+    "zh:951e3c285218ebca0cf20eaa4265020b4ef042fea9c6ade115ad1558cfe459e5",
+    "zh:b9543955b4297e1d93b85900854891c0e645d936d8285a190030475379c5c635",
+    "zh:bb1bd9e86c003d08c30c1b00d44118ed5bbbf6b1d2d6f7eaac4fa5c6ebea5933",
+    "zh:c9477bfe00653629cd77ddac3968475f7ad93ac3ca8bc45b56d1d9efb25e4a6e",
+    "zh:d4cfda8687f736d0cba664c22ec49dae1188289e214ef57f5afe6a7217854fed",
+    "zh:dc77ee066cf96532a48f0578c35b1eaf6dc4d8ddd0e3ae8e029a3b10676dd5d3",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+  ]
+}
+
+provider "registry.terraform.io/mastercard/restapi" {
+  version     = "3.0.0"
+  constraints = ">= 3.0.0"
+  hashes = [
+    "h1:Fqxoc6bsydl6iWGx6ZvyqUDdGt7Cb4sW/BSHhBeHGgw=",
+    "h1:y1I3azDHOqRySTyDHsb3Xh1waP/99KfykZRagbRx1qI=",
+    "zh:0b63bd3c25a31f090a41933f90b7dd6e984add1c4261d8f5caa73f4d5aa065a4",
+    "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7",
+    "zh:2d31f322454d271eb328c2d3b3d41f426df98503982788be347799ddf68bf9bf",
+    "zh:47dd97e3f43bb89ae4254bba90ffbc6d521338554a1f94961e21214dd801b81b",
+    "zh:49636b072b9a30d15916468857bce91d39bc87bbba1c99fb3894fafa9409b8b4",
+    "zh:5566605a8e16478bc66c1fec8dea0890586c084221161dc82b73d162d44c08a7",
+    "zh:5859e0ad05aa6b3b108f0b718986e237a18d5176efea62d1ac1ef352561b4713",
+    "zh:76129b89e2b56d8d2af8f6e10cc748bea4ee6ec1105e916f1254cd124f4dcf9c",
+    "zh:bfc20b5fd03cb3243917e8cf360e5208284e757ab82f83c992da471ef16a0eab",
+    "zh:d1d2363009253cdfe5795a48b6412bff11104fe6a52fb0a57e5a95fc765a161e",
+    "zh:d1f0b981089ad709b73c4f989a9cd9118c4e3cb8fc0a2b303aa4d77cc5102a53",
+    "zh:dbfddb2f407481a4e88fdc17739c805d9d9fff2451efcb9226572d59ed2e9128",
+    "zh:df04a8c777d05896684171807b27c41befbf5f217f50b0e9b2b27164d4aacca5",
+    "zh:e68b450c66efe55d1132585477fa71207680806edafb3792ca44d9695d0a1d75",
+    "zh:f894e7e9913347e25e67d5d3bf91659c06877dd5fa11acf75820fa03fa34b8bd",
+  ]
+}
+
+provider "registry.terraform.io/stackitcloud/stackit" {
+  version     = "0.91.0"
+  constraints = ">= 0.87.0"
+  hashes = [
+    "h1:8de9n+Roq6Z2Ltp9poBBBN9a4zSpx73VLpgFS5mTyoI=",
+    "h1:RStdHSDwbtonYfg7mR5Y92v6fxIVX9FEz0UN+tm9kHI=",
+    "zh:0dde99e7b343fa01f8eefc378171fb8621bedb20f59157d6cc8e3d46c738105f",
+    "zh:0ed12db90276ccd2d6f87135b7dd078657823c3ca33121c6a157d0bdf08f801e",
+    "zh:160b32bcf1d01666784cf8469e10e0a38d4c3d24c80c0c5be470cc63ef27ea62",
+    "zh:32e1909037235c24138b74131c6fb12ac99003f79750f1768ca5468cc05da6b0",
+    "zh:4376f1cdafbb35ad5f220e28153741908390b23161d9eae3828f7830039ce8ef",
+    "zh:458b054781ef6165d9136fc3d667f9bf37319e37d0f19300bbb63b703de2599d",
+    "zh:54a1864cf1315a118c043f834e02f2a1ca0ecbc8c2a246460589a95847da6c80",
+    "zh:83424712926ccef3c60cc011dfa298721bdbaee3598a0c8459da46bc6b7424cc",
+    "zh:a3c38ebffdbca21dd177b06acf891bed1a903907ba252d0219d91ff0ecf9d861",
+    "zh:c6325e583b77aa1e9df94e3b4b12479d7bf12c66a2ace71c1b8f64e46ac5c37e",
+    "zh:de6db8deeee895af5670df2449c8b8c34df051277f8a6e2f19c5c9ec1f0ddb12",
+    "zh:e18b05e7d8356caa6103c5c80b5ea373be3ff255b453cf577c68798ffe1b93ce",
+    "zh:f4d9215f7a2888c882892642539b2edd3ea97cb25904e4fa358db4f001c3ccd0",
+    "zh:f94d0c0c2bf843867122ababc8d8066d52257e68bbcb5c62a603f77c581e9668",
+  ]
+}

examples/iaas-cross-az-layer7-loadbalancer-waf/00-provider.tf

@@ -0,0 +1,48 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Define required providers
+terraform {
+  required_version = ">= 0.14.0"
+  required_providers {
+    stackit = {
+      source  = "stackitcloud/stackit"
+      version = ">= 0.87.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.6.3"
+    }
+    restapi = {
+      source  = "Mastercard/restapi"
+      version = ">= 3.0.0"
+    }
+  }
+}
+
+ephemeral "stackit_access_token" "alb" {}
+
+provider "restapi" {
+  uri          = "https://alb-waf.api.stackit.cloud"
+  bearer_token = ephemeral.stackit_access_token.alb.access_token
+
+  id_attribute         = "name"
+  write_returns_object = true
+}
+
+provider "stackit" {
+  default_region           = var.stackit_region
+  service_account_key_path = var.stackit_service_account_key_path
+  enable_beta_resources    = true
+}

examples/iaas-cross-az-layer7-loadbalancer-waf/01-variables.tf

@@ -0,0 +1,37 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+variable "stackit_project_id" {
+  type    = string
+  default = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+}
+
+variable "stackit_region" {
+  type    = string
+  default = "eu01"
+}
+
+variable "stackit_service_account_key_path" {
+  type    = string
+  default = "../../keys/stackit-sa.json"
+}
+
+resource "stackit_key_pair" "admin_keypair" {
+  name       = "admin-keypair-12345"
+  public_key = chomp(file("~/.ssh/id_rsa.pub"))
+}
+
+variable "jumphost_flavor" {
+  default = "c2i.1"
+}

examples/iaas-cross-az-layer7-loadbalancer-waf/02-network.tf

@@ -0,0 +1,20 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "stackit_network" "network" {
+  project_id       = var.stackit_project_id
+  name             = "network01"
+  ipv4_nameservers = ["1.1.1.1", "9.9.9.9"]
+  ipv4_prefix      = "172.17.1.0/24"
+}

examples/iaas-cross-az-layer7-loadbalancer-waf/03-machine01.tf

@@ -0,0 +1,28 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module "test-machine01" {
+  source = "../../modules/test-machine"
+
+  project_id        = var.stackit_project_id
+  network_id        = stackit_network.network.network_id
+  availability_zone = "eu01-1"
+  security_enabled  = true
+
+  name         = "machine01"
+  machine_type = var.jumphost_flavor
+  disk_size    = 48
+
+  user_data = templatefile("${path.module}/apache-debug-user.yaml", {})
+}

examples/iaas-cross-az-layer7-loadbalancer-waf/04-machine02.tf

@@ -0,0 +1,28 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module "test-machine02" {
+  source = "../../modules/test-machine"
+
+  project_id        = var.stackit_project_id
+  network_id        = stackit_network.network.network_id
+  availability_zone = "eu01-2"
+  security_enabled  = true
+
+  name         = "machine02"
+  machine_type = var.jumphost_flavor
+  disk_size    = 48
+
+  user_data = templatefile("${path.module}/apache-debug-user.yaml", {})
+}

examples/iaas-cross-az-layer7-loadbalancer-waf/05-l7-loadbalancer.tf

@@ -0,0 +1,117 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "tls_private_key" "example" {
+  algorithm = "RSA"
+  rsa_bits  = 2048
+}
+
+resource "tls_self_signed_cert" "example" {
+  private_key_pem = tls_private_key.example.private_key_pem
+
+  subject {
+    common_name  = "localhost"
+    organization = "STACKIT Test"
+  }
+
+  validity_period_hours = 12
+
+  allowed_uses = [
+    "key_encipherment",
+    "digital_signature",
+    "server_auth",
+  ]
+}
+
+resource "stackit_public_ip" "public_ip" {
+  project_id = var.stackit_project_id
+
+  lifecycle {
+    ignore_changes = [network_interface_id]
+  }
+}
+
+resource "stackit_alb_certificate" "this" {
+  project_id  = var.stackit_project_id
+  name        = "example-certificate"
+  private_key = tls_private_key.example.private_key_pem
+  public_key  = tls_self_signed_cert.example.cert_pem
+}
+
+resource "stackit_application_load_balancer" "this" {
+  project_id       = var.stackit_project_id
+  region           = var.stackit_region
+  name             = "example-load-balancer"
+  plan_id          = "p10"
+  external_address = stackit_public_ip.public_ip.ip
+
+  listeners = [
+    {
+      name = "listener01"
+      port = 443
+      http = {
+        hosts = [{
+          host = "*"
+          rules = [{
+            target_pool = "target-pool-01"
+            /*path = {
+              prefix = "/path"
+            }*/
+          }]
+        }]
+      }
+      https = {
+        certificate_config = {
+          certificate_ids = [
+            stackit_alb_certificate.this.cert_id
+          ]
+        }
+      }
+      waf_config_name = restapi_object.waf.api_data.name
+      protocol        = "PROTOCOL_HTTPS"
+    }
+  ]
+  networks = [
+    {
+      network_id = stackit_network.network.network_id
+      role       = "ROLE_LISTENERS_AND_TARGETS"
+    }
+  ]
+  target_pools = [
+    {
+      name        = "target-pool-01"
+      target_port = 80
+      targets = [
+        {
+          display_name = "server01"
+          ip           = module.test-machine01.primary_ip
+        },
+        {
+          display_name = "server02"
+          ip           = module.test-machine02.primary_ip
+        }
+      ]
+    }
+  ]
+}
+
+
+output "alb_external_address" {
+  value = stackit_application_load_balancer.this.external_address
+}
+
+/*output "alb_private_ip_address" {
+  // for private alb loadbalancer usage
+  value = stackit_application_load_balancer.this.private_address
+}*/

examples/iaas-cross-az-layer7-loadbalancer-waf/06-waf.tf

@@ -0,0 +1,46 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "restapi_object" "waf_crs" {
+  path = "/v1alpha/projects/${var.stackit_project_id}/regions/${var.stackit_region}/core-rule-sets"
+  data = jsonencode({
+    name   = "example-crs"
+    active = true
+  })
+
+  ignore_server_additions = true
+}
+
+resource "restapi_object" "waf_rules" {
+  path = "/v1alpha/projects/${var.stackit_project_id}/regions/${var.stackit_region}/rules"
+  data = jsonencode({
+    name  = "example-rules"
+    rules = file("${path.module}/example-waf.conf")
+  })
+
+  ignore_server_additions = true
+  depends_on              = [restapi_object.waf_crs]
+}
+
+resource "restapi_object" "waf" {
+  path = "/v1alpha/projects/${var.stackit_project_id}/regions/${var.stackit_region}/wafs"
+  data = jsonencode({
+    name            = "example-waf"
+    coreRuleSetName = restapi_object.waf_crs.api_data.name
+    rulesConfigName = restapi_object.waf_rules.api_data.name
+  })
+
+  ignore_server_additions = true
+  depends_on              = [restapi_object.waf_rules]
+}

examples/iaas-cross-az-layer7-loadbalancer-waf/MAINTAINERS.md

@@ -0,0 +1,9 @@
+# Maintainers
+
+General maintainers:
+
+- Mauritz Uphoff (Mauritz.Uphoff@digits.schwarz)
+
+This example is actively maintained. The owner is responsible for reviewing and updating dependencies and functionalities on a monthly basis.
+For questions, issues, or feature requests, please email general maintainers.
+Please include the BP name and version in your request. We will track your request as an issue.

examples/iaas-cross-az-layer7-loadbalancer-waf/README.md

@@ -0,0 +1,36 @@
+# IaaS cross AZ Layer 7 Loadbalancer
+
+## Overview
+
+A classic highly-available architecture: provisioning multiple VMs across different Availability Zones (AZs) and putting them behind a STACKIT L7 Load Balancer. This example also includes a Web Application Firewall (WAF) configuration to secure the backend workloads against malicious traffic.
+
+## ⚠️ Important Note: [WAF Implementation](06-waf.tf)
+
+Currently, the official STACKIT Terraform provider does not natively support Web Application Firewall (WAF) resources.
+
+To bridge this gap and fully automate the deployment, this example utilizes a `restapi` provider as a workaround. This allows Terraform to interact directly with the STACKIT WAF REST API (`/v1alpha/projects/...`) to create and attach the Core Rule Sets and custom SecLang rules until native support is released.
+
+## Testing the WAF
+
+This deployment includes rules written in SecLang. These rules are specifically designed to safely verify that the WAF is successfully deployed, actively intercepting traffic, and applying your configurations.
+
+Once `terraform apply` completes successfully, extract the public IP of your Load Balancer from the Terraform outputs:
+
+```bash
+# Export the Load Balancer IP to an environment variable
+export ALB_IP=$(terraform output -raw alb_external_address)
+```
+
+Now, use curl to trigger the custom rules. Because the WAF is configured to block these specific signatures, both of the following commands should return an HTTP 403 Forbidden status code.
+
+Test 1: Trigger via Query Parameter
+
+```Bash
+curl -k -I -X GET "https://${ALB_IP}/?waf_test=trigger"
+```
+
+Test 2: Trigger via Custom HTTP Header
+
+```Bash
+curl -k -I -H "X-WAF-Test: trigger" "https://${ALB_IP}/"
+```

examples/iaas-cross-az-layer7-loadbalancer-waf/apache-debug-user.yaml

@@ -0,0 +1,22 @@
+#cloud-config
+users:
+  - name: debug
+    groups: sudo
+    shell: /bin/bash
+    sudo: ["ALL=(ALL) NOPASSWD:ALL"]
+    lock_passwd: false
+    passwd: "$6$JZBVJ2zsw/o4C1UJ$FskGQWf.nqwj.o9bHbxkSGvSilQcHt03KdPYlgsiE3L77tNqFj0/vnlCXSf.SRb4jR2xsHk/.OlEyT16Txj4J." # hashed version of 'House123!'
+
+chpasswd:
+  expire: false
+
+ssh_pwauth: true
+
+packages:
+  - apache2
+
+runcmd:
+  - systemctl enable apache2
+  - systemctl start apache2
+  - echo "<h1>Hello from STACKIT Instance</h1><p>Hostname $(hostname)</p>" > /var/www/html/index.html
+  - chown www-data:www-data /var/www/html/index.html

examples/iaas-cross-az-layer7-loadbalancer-waf/example-waf.conf

@@ -0,0 +1,23 @@
+# ------------------------------------------------------------------------
+# WAF TEST RULES
+# Custom rule IDs should generally start at 1000000 to avoid conflicting
+# with the OWASP Core Rule Set (which uses the 900000 - 999999 range).
+# ------------------------------------------------------------------------
+
+# Test Rule 1: Block based on a specific query parameter (?waf_test=trigger)
+SecRule ARGS:waf_test "@streq trigger" \
+    "id:1000001,\
+    phase:1,\
+    deny,\
+    status:403,\
+    log,\
+    msg:'WAF Test Rule Triggered via Query Parameter'"
+
+# Test Rule 2: Block based on a specific custom header (X-WAF-Test: trigger)
+SecRule REQUEST_HEADERS:X-WAF-Test "@streq trigger" \
+    "id:1000002,\
+    phase:1,\
+    deny,\
+    status:403,\
+    log,\
+    msg:'WAF Test Rule Triggered via Custom Header'"

examples/iaas-ha-vrrp/.terraform.lock.hcl

@@ -5,6 +5,7 @@ provider "registry.terraform.io/hashicorp/random" {
   version     = "3.8.1"
   constraints = ">= 3.6.3"
   hashes = [
+    "h1:Eexl06+6J+s75uD46+WnZtpJZYRVUMB0AiuPBifK6Jc=",
     "h1:u8AKlWVDTH5r9YLSeswoVEjiY72Rt4/ch7U+61ZDkiQ=",
     "zh:08dd03b918c7b55713026037c5400c48af5b9f468f483463321bd18e17b907b4",
     "zh:0eee654a5542dc1d41920bbf2419032d6f0d5625b03bd81339e5b33394a3e0ae",
@@ -25,6 +26,7 @@ provider "registry.terraform.io/stackitcloud/stackit" {
   version     = "0.90.0"
   constraints = ">= 0.87.0"
   hashes = [
+    "h1:QgP6TOtucJ3A6fA51rdUvxhYGjl9RrWvXQZpjHTOuiU=",
     "h1:W29Kv6XUxYssF2Gy8KcmTx3EFstt6k8sKgPRIBbq+qs=",
     "zh:003af58a84884558bbb2fc40fcbefa6774ec20aa9e4b97cf3f950190a600afd2",
     "zh:026ee9cef4670cf33369f8654c6b9b1d8c0e116ceb0b353c882be222951ecdd4",

examples/iaas-ha-vrrp/01-config.tf

@@ -14,7 +14,7 @@
 
 variable "stackit_project_id" {
   type    = string
-  default = "d75e6aab-b616-4b42-ae3b-aaf161ad626d"
+  default = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 }
 
 variable "stackit_region" {

examples/iaas-ha-vrrp/03-master.tf

@@ -22,7 +22,7 @@ resource "stackit_server" "example01" {
     performance_class     = "storage_premium_perf6"
     delete_on_termination = true
   }
-  machine_type       = "c1.4"
+  machine_type       = "c2i.4"
   availability_zone  = "eu01-1"
   user_data          = local.user_data_master
   keypair_name       = stackit_key_pair.admin_keypair.name

examples/iaas-ha-vrrp/04-backup.tf

@@ -22,7 +22,7 @@ resource "stackit_server" "example02" {
     performance_class     = "storage_premium_perf6"
     delete_on_termination = true
   }
-  machine_type      = "c1.4"
+  machine_type      = "c2i.4"
   availability_zone = "eu01-2"
   user_data         = local.user_data_backup
   keypair_name      = stackit_key_pair.admin_keypair.name

examples/iaas-ha-vrrp/STACKIT-CLI-GUIDE.md

@@ -97,7 +97,7 @@ stackit server create \
   --boot-volume-source-id 03e19c6a-d73a-4ba9-96af-4bd03cf905d3 \ # Debian 12 image ID
   --keypair-name <sshKeyPair> \
   --availability-zone eu01-1 \
-  --machine-type c1.2 \
+  --machine-type c2i.4 \
   --name <serverName> \
   --network-interface-ids $NICID
 ```

examples/iaas-volume-encryption/.terraform.lock.hcl

@@ -5,6 +5,7 @@ provider "registry.terraform.io/stackitcloud/stackit" {
   version     = "0.80.0"
   constraints = "0.80.0"
   hashes = [
+    "h1:VqmLlSV9sMOX7aq5Bnsj18KNKCUPFahZzf0SA5fTkVk=",
     "h1:wz7uGwzVoo1NO18CDLcfjLraTSiWQ5EzJnDeCKcFi60=",
     "zh:0dde99e7b343fa01f8eefc378171fb8621bedb20f59157d6cc8e3d46c738105f",
     "zh:3a0e6cb125ef76a24b2b5ff9c786c57058f385571d283bd68f633225fcca695a",

examples/iaas-volume-encryption/01-config.tf

@@ -29,5 +29,5 @@ variable "zone" {
 variable "STACKIT_PROJECT_ID" {
   type        = string
   description = "STACKIT Project ID"
-  default     = "16ec118f-90d0-466d-8393-99eea504c536"
+  default     = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 }

examples/iaas-volume-encryption/05-server.tf

@@ -33,7 +33,7 @@ resource "stackit_network_interface" "nic" {
 
 data "stackit_security_group" "default" {
   project_id        = var.STACKIT_PROJECT_ID
-  security_group_id = "a6b4708e-b8ee-48ba-b084-a4892e9a73af"
+  security_group_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 }
 
 data "stackit_network" "default" {

examples/iaas-windows-byol-stackit-migration/MAINTAINERS.md

@@ -0,0 +1,9 @@
+# Maintainers
+
+General maintainers:
+
+- Gurwinder Singh (gurwinder.singh@digits.schwarz)
+
+This example is actively maintained. The owner is responsible for reviewing and updating dependencies and functionalities on a monthly basis.
+For questions, issues, or feature requests, please email general maintainers.
+Please include the BP name and version in your request. We will track your request as an issue.

examples/iaas-windows-byol-stackit-migration/README.md

@@ -0,0 +1,228 @@
+# **Guide: BYOL Migration to STACKIT**
+
+> ⚠️ Example images are still in German. Translating them into English is an open TODO.
+
+This document provides a migration path for your custom-built Windows Server VM (Bring Your Own License) from a local virtualization environment (e.g., Hyper-V / VirtualBox) to the STACKIT cloud platform.
+
+The detailed process ensures technical compatibility through the integration of VirtIO drivers and the conversion of disk images. Following these steps allows you to use your own Windows licenses within the STACKIT cloud.
+
+---
+
+### **Prerequisites**
+
+To successfully complete this workflow, you need access to the following tools and resources:
+
+- **STACKIT Windows VM (Recommended Sizing)**
+  - Flavor G2i.8
+  - Disk OS Perf6 - 64GB
+  - Data/Image Disk Perf10: 100GB
+- **Hyper-V:** Install as a virtualization platform via the Windows Role/Feature (e.g., via Server Manager).
+- **Qemu-img:** [https://www.qemu.org/download/#windows](https://www.qemu.org/download/#windows)
+- **STACKIT CLI:** [https://github.com/stackitcloud/stackit-cli/releases](https://github.com/stackitcloud/stackit-cli/releases)
+- **Virtio Drivers:** [https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/archive-virtio/?C=M;O=D](https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/archive-virtio/?C=M;O=D)
+- **Cloud-base Init:** [https://github.com/cloudbase/cloudbase-init/releases](https://github.com/cloudbase/cloudbase-init/releases)
+
+---
+
+### **Step-by-Step Migration**
+
+1. **Set up a new VM:** Action (**Aktion**) → New (**Neu**) → Virtual Machine (**Virtueller Computer**)
+   <p align="center"><img src="images/image1.jpg" width="650"></p>
+
+2. Click **Next** (**Weiter**)
+   <p align="center"><img src="images/image2.jpg" width="650"></p>
+
+3. **Specify Name and Location:** Enter the name of the new VM and, if necessary, a different storage location → **Next** (**Weiter**)
+   <p align="center"><img src="images/image3.jpg" width="650"></p>
+
+4. Select **Generation 2**
+
+   > **Note:** With Generation 2, you must manually press "Any Key" during startup to boot from the ISO image. If you miss this moment, the installation routine will not start!
+
+   <p align="center"><img src="images/image4.jpg" width="650"></p>
+
+5. **Assign Memory:** Startup memory (**Arbeitsspeicher beim Start**) → Enter value as needed (e.g., 4096 MB).
+   **Uncheck** the box: Use Dynamic Memory for this virtual machine (**Dynamischen Arbeitsspeicher für diesen virtuellen Computer verwenden**)
+   <p align="center"><img src="images/image5.jpg" width="650"></p>
+
+6. **Configure Networking:** Connection (**Verbindung**) → Not Connected (**Nicht verbunden**)
+   <p align="center"><img src="images/image6.jpg" width="650"></p>
+
+7. **Connect Virtual Hard Disk:** Define Name, Location (**Pfad**), and Size (**Größe**)
+   <p align="center"><img src="images/image7.jpg" width="650"></p>
+   The configured size corresponds to the minimum volume size of the future server in STACKIT.
+
+8. **Installation Options:** Install an operating system from a bootable CD/DVD-ROM (**Betriebssystem von einer startbaren CD/DVD-ROM installieren**) → Select Image file (**Abbilddatei (ISO)**) and use Browse (**Durchsuchen**) to select the required ISO image.
+   <p align="center"><img src="images/image8.jpg" width="650"></p>
+
+9. **Finish the New Virtual Machine Wizard:** Click **Finish** (**Fertig stellen**)
+   <p align="center"><img src="images/image9.jpg" width="650"></p>
+
+10. **Hyper-V Manager** view after creating the new VM
+    <p align="center"><img src="images/image10.jpg" width="650"></p>
+
+11. **Attach the Virtio drivers via ISO:**
+    <p align="center"><img src="images/image11.jpg" width="650"></p>
+
+12. Click **Connect** (**Verbinden**) to the new VM
+    <p align="center"><img src="images/image12.jpg" width="650"></p>
+    <p align="center"><img src="images/image13.jpg" width="650"></p>
+
+13. Start the new VM for the first time and perform the OS installation
+    <p align="center"><img src="images/image14.jpg" width="650"></p>
+
+14. **Perform Windows Server Setup** (Screenshots based on Windows Server 2022):
+    <p align="center"><img src="images/image15.jpg" width="650"></p>
+    <p align="center"><img src="images/image16.jpg" width="650"></p>
+
+15. <p align="center"><img src="images/image17.jpg" width="650"></p>
+
+16. <p align="center"><img src="images/image18.jpg" width="650"></p>
+
+17. <p align="center"><img src="images/image19.jpg" width="650"></p>
+
+18. Use the **Load Driver** (**Treiber laden**) selection
+    <p align="center"><img src="images/image20.jpg" width="650"></p>
+
+19. Installation of **three** Virtio drivers is now required so the image can be used on the STACKIT Hypervisor:
+    <p align="center"><img src="images/image21.jpg" width="650"></p>
+
+    **NetKVM Driver**
+    <p align="center"><img src="images/image22.jpg" width="650"></p>
+    <p align="center"><img src="images/image23.jpg" width="650"></p>
+
+    **Viostor**
+    <p align="center"><img src="images/image24.jpg" width="650"></p>
+    <p align="center"><img src="images/image41.jpg" width="650"></p>
+
+    **Vioscsi**
+    <p align="center"><img src="images/image24.jpg" width="650"></p>
+    <p align="center"><img src="images/image25.jpg" width="650"></p>
+
+20. <p align="center"><img src="images/image26.jpg" width="650"></p>
+
+21. <p align="center"><img src="images/image27.jpg" width="650"></p>
+
+22. <p align="center"><img src="images/image28.jpg" width="650"></p>
+
+23. **Display Configuration**
+    <p align="center"><img src="images/image29.jpg" width="650"></p>
+
+24. The two Virtio packages (**virtio-win-gt-x64.msi** and **virtio-win-guest-tools.exe**) from the Virtio ISO file should now be installed. It is also recommended to copy the content of the Virtio ISO file to the new system (e.g., `C:\temp\virtio\`). This has the advantage of being able to reinstall drivers relatively easily later.
+
+25. **Delete the Windows Recovery Partition**
+    This step is mandatory so that the volume of the future server on STACKIT can be flexibly expanded.
+
+| Step  | Command                     | Details / Notes                                                   |
+| :---- | :-------------------------- | :---------------------------------------------------------------- |
+| **1** | `diskpart`                  | Starts the partitioning program.                                  |
+| **2** | `select disk 0`             | Selects the hard disk. **Be sure to check** if Disk 0 is correct! |
+| **3** | `list partition`            | Displays all existing partitions.                                 |
+| **4** | `select partition <nr>`     | Select the number of the Recovery partition.                      |
+| **5** | `delete partition override` | Forces the deletion of the partition.                             |
+| **6** | `list partition`            | Check if the partition was successfully removed.                  |
+
+26. The Windows system can now be customized with individual software and prepared for the future image.
+
+27. Finally, run the [**Cloudbase-init Tool**](https://cloudbase.it/cloudbase-init/) on the Windows VM to bring Windows into the final starting position for the move to the STACKIT Cloud!
+
+28. Start **Cloudbase-Init Setup**
+    <p align="center"><img src="images/image30.jpg" width="650"></p>
+
+29. Agree to the **License Agreement** (**Lizenzvereinbarung**)
+    <p align="center"><img src="images/image31.jpg" width="650"></p>
+
+30. Confirm **Setup Type**
+    <p align="center"><img src="images/image32.jpg" width="650"></p>
+
+31. Define **Configuration Options**
+    <p align="center"><img src="images/image33.jpg" width="650"></p>
+
+32. Start **Installation**
+    <p align="center"><img src="images/image34.jpg" width="650"></p>
+
+33. Finish installation and execute **Sysprep** (**Sysprep ausführen**)
+    <p align="center"><img src="images/image35.jpg" width="650"></p>
+
+34. **Sysprep generalization** is running
+    <p align="center"><img src="images/image36.jpg" width="650"></p>
+
+---
+
+### **35. Image-Upload & VM Creation in STACKIT**
+
+After the local preparation is complete, the image is converted and transferred via STACKIT CLI.
+
+#### **36. Image Conversion (qCow2)**
+
+Convert the local VHDX into qcow2 format:
+
+````bash
+qemu-img convert -f vhdx -O qcow2 <Path_to_vhdx> <Path_to_qcow2>
+
+#### 37. STACKIT CLI Login
+Authenticate at the CLI:
+
+```bash
+stackit auth login
+````
+
+#### 38. Image Upload
+
+Upload the image to your STACKIT project:
+
+```bash
+stackit image create --name <win2025virtio> --disk-format=qcow2 --local-file-path="<path2qcow2>" -p <projectID>
+```
+
+#### 39. Status Check
+
+Check the upload progress and details:
+
+```bash
+stackit image list -p <projectID>
+stackit image describe <imageID> -p <projectID>
+```
+
+> **Important:** Take the generated `imageID` from the output. You must specify this ID as `<image_id>` in the next step to create the volume and the VM based on this image.
+
+#### 40. Provisioning (Volume & Server)
+
+First create the volume and then start the VM:
+
+**Step 1: Create Volume**
+
+```bash
+stackit volume create --availability-zone <AZ> \
+--name <volumename> --source-id <image_id> \
+--source-type image --size <GB> -p <projectID>
+```
+
+**Step 2: Instantiate Server**
+
+```bash
+stackit server create -n <servername> \
+--availability-zone <AZ> --machine-type <machineType> \
+--network-id <networkID> --boot-volume-source-id <volumeID> \
+--boot-volume-source-type volume -p <projectID>
+```
+
+#### 41. Image Sharing (Cross-Project)
+
+Share the image for other Project IDs within the organization:
+
+```bash
+stackit curl -X PATCH -H "Content-Type: application/json" \
+--data '{"projects": ["<ID1>", "<ID2>"]}' \
+https://iaas.api.eu01.stackit.cloud/v1/projects/<PROJECT_ID>/images/<IMAGE_ID>/share
+```
+
+#### 42. Completion
+
+Check if all drivers are correctly loaded in the operating system.
+After starting the VM in STACKIT, check the **Device Manager** (**Gerätemanager**) to verify that all drivers have been loaded properly.
+
+<p align="center"><img src="images/image37.jpg" width="650"></p>
+
+References:
+[https://docs.stackit.cloud/stackit/en/create-a-windows-server-via-stackit-iaas-api-cli-98304598.html](https://docs.stackit.cloud/stackit/en/create-a-windows-server-via-stackit-iaas-api-cli-98304598.html)

examples/iam-scim-integration/.terraform.lock.hcl

@@ -0,0 +1,146 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/goauthentik/authentik" {
+  version     = "2026.2.0"
+  constraints = "2026.2.0"
+  hashes = [
+    "h1:On3/Zzv3W72aGsJ4AhW/tnpi4hvq9cxwgf7tF6Tg+a4=",
+    "zh:00c44e8ee842e75de9cc4fd6193b10258d1dc840e5be4aaaf118ffc180dceee0",
+    "zh:13057f08bce3b63613e1be3997dd454ff9568c569dd983987b1550280fbe3d01",
+    "zh:410a1ff2ae4647cc0ab37894f81e4d474b588a0a7f005d05d55e8c3a40978dd2",
+    "zh:43830834d12b3c0eeabe397842f82ca3a6b58a5bc8dd837d55b821419b55ed61",
+    "zh:56eaedd196ed7c4003cee0434b891b38242b4fde2031978d0ddcfdf6e16ee5ad",
+    "zh:5b3c10bb63c3c215ed9e0918e5808b240e3f2ee8248d10cd4d824a4998a213c5",
+    "zh:99c14891bcb92a6b21ef4c0e60f6c0df23e3452808f3eefd67cde78d132c80d9",
+    "zh:9a32cdda9f939f8484e27d4200d004c44f016fe97579a111201083f4beea78e8",
+    "zh:ae5086816144f68de9a0002e7696321169a71473f9d161793f4ae996388f56de",
+    "zh:bd09409dd34608a4ef3ea80cfc5e397268e7872f2e84c1ccdc9b5698e36ddad5",
+    "zh:be7af8b9eb61b0eb5053f14360e5a68caeb32c115efe8e1b583f2e7c91352a2a",
+    "zh:e11726812a1b2caf6b6784a3d074d1f50e3d406e9629c02096a001e5a5979331",
+    "zh:e39183d10d8158ccab51208f4f727c7419b1b1e596f4feb23dc42aebb36d01e3",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/helm" {
+  version = "3.1.1"
+  hashes = [
+    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
+    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
+    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
+    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
+    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
+    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
+    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
+    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
+    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
+    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
+    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
+    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/kubernetes" {
+  version     = "3.1.0"
+  constraints = "> 2.14.0"
+  hashes = [
+    "h1:G9QqKNpcztBRqrywtlNylFJSpGzDfRFtO8hcWLdkvRY=",
+    "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0",
+    "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20",
+    "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c",
+    "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65",
+    "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0",
+    "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a",
+    "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1",
+    "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98",
+    "zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1",
+    "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/local" {
+  version = "2.9.0"
+  hashes = [
+    "h1:m24fjcInWvTVZ1XSo2MaNuKPe+X/gfG8SIi09rA7a7M=",
+    "zh:0baa4566cf77f1ff52f4293d1c8536202dd23edc197c3196413a28343c3ac3a0",
+    "zh:16b5559c3c07088ddad11a9bb9e9c0799999363c2958e9a5be2bcbbf2cd9ca64",
+    "zh:197c79015a10d1cce904a8ea722cbc750c42aeae2da53f44a6a0751d9fd1aa90",
+    "zh:29d0b03e5343a80677ebfeb2e2c31cbe4b1f65e736e53417454a4277fec2544c",
+    "zh:4896bfa6cf1d2fd562b47ef2e87f47862ae92a04f8ad5d764380f0c6653473b8",
+    "zh:531f8529cbca49f681883e57761a05a8398afaef6d1ab0d205d26bf12f4428e8",
+    "zh:6aaf5011d83161c86d2bfb80c0923ec934e578288758da2f37acb7aec129004b",
+    "zh:7430275253d3d3c40aa6179e0ec0d63212874dbbc06c5a51b9d07ec590f9756c",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:be17dc611e95e26cdf6cad79dfccf1064f0e32032a2efeb939a9bbe7fb1cbfe9",
+    "zh:f0e3b0aa644202e1d79d2000dca91f6019425da71e9800fa23f27e51c034f195",
+    "zh:f62bae4519e4ead49182ddc8afe8cf61e2a4c3ba3973b0fbba967736a2696aa3",
+    "zh:fcafa360a5b0b96244f26f4e3a6d642b716a376557142c2442ff2fb12d11da18",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/random" {
+  version     = "3.9.0"
+  constraints = "3.9.0"
+  hashes = [
+    "h1:OO+IuvQJSPmWdN8AyyIEvPJbLvDQpgX/zbktoa9KsJE=",
+    "zh:161ad0bd9a75768c82f53fb6e7172a9d8be2d4889b012645a34795031aaf1bf1",
+    "zh:19dc9a5b17729725ccfc4f45b0500af0ee5bc6b6b160c7adb8f2bf617d2c80ea",
+    "zh:269eda8fe42daa7974d5a34d166c3ba9defe80cde86c01e4dadcfdf2e1f05e5f",
+    "zh:373f7c65566f8f2cc7f45d698654feb9d988996957e1266a69ca00c52d6d16d0",
+    "zh:5599d16804c41c83009ec621b6d6b6f74e102f5827678a4750f8809055546b61",
+    "zh:583be0440469a22bff70dcfa56593b01566860b29607437264adb51060cf46fc",
+    "zh:5f211d8ec3f2e1f414870d9584bfe26e6995560ef81c748f8447a48164767398",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:7b547fd16216761ef86efc3ed516ac5ac0c5c42b7c7eb24a08cef2d93f69ed5e",
+    "zh:7e7c0679daf2a382151d05068c8c3f0dae6b7b7dccf818827b73dd08638df2ef",
+    "zh:8089dec888a8038b9b4fb23b3df7e1057293dbc5b60b42cc47ff690d69d4b61b",
+    "zh:c51f15a031edfd6f23ce8ced3446ca7f8d8d647e2499890d7d5d10d5016d7257",
+    "zh:c94784f005708890dc6895afd53636ec00ec1e430b15d41e5aebfb1d4b39bd04",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/time" {
+  version     = "0.14.0"
+  constraints = ">= 0.9.1"
+  hashes = [
+    "h1:/hlxsUpuN/lvPTNL9+NyVGsOyRsK5NsxwFMsj5CdOp4=",
+    "zh:12abfd6b800e4d7fa6db7310dec8ffd440b31993861ef188c7ed5260b3073937",
+    "zh:23005521e800bb19e1597bf755c5f70d675d30b685d4255001ed5fa47d9df3f1",
+    "zh:2fea249b582ae97cd1cc10385187ea50993bb47c28cc5df0305e57ceaabf0a10",
+    "zh:322018d3b987b7aad08697178029a2bb667bed699e88328f0c89c52a2fd41341",
+    "zh:32a08e98fce2d273cb9b2c89d6c54727cc9f0a32e15bfd896be4e02cc6b48f95",
+    "zh:3db89aabd0e619616bd4b0f8b373a7586dfe60feffcea12a84a0bdbc445714b3",
+    "zh:7488f56c81d742dc020f29063626c8f07ca188aa97be61e7307e8d62397020a2",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:7cb4067f2e7559b13f7562ef722f948950901eb37834873e98360ab28f66e9d7",
+    "zh:9d552c8345f61e1b7db8e725144981345f18ac1014d58d6f5ddf0928a195fffb",
+    "zh:a8e69fb6b97fc9d86fb19a9f4d42abe33c4a68e700b15387ce2e17d2b9934bed",
+    "zh:aeeb900eb8dd0f790c60ea5c0e0c8d42bd6e4a54f391681d4decca15b544394b",
+    "zh:c239c619101a8c95e1f14061eb973c57a8d15fa0e68878ced5bbd76858ee5b79",
+  ]
+}
+
+provider "registry.terraform.io/stackitcloud/stackit" {
+  version     = "0.96.0"
+  constraints = ">= 0.87.0, >= 0.95.0"
+  hashes = [
+    "h1:NgwbVCV5pfBVMO3xUMop4l5AzvVv3BuBzXpJjgoZfSU=",
+    "zh:04d309851424a53d3d014dde3b143fc1cdc19fbebf558eb4b927878103f78fb0",
+    "zh:0dde99e7b343fa01f8eefc378171fb8621bedb20f59157d6cc8e3d46c738105f",
+    "zh:0ebcdf98a47f301e12925803198320d637552ef57abc49e2a48a009f1ddbf39a",
+    "zh:176238c057193c9c60c365b83463e758892186fcc2bd14bc9bbf69bf471f1d6b",
+    "zh:1c514ec6d09ee210ebb813d49b7d3a71b5b9d0b173c743bce9ab937b1e3d303a",
+    "zh:20433d0dc7e4aa2a806863fc289a2cecb19763624f199babfbe44f22d4d9150f",
+    "zh:452ceacbe4a1f70c81320b9223f4958c9bc122508c79e86bc97cb9241682c053",
+    "zh:5f893229f41f8dc2169b5b02785fb2988e8cad2141722a411711182bafefa015",
+    "zh:69383e27067a6413300d3acbcdad8f890bd187e16630580c09900ba379659284",
+    "zh:694de24bd05027c3c8b7a7c477973f76cd5a11d7fd38819026b5a0e588698fd9",
+    "zh:7c7399e3223dd76efb56ca2e3c9435b41bcbaf549839cec36023f801ca5bdcd2",
+    "zh:8a92b221694c59648d22e2e2a0059015872eff7034ae0ba9eb801fe399644a2c",
+    "zh:90a8ae716c9bc6c8804a38f7a903c7af7114ce324d0126c64e1447b6d255cdba",
+    "zh:d29eb17fde9460c5ce3c7a7975eef0ad7fea692eb17fad5e0421952e4d29dbd2",
+  ]
+}

examples/iam-scim-integration/010-provider.tf

@@ -0,0 +1,66 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+terraform {
+  required_providers {
+    stackit = {
+      source  = "stackitcloud/stackit"
+      version = ">=0.95.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">2.14.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.0.0"
+    }
+    authentik = {
+      source  = "goauthentik/authentik"
+      version = "2026.2.0"
+    }
+    time = {
+      source  = "hashicorp/time"
+      version = ">= 0.9.1"
+    }
+  }
+}
+
+provider "authentik" {
+  url   = "https://${stackit_dns_record_set.authentik.name}.${stackit_dns_zone.this.dns_name}"
+  token = random_password.authentik_bootstrap_token.result
+}
+
+provider "stackit" {
+  default_region           = var.stackit_region
+  service_account_key_path = var.stackit_service_account_key_path
+  enable_beta_resources    = true
+}
+
+
+provider "kubernetes" {
+  host                   = yamldecode(module.ske.kubeconfig).clusters.0.cluster.server
+  client_certificate     = base64decode(yamldecode(module.ske.kubeconfig).users.0.user.client-certificate-data)
+  client_key             = base64decode(yamldecode(module.ske.kubeconfig).users.0.user.client-key-data)
+  cluster_ca_certificate = base64decode(yamldecode(module.ske.kubeconfig).clusters.0.cluster.certificate-authority-data)
+}
+
+provider "helm" {
+  kubernetes = {
+    host                   = yamldecode(module.ske.kubeconfig).clusters.0.cluster.server
+    client_certificate     = base64decode(yamldecode(module.ske.kubeconfig).users.0.user.client-certificate-data)
+    client_key             = base64decode(yamldecode(module.ske.kubeconfig).users.0.user.client-key-data)
+    cluster_ca_certificate = base64decode(yamldecode(module.ske.kubeconfig).clusters.0.cluster.certificate-authority-data)
+  }
+}

examples/iam-scim-integration/020-variables.tf

@@ -0,0 +1,47 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+variable "stackit_project_id" {
+  type = string
+}
+
+variable "stackit_region" {
+  type    = string
+  default = "eu01"
+}
+
+variable "stackit_service_account_key_path" {
+  type = string
+}
+
+variable "acme_email" {
+  description = "The email address used for ACME registration."
+  type        = string
+}
+
+variable "authentik_scim_long_lived_token" {
+  description = "The SCIM synchronization token provided by the IDP team. This configuration uses a long-lived static token due to Authentik Community Edition limitations. For production environments, dynamically generated, short-lived tokens are highly recommended."
+  type        = string
+}
+
+variable "authentik_number_of_users" {
+  description = "The number of test users to generate"
+  type        = number
+}
+
+variable "authentik_default_user_password" {
+  description = "The default password assigned to all created test users"
+  type        = string
+  sensitive   = true
+}

examples/iam-scim-integration/030-ske-cluster.tf

@@ -0,0 +1,37 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module "ske" {
+  source       = "../../modules/test-ske"
+  project_id   = var.stackit_project_id
+  cluster_name = "ske-test"
+}
+
+resource "kubernetes_namespace_v1" "cert_manager" {
+  metadata {
+    name = "cert-manager"
+  }
+}
+
+resource "kubernetes_namespace_v1" "authentik" {
+  metadata {
+    name = "authentik"
+  }
+}
+
+resource "kubernetes_namespace_v1" "nginx" {
+  metadata {
+    name = "nginx"
+  }
+}

examples/iam-scim-integration/040-dns.tf

@@ -0,0 +1,46 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "stackit_public_ip" "ingress_floating_ip" {
+  project_id = var.stackit_project_id
+
+  lifecycle {
+    ignore_changes = [network_interface_id]
+  }
+}
+
+resource "random_string" "this" {
+  length  = 6
+  special = false
+  upper   = false
+}
+
+resource "stackit_dns_zone" "this" {
+  project_id    = var.stackit_project_id
+  name          = random_string.this.result
+  dns_name      = "${random_string.this.result}.runs.onstackit.cloud"
+  type          = "primary"
+  default_ttl   = 60
+  contact_email = "hostmaster@stackit.cloud"
+}
+
+resource "stackit_dns_record_set" "authentik" {
+  project_id = var.stackit_project_id
+  zone_id    = stackit_dns_zone.this.zone_id
+  name       = "authentik"
+  type       = "A"
+  ttl        = 60
+  comment    = "a record"
+  records    = [stackit_public_ip.ingress_floating_ip.ip]
+}

examples/iam-scim-integration/050-cert-manager.tf

@@ -0,0 +1,62 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "helm_release" "cert_manager" {
+  name       = "cert-manager"
+  repository = "https://charts.jetstack.io"
+  chart      = "cert-manager"
+  version    = "v1.15.1"
+
+  timeout         = 120
+  cleanup_on_fail = true
+  force_update    = false
+  namespace       = kubernetes_namespace_v1.cert_manager.metadata.0.name
+
+  set = [
+    {
+      name  = "crds.enabled"
+      value = "true"
+    }
+  ]
+}
+
+resource "kubernetes_manifest" "cluster_issuer" {
+  manifest = {
+    apiVersion = "cert-manager.io/v1"
+    kind       = "ClusterIssuer"
+    metadata = {
+      name = "letsencrypt-prod-cluster"
+    }
+    spec = {
+      acme = {
+        email  = var.acme_email
+        server = "https://acme-v02.api.letsencrypt.org/directory"
+        privateKeySecretRef = {
+          name = "letsencrypt-prod-cluster"
+        }
+        solvers = [
+          {
+            http01 = {
+              ingress = {
+                class = "nginx"
+              }
+            }
+          }
+        ]
+      }
+    }
+  }
+
+  depends_on = [helm_release.cert_manager]
+}

examples/iam-scim-integration/060-nginx-ingress.tf

@@ -0,0 +1,36 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "helm_release" "nginx_ingress" {
+  name       = "nginx-ingress"
+  repository = "https://kubernetes.github.io/ingress-nginx"
+  chart      = "ingress-nginx"
+  version    = "4.2.3"
+
+  namespace = kubernetes_namespace_v1.nginx.metadata.0.name
+
+  values = [
+    <<EOF
+controller:
+  replicaCount: 1
+  service:
+    type: LoadBalancer
+    annotations:
+      lb.stackit.cloud/ip-mode-proxy: "true"
+      lb.stackit.cloud/external-address: ${stackit_public_ip.ingress_floating_ip.ip}
+EOF
+  ]
+
+  timeout = 600
+}

examples/iam-scim-integration/070-authentik-chart.tf

@@ -0,0 +1,98 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "random_password" "authentik_secret_key" {
+  length  = 50
+  special = true
+}
+
+resource "random_password" "authentik_bootstrap_password" {
+  length  = 24
+  special = true
+}
+
+resource "random_password" "authentik_bootstrap_token" {
+  length  = 40
+  special = false
+}
+
+resource "random_password" "postgresql_password" {
+  length  = 24
+  special = false
+}
+
+locals {
+  authentik_values = {
+    authentik = {
+      secret_key         = random_password.authentik_secret_key.result
+      bootstrap_password = random_password.authentik_bootstrap_password.result
+      bootstrap_token    = random_password.authentik_bootstrap_token.result
+      postgresql = {
+        user     = "authentik"
+        name     = "authentik"
+        password = random_password.postgresql_password.result
+      }
+    }
+    postgresql = {
+      enabled = true
+      auth = {
+        username = "authentik"
+        database = "authentik"
+        password = random_password.postgresql_password.result
+      }
+    }
+    server = {
+      ingress = {
+        enabled          = true
+        ingressClassName = "nginx"
+        annotations = {
+          "cert-manager.io/cluster-issuer" = "letsencrypt-prod-cluster"
+        }
+        hosts = [
+          "${stackit_dns_record_set.authentik.name}.${stackit_dns_zone.this.dns_name}"
+        ]
+        paths = ["/"]
+        tls = [
+          {
+            secretName = "authentik-tls"
+            hosts = [
+              "${stackit_dns_record_set.authentik.name}.${stackit_dns_zone.this.dns_name}"
+            ]
+          }
+        ]
+      }
+    }
+  }
+}
+
+resource "helm_release" "authentik" {
+  name       = "authentik"
+  repository = "https://charts.goauthentik.io"
+  chart      = "authentik"
+  version    = "2026.2.3"
+
+  namespace = kubernetes_namespace_v1.authentik.metadata.0.name
+
+  values = [
+    yamlencode(local.authentik_values)
+  ]
+
+  timeout = 600
+}
+
+resource "time_sleep" "wait_60_seconds" {
+  depends_on = [helm_release.authentik]
+
+  create_duration = "60s"
+}

examples/iam-scim-integration/071-authentik-user-groups.tf

@@ -0,0 +1,47 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "authentik_user" "test_users" {
+  count = var.authentik_number_of_users
+
+  username = "testuser${count.index + 1}"
+  name     = "Test User ${count.index + 1}"
+  email    = "testuser${count.index + 1}@${stackit_dns_zone.this.dns_name}"
+
+  password = var.authentik_default_user_password
+
+  attributes = jsonencode({
+    given_name         = "Test${count.index + 1}"
+    family_name        = "User ${count.index + 1}"
+    preferred_username = "testuser${count.index + 1}"
+  })
+
+  depends_on = [time_sleep.wait_60_seconds]
+}
+
+resource "authentik_group" "stackit_test_user" {
+  name       = "stackit-admins"
+  users      = authentik_user.test_users[*].id
+  depends_on = [time_sleep.wait_60_seconds]
+}
+
+data "authentik_property_mapping_provider_scope" "scopes" {
+  managed_list = [
+    "goauthentik.io/providers/oauth2/scope-openid",
+    "goauthentik.io/providers/oauth2/scope-email",
+    "goauthentik.io/providers/oauth2/scope-profile"
+  ]
+
+  depends_on = [time_sleep.wait_60_seconds]
+}

examples/iam-scim-integration/072-authentik-provider-oauth2.tf

@@ -0,0 +1,82 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "random_password" "authentik_client_secret" {
+  length  = 40
+  special = true
+}
+
+data "authentik_flow" "default_authorization_flow" {
+  slug = "default-provider-authorization-implicit-consent"
+
+  depends_on = [time_sleep.wait_60_seconds]
+}
+
+data "authentik_flow" "default_invalidation_flow" {
+  slug = "default-provider-invalidation-flow"
+
+  depends_on = [time_sleep.wait_60_seconds]
+}
+
+resource "authentik_property_mapping_provider_scope" "stackit_custom_claims" {
+  name       = "stackit-custom-claims"
+  scope_name = "profile" # Attaches this data to the standard 'profile' scope
+  expression = <<EOT
+return {
+    "given_name": request.user.attributes.get("given_name", request.user.name),
+    "family_name": request.user.attributes.get("family_name", request.user.name),
+    "preferred_username": request.user.attributes.get("preferred_username", request.user.username)
+}
+EOT
+}
+
+data "authentik_certificate_key_pair" "this" {
+  name = "authentik Self-signed Certificate"
+}
+
+resource "authentik_provider_oauth2" "stackit" {
+  name          = "stackit"
+  client_id     = "stackit-client"
+  client_secret = random_password.authentik_client_secret.result
+
+  authorization_flow = data.authentik_flow.default_authorization_flow.id
+  invalidation_flow  = data.authentik_flow.default_invalidation_flow.id
+
+  allowed_redirect_uris = [
+    {
+      matching_mode = "strict"
+      url           = "https://accounts.stackit.cloud/ui/login/login/externalidp/callback"
+    },
+    # debugging
+    {
+      matching_mode = "strict"
+      url           = "http://localhost:8080/ui/login/login/externalidp/callback"
+    }
+  ]
+
+  signing_key = data.authentik_certificate_key_pair.this.id
+
+  property_mappings = concat(
+    data.authentik_property_mapping_provider_scope.scopes.ids,
+    [authentik_property_mapping_provider_scope.stackit_custom_claims.id]
+  )
+
+  include_claims_in_id_token = true
+
+  depends_on = [time_sleep.wait_60_seconds]
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}

examples/iam-scim-integration/073-authentik-scim-sync.tf

@@ -0,0 +1,48 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+data "authentik_property_mapping_provider_scim" "scim_user" {
+  managed_list = [
+    "goauthentik.io/providers/scim/user"
+  ]
+}
+
+data "authentik_property_mapping_provider_scim" "scim_group" {
+  managed_list = [
+    "goauthentik.io/providers/scim/group"
+  ]
+}
+
+resource "authentik_provider_scim" "stackit" {
+  name = "stackit-scim"
+  url  = "https://accounts.stackit.cloud/scim/v2/"
+
+  token = var.authentik_scim_long_lived_token
+
+  property_mappings       = data.authentik_property_mapping_provider_scim.scim_user.ids
+  property_mappings_group = data.authentik_property_mapping_provider_scim.scim_group.ids
+
+  exclude_users_service_account = true
+}
+
+resource "authentik_application" "stackit" {
+  name              = "STACKIT"
+  slug              = "stackit"
+  protocol_provider = authentik_provider_oauth2.stackit.id
+
+  # Connects the SCIM provisioning pipeline to this application
+  backchannel_providers = [
+    authentik_provider_scim.stackit.id
+  ]
+}

examples/iam-scim-integration/100-outputs.tf

@@ -0,0 +1,49 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+output "authentik_url" {
+  value = "https://${stackit_dns_record_set.authentik.name}.${stackit_dns_zone.this.dns_name}"
+}
+
+output "authentik_oidc_issuer" {
+  description = "Issuer identifier URL for your OIDC provider"
+  value       = "https://${stackit_dns_record_set.authentik.name}.${stackit_dns_zone.this.dns_name}/application/o/stackit/"
+}
+
+output "authentik_oidc_client_id" {
+  description = "ID assigned to our application"
+  value       = authentik_provider_oauth2.stackit.client_id
+}
+
+output "authentik_oidc_client_secret" {
+  description = "Secret key associated with the Client ID"
+  value       = random_password.authentik_client_secret.result
+  sensitive   = true
+}
+
+output "stackit_ticket_scopes" {
+  description = "Required permissions to include in the STACKIT Support Ticket"
+  value       = "openid email profile"
+}
+
+output "stackit_ticket_claims_mapping" {
+  description = "Standard Authentik claims mapping to copy into the STACKIT Support Ticket"
+  value = {
+    unique_user_id = "sub"
+    email_address  = "email"
+    preferred_name = "preferred_username" # Or "name"
+    first_name     = "given_name"
+    last_name      = "family_name"
+  }
+}