Merge pull request 'example(ske-azure-arc): add example on how to add ske cluster to azure arc' (#26) from example/ske-azure-arc-integeration into main

Reviewed-on: #26

.github/workflows/default-ci.yaml

@@ -1,4 +1,4 @@
-name: "Professional Services CI"
+name: "Default CI"
 
 on:
   push:
@@ -17,6 +17,23 @@ jobs:
       - name: TruffleHog Scan
         uses: edplato/trufflehog-actions-scan@master
 
+  todo-check:
+    name: "Check for Open TODOs"
+    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'stackit-ubuntu-22' }}
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v6
+
+      - name: Search codebase
+        run: |
+          # Searches recursively (-r), showing line numbers (-n), ignoring binary files (-I)
+          # Excludes the .git directory to prevent false positives
+          if grep -rnIE "# ?TODO" --exclude-dir=.git --exclude-dir=.github .; then
+            echo "Error: TODOs found in the codebase. Please resolve them before merging."
+            exit 1
+          fi
+          echo "No TODOs found. Proceeding."
+
   pre-commit-checks:
     name: "Pre-Commit Hooks"
     runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'stackit-ubuntu-22' }}

.github/workflows/github-mirror-ci.yaml

@@ -28,11 +28,11 @@ jobs:
       - name: Push to Public Repo
         run: |
           echo "Setting up remote..."
-          git config --global user.name "prof-service-sync-bot"
-          git config --global user.email "prof-service-sync-bot@digits.schwarz"
+          git config --global user.name "ps-sync-bot"
+          git config --global user.email "ps-sync-bot@digits.schwarz"
 
           # Add the GitHub remote using the SSH protocol
-          git remote add public git@github.com:stackitcloud/professional-services.git
+          git remote add public git@github.com:stackitcloud/professional-service.git
 
           echo "Pushing main branch to GitHub..."
           git push public main --force

.gitignore

@@ -67,3 +67,7 @@ go.work.sum
 ### Jetbrains
 .idea
 ssh
+keys
+
+### K8s
+.kubeconfig

GOVERNANCE.md

@@ -0,0 +1,41 @@
+# Project Governance: STACKIT Professional Service
+
+This document defines the management, ownership, and maintenance processes for the STACKIT Professional Service repository.
+
+## 1. Strategy & "The Story"
+
+This repository serves as a bridge between internal excellence and public visibility.
+
+- **Internal Git (Source of Truth):** The primary repository is hosted on our internal STACKIT Git instance. All internal communication, documentation, and chat links MUST point to the internal instance to promote our own infrastructure and tools.
+- **GitHub (Public Mirror):** The GitHub repository is a mirror intended for external visibility, SEO, and accessibility for AI models (LLMs). It helps customers find our solutions and establishes STACKIT as a thought leader in cloud automation.
+
+## 2. Ownership
+
+### 2.1 Organizational Ownership
+
+The repository is owned by the **STACKIT Professional Services** organization. High-level decisions regarding repository structure, licensing, and global policies are managed by the Core Maintainers team.
+
+### 2.2 Example & Module Ownership
+
+Individual examples or modules within the repository have specific owners, documented in their respective `MAINTAINERS.md` files.
+
+- **Responsibility:** Owners are responsible for the technical health, periodic updates (e.g., dependency bumps), and community feedback for their specific content.
+- **Handover:** If an owner leaves the project or company, ownership reverts to the Core Maintainers until a new owner is assigned.
+
+## 3. Review & Quality Assurance
+
+To ensure high standards and security, we follow a strict contribution process:
+
+- **4-Eyes Principle:** No code enters the `main` branch without at least one successful Peer Review.
+- **Automated Validation:** Every Pull Request must pass the CI pipeline, which includes:
+  - Linting and formatting checks.
+  - License header verification (Apache 2.0).
+  - Secret scanning (Trufflehog).
+- **Best Effort Policy:** While we strive for quality, the content is provided "as-is." Use in production environments requires independent validation by the user.
+
+## 4. Mirroring Process
+
+The synchronization between the internal Git and GitHub is fully automated:
+
+1.  Changes are merged into the internal `main` branch.
+2.  A GitHub Action triggers on every push to `main`.

README.md

@@ -1,12 +1,12 @@
-# STACKIT Professional Services
+# STACKIT Professional Service
 
-Welcome to the central repository for STACKIT Professional Services examples, scripts, and boilerplate code!
+Welcome to the central repository for STACKIT examples, scripts, and boilerplate code!
 
 > **⚠️ REPOSITORY MIRROR NOTICE**
 >
 > This GitHub repository is a **mirror**.
 > The primary, internal source of truth for this codebase lives at:
-> `https://professional-service.git.onstackit.cloud/professional-service-best-practices/professional-services`
+> `https://professional-service.git.onstackit.cloud/professional-service-best-practices/professional-service`
 >
 > We automatically sync changes from our STACKIT managed GIT instance to this public GitHub repository.
 >
@@ -20,7 +20,13 @@ Let's be upfront about how this repository is maintained:
 
 - **Strictly Best Effort:** Everything you find in this repository is provided on a "best effort" basis.
 - **No Guarantees on Freshness:** We try our best to keep the examples, Terraform modules, and scripts up to date with the latest provider releases and API changes. However, **we cannot guarantee it**. Things move fast in the cloud, and some examples might become outdated over time.
-- **Use Your Brain:** Do not blindly copy-paste code from here directly into a production environment.
+- **Review Before Deploying:** Do not blindly copy-paste code from here directly into a production environment.
+
+## Contents
+
+- [`examples/`](./examples) — Example solutions across a variety of STACKIT products.
+- [`scripts/`](./scripts/README.md) — Helper scripts for working with STACKIT services.
+- [`modules/`](./modules) — Ready-made Terraform modules to simplify your deployments.
 
 ## How to Use This Repository
 

examples/dbaas-otel-collect-metrics/.terraform.lock.hcl

@@ -0,0 +1,107 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/helm" {
+  version = "3.1.1"
+  hashes = [
+    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
+    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
+    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
+    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
+    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
+    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
+    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
+    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
+    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
+    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
+    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
+    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
+    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/kubernetes" {
+  version     = "3.1.0"
+  constraints = ">= 2.14.0"
+  hashes = [
+    "h1:G9QqKNpcztBRqrywtlNylFJSpGzDfRFtO8hcWLdkvRY=",
+    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
+    "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0",
+    "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20",
+    "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c",
+    "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65",
+    "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0",
+    "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a",
+    "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1",
+    "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98",
+    "zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1",
+    "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/random" {
+  version     = "3.8.1"
+  constraints = ">= 3.6.3"
+  hashes = [
+    "h1:Eexl06+6J+s75uD46+WnZtpJZYRVUMB0AiuPBifK6Jc=",
+    "h1:u8AKlWVDTH5r9YLSeswoVEjiY72Rt4/ch7U+61ZDkiQ=",
+    "zh:08dd03b918c7b55713026037c5400c48af5b9f468f483463321bd18e17b907b4",
+    "zh:0eee654a5542dc1d41920bbf2419032d6f0d5625b03bd81339e5b33394a3e0ae",
+    "zh:229665ddf060aa0ed315597908483eee5b818a17d09b6417a0f52fd9405c4f57",
+    "zh:2469d2e48f28076254a2a3fc327f184914566d9e40c5780b8d96ebf7205f8bc0",
+    "zh:37d7eb334d9561f335e748280f5535a384a88675af9a9eac439d4cfd663bcb66",
+    "zh:741101426a2f2c52dee37122f0f4a2f2d6af6d852cb1db634480a86398fa3511",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:a902473f08ef8df62cfe6116bd6c157070a93f66622384300de235a533e9d4a9",
+    "zh:b85c511a23e57a2147355932b3b6dce2a11e856b941165793a0c3d7578d94d05",
+    "zh:c5172226d18eaac95b1daac80172287b69d4ce32750c82ad77fa0768be4ea4b8",
+    "zh:dab4434dba34aad569b0bc243c2d3f3ff86dd7740def373f2a49816bd2ff819b",
+    "zh:f49fd62aa8c5525a5c17abd51e27ca5e213881d58882fd42fec4a545b53c9699",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/time" {
+  version = "0.13.1"
+  hashes = [
+    "h1:+W+DMrVoVnoXo3f3M4W+OpZbkCrUn6PnqDF33D2Cuf0=",
+    "h1:ZT5ppCNIModqk3iOkVt5my8b8yBHmDpl663JtXAIRqM=",
+    "zh:02cb9aab1002f0f2a94a4f85acec8893297dc75915f7404c165983f720a54b74",
+    "zh:04429b2b31a492d19e5ecf999b116d396dac0b24bba0d0fb19ecaefe193fdb8f",
+    "zh:26f8e51bb7c275c404ba6028c1b530312066009194db721a8427a7bc5cdbc83a",
+    "zh:772ff8dbdbef968651ab3ae76d04afd355c32f8a868d03244db3f8496e462690",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:898db5d2b6bd6ca5457dccb52eedbc7c5b1a71e4a4658381bcbb38cedbbda328",
+    "zh:8de913bf09a3fa7bedc29fec18c47c571d0c7a3d0644322c46f3aa648cf30cd8",
+    "zh:9402102c86a87bdfe7e501ffbb9c685c32bbcefcfcf897fd7d53df414c36877b",
+    "zh:b18b9bb1726bb8cfbefc0a29cf3657c82578001f514bcf4c079839b6776c47f0",
+    "zh:b9d31fdc4faecb909d7c5ce41d2479dd0536862a963df434be4b16e8e4edc94d",
+    "zh:c951e9f39cca3446c060bd63933ebb89cedde9523904813973fbc3d11863ba75",
+    "zh:e5b773c0d07e962291be0e9b413c7a22c044b8c7b58c76e8aa91d1659990dfb5",
+  ]
+}
+
+provider "registry.terraform.io/stackitcloud/stackit" {
+  version     = "0.92.0"
+  constraints = ">= 0.87.0"
+  hashes = [
+    "h1:dE5sdzUaHkzVL8AW3+GXD2EEWX2PlS+sHT7F25SXcZ0=",
+    "h1:j26ncxqlAp4q0/NHFoiATuVdIg7KH0zZhWoSAd+4Yj0=",
+    "zh:0dde99e7b343fa01f8eefc378171fb8621bedb20f59157d6cc8e3d46c738105f",
+    "zh:5eaa713f68a004ec33697f510ca4c7722940e2bab8080c025822ca547325ef98",
+    "zh:60ed4496492b9781f7cc581e346222a6356538a527e4ac67dce6815a64fc5c66",
+    "zh:6834a7819429e3482a5fdd547c442cc032d7047c3fb0dee30e8babb2438598e1",
+    "zh:6de632db0cbb42b429a9e752078df37716b0f335e5c39e883be5c55f7f1da553",
+    "zh:ac8b1bc8212236aaab789cef1dce718e6b8394bcf4b5f6c6f8dabf8c8a213573",
+    "zh:af4b1e805d6082a3ec94d2f5b68e8a62f04205af3f75a4a7d1b167e0f027d9ec",
+    "zh:b709258a4cd3acd0a9426809c1d7c1ed25859010b566c1b29481b132a7e2af13",
+    "zh:c7e8c5e8f2ca8c14c1bf5c92716a761b67792b38046b99653bdbf9ca423fc675",
+    "zh:c7f47c6b7e33d1f28bdc8d1aa5fda2734d74d6b1b0c6ef8b258489d9405af231",
+    "zh:d57dc6ad6b3a2879aa47012faf82f597a2ca1c3de1561bb96c6191e65072ea95",
+    "zh:d5b18390104164477913ced864e7a1cd5a678490f9412be887e5d8e3961d242e",
+    "zh:ead616306ab18c30a4c1110ad7fa8aee7d8a99e4410ceecbe5875beac5724f8a",
+    "zh:f73ad70183a35e5d04e4b48c44654c76fec48a8f4c913dd31a5befc2a1c2e4dc",
+  ]
+}

examples/dbaas-otel-collect-metrics/00-provider.tf

@@ -0,0 +1,55 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This file defines the required Terraform providers and their configurations.
+# It sets up the STACKIT, Kubernetes, and Helm providers to manage resources in the project and the SKE cluster.
+terraform {
+  required_version = ">= 0.14.0"
+  required_providers {
+    stackit = {
+      source  = "stackitcloud/stackit"
+      version = ">= 0.87.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.6.3"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">=2.14.0"
+    }
+  }
+}
+
+provider "stackit" {
+  default_region           = var.stackit_region
+  service_account_key_path = var.stackit_service_account_key_path
+  experiments              = ["iam"]
+}
+
+provider "kubernetes" {
+  host                   = yamldecode(stackit_ske_kubeconfig.this.kube_config).clusters.0.cluster.server
+  client_certificate     = base64decode(yamldecode(stackit_ske_kubeconfig.this.kube_config).users.0.user.client-certificate-data)
+  client_key             = base64decode(yamldecode(stackit_ske_kubeconfig.this.kube_config).users.0.user.client-key-data)
+  cluster_ca_certificate = base64decode(yamldecode(stackit_ske_kubeconfig.this.kube_config).clusters.0.cluster.certificate-authority-data)
+}
+
+provider "helm" {
+  kubernetes = {
+    host                   = yamldecode(stackit_ske_kubeconfig.this.kube_config).clusters.0.cluster.server
+    client_certificate     = base64decode(yamldecode(stackit_ske_kubeconfig.this.kube_config).users.0.user.client-certificate-data)
+    client_key             = base64decode(yamldecode(stackit_ske_kubeconfig.this.kube_config).users.0.user.client-key-data)
+    cluster_ca_certificate = base64decode(yamldecode(stackit_ske_kubeconfig.this.kube_config).clusters.0.cluster.certificate-authority-data)
+  }
+}

examples/dbaas-otel-collect-metrics/01-variables.tf

@@ -0,0 +1,33 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+variable "stackit_project_id" {
+  type    = string
+  default = "d75e6aab-b616-4b42-ae3b-aaf161ad626d"
+}
+
+variable "stackit_region" {
+  type    = string
+  default = "eu01"
+}
+
+variable "stackit_service_account_key_path" {
+  type    = string
+  default = "../../keys/stackit-sa.json"
+}
+
+resource "stackit_key_pair" "admin_keypair" {
+  name       = "admin-keypair-12345"
+  public_key = chomp(file("~/.ssh/id_rsa.pub"))
+}

examples/dbaas-otel-collect-metrics/02-ske.tf

@@ -0,0 +1,67 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "stackit_ske_kubeconfig" "this" {
+  project_id   = var.stackit_project_id
+  cluster_name = stackit_ske_cluster.this.name
+  refresh      = true
+
+  depends_on = [stackit_ske_cluster.this]
+}
+
+data "stackit_ske_kubernetes_versions" "this" {
+  version_state = "SUPPORTED"
+}
+
+data "stackit_ske_machine_image_versions" "this" {
+  version_state = "SUPPORTED"
+}
+
+locals {
+  flatcar_supported_version = one(flatten([
+    for mi in data.stackit_ske_machine_image_versions.this.machine_images : [
+      for v in mi.versions :
+      v.version
+      if mi.name == "flatcar"
+    ]
+  ]))
+}
+
+resource "stackit_ske_cluster" "this" {
+  project_id             = var.stackit_project_id
+  name                   = "dbaas-otel"
+  kubernetes_version_min = data.stackit_ske_kubernetes_versions.this.kubernetes_versions.0.version
+
+  maintenance = {
+    enable_kubernetes_version_updates    = true
+    enable_machine_image_version_updates = true
+    start                                = "01:00:00Z"
+    end                                  = "02:00:00Z"
+  }
+
+  node_pools = [
+    {
+      name               = "standard"
+      machine_type       = "g2i.4"
+      minimum            = "3"
+      maximum            = "9"
+      max_surge          = "3"
+      availability_zones = ["eu01-1", "eu01-2", "eu01-3"]
+      os_version_min     = local.flatcar_supported_version
+      os_name            = "flatcar"
+      volume_size        = 150
+      volume_type        = "storage_premium_perf6"
+    },
+  ]
+}

examples/dbaas-otel-collect-metrics/03-observability.tf

@@ -0,0 +1,20 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "stackit_observability_instance" "example" {
+  project_id   = var.stackit_project_id
+  name         = "example-obs"
+  plan_name    = "Observability-Large-EU01"
+  alert_config = null
+}

examples/dbaas-otel-collect-metrics/04-postgres.tf

@@ -0,0 +1,44 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "stackit_postgresflex_instance" "this" {
+  project_id      = var.stackit_project_id
+  name            = "example-instance"
+  backup_schedule = "00 00 * * *"
+  flavor = {
+    cpu = 2
+    ram = 4
+  }
+  replicas = 3
+  storage = {
+    class = "premium-perf2-stackit"
+    size  = 15
+  }
+  version = 15
+  acl     = ["0.0.0.0/0"]
+}
+
+resource "stackit_postgresflex_user" "this" {
+  project_id  = var.stackit_project_id
+  instance_id = stackit_postgresflex_instance.this.instance_id
+  username    = "test"
+  roles       = ["createdb", "login"]
+}
+
+resource "stackit_postgresflex_database" "this" {
+  project_id  = var.stackit_project_id
+  instance_id = stackit_postgresflex_instance.this.instance_id
+  name        = "test"
+  owner       = stackit_postgresflex_user.this.username
+}

examples/dbaas-otel-collect-metrics/04-service-account.tf

@@ -0,0 +1,38 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "stackit_service_account" "this" {
+  name       = "prom-proxy"
+  project_id = var.stackit_project_id
+}
+
+resource "time_rotating" "rotate" {
+  rotation_days = 150
+}
+
+resource "stackit_service_account_key" "this" {
+  project_id            = var.stackit_project_id
+  service_account_email = stackit_service_account.this.email
+  ttl_days              = 180
+
+  rotate_when_changed = {
+    rotation = time_rotating.rotate.id
+  }
+}
+
+resource "stackit_authorization_project_role_assignment" "this" {
+  resource_id = var.stackit_project_id
+  role        = "prometheus-proxy.reader"
+  subject     = stackit_service_account.this.email
+}

examples/dbaas-otel-collect-metrics/05-otel-helm.tf

@@ -0,0 +1,65 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+locals {
+  sa_json = jsondecode(stackit_service_account_key.this.json)
+  otel_helm_values = templatefile("${path.module}/helm-values/otel-collector-values.tftpl", {
+    stackit_project_id             = var.stackit_project_id
+    stackit_region                 = var.stackit_region
+    stackit_postgres_instance_id   = stackit_postgresflex_instance.this.instance_id
+    observability_metrics_endpoint = stackit_observability_instance.example.metrics_push_url
+    secret_name                    = kubernetes_secret.otel_secret.metadata[0].name
+    sa_client_id                   = local.sa_json.credentials.sub
+    sa_issuer                      = local.sa_json.credentials.iss
+    sa_key_id                      = local.sa_json.credentials.kid
+  })
+}
+
+
+resource "stackit_observability_credential" "otel" {
+  project_id  = var.stackit_project_id
+  instance_id = stackit_observability_instance.example.instance_id
+}
+
+resource "kubernetes_namespace" "monitoring" {
+  metadata {
+    name = "monitoring"
+  }
+}
+
+resource "kubernetes_secret" "otel_secret" {
+  metadata {
+    name      = "otel-secrets"
+    namespace = kubernetes_namespace.monitoring.metadata[0].name
+  }
+
+  data = {
+    OBSERVABILITY_AUTHORIZATION_HEADER = "Basic ${base64encode("${stackit_observability_credential.otel.username}:${stackit_observability_credential.otel.password}")}"
+    JSON                               = stackit_service_account_key.this.json
+    PRIVATE_KEY                        = jsondecode(stackit_service_account_key.this.json).credentials.privateKey
+  }
+}
+
+resource "helm_release" "opentelemetry_collector" {
+  name       = "opentelemetry-collector"
+  repository = "https://open-telemetry.github.io/opentelemetry-helm-charts"
+  chart      = "opentelemetry-collector"
+  version    = "0.152.0"
+  namespace  = kubernetes_namespace.monitoring.metadata[0].name
+  timeout    = 30
+
+  values = [
+    local.otel_helm_values
+  ]
+}

examples/dbaas-otel-collect-metrics/MAINTAINERS.md

@@ -0,0 +1,9 @@
+# Maintainers
+
+General maintainers:
+
+- Mauritz Uphoff (Mauritz.Uphoff@digits.schwarz)
+
+This example is actively maintained. The owner is responsible for reviewing and updating dependencies and functionalities on a monthly basis.
+For questions, issues, or feature requests, please email general maintainers.
+Please include the BP name and version in your request. We will track your request as an issue.

examples/dbaas-otel-collect-metrics/README.md

@@ -0,0 +1,39 @@
+# DBaaS OpenTelemetry Metrics Collection
+
+Collect metrics from STACKIT PostgreSQL Flex and MongoDB instances using OpenTelemetry (OTel) and export them to STACKIT Observability.
+
+## Prerequisites
+
+- STACKIT Project ID and Service Account key.
+- Terraform, `kubectl`, and `helm` installed.
+
+## Usage
+
+1. **Configure**: Update `stackit_project_id` and `stackit_service_account_key_path` in `01-variables.tf`.
+2. **Deploy**:
+   ```bash
+   terraform init
+   terraform apply
+   ```
+
+## Scrape Configuration
+
+The OTel Collector scrapes metrics from:
+
+- **PostgreSQL**: `https://postgres-prom-proxy.api.stackit.cloud/v2/...`
+- **MongoDB**: `https://mongodb-prom-proxy.api.stackit.cloud/v2/...`
+
+_Note: MSSQL is not supported._
+
+## Debugging
+
+View live scrape data in the collector logs:
+
+```bash
+kubectl logs -l app.kubernetes.io/name=otel-collector -n monitoring -f
+```
+
+## Documentation
+
+- [PostgreSQL Flex Metrics](https://docs.stackit.cloud/products/databases/postgresql-flex/reference/observability-metrics-in-postgresql-flex/)
+- [MongoDB Flex Metrics](https://docs.stackit.cloud/products/databases/mongodb-flex/reference/observability-metrics/)

examples/dbaas-otel-collect-metrics/helm-values/otel-collector-values.tftpl

@@ -0,0 +1,79 @@
+fullnameOverride: otel-collector
+mode: deployment
+
+podAnnotations:
+  stackit-sa-key-id: "${sa_key_id}"
+
+image:
+  repository: "otel/opentelemetry-collector-contrib"
+
+config:
+  receivers:
+    prometheus:
+      config:
+        scrape_configs:
+          - job_name: stackit-postgres
+            metrics_path: /v2/projects/$${STACKIT_PROJECT_ID}/regions/$${STACKIT_REGION}/instances/$${STACKIT_POSTGRES_INSTANCE_ID}/metrics
+            oauth2:
+              audience: $${SA_TOKEN_REQUEST_AUDIENCE}
+              client_certificate_key_file: /mnt/secrets-store/private-key
+              client_certificate_key_id: $${SA_TOKEN_REQUEST_CLIENT_CERTIFICATE_KEY_ID}
+              client_id: $${SA_TOKEN_REQUEST_CLIENT_ID}
+              grant_type: urn:ietf:params:oauth:grant-type:jwt-bearer
+              iss: $${SA_TOKEN_REQUEST_ISSUER}
+              signature_algorithm: RS512
+              token_url: https://service-account.api.stackit.cloud/token
+            scheme: https
+            scrape_interval: 1m
+            static_configs:
+              - targets:
+                  - postgres-prom-proxy.api.stackit.cloud:443
+  exporters:
+    debug:
+      verbosity: normal
+    prometheusremotewrite:
+      endpoint: $${OBSERVABILITY_METRICS_ENDPOINT}
+      headers:
+        Authorization: $${OBSERVABILITY_AUTHORIZATION_HEADER}
+
+  service:
+    pipelines:
+      metrics:
+        receivers: [prometheus]
+        exporters: [prometheusremotewrite, debug]
+
+extraEnvs:
+  - name: STACKIT_PROJECT_ID
+    value: "${stackit_project_id}"
+  - name: STACKIT_REGION
+    value: "${stackit_region}"
+  - name: STACKIT_POSTGRES_INSTANCE_ID
+    value: "${stackit_postgres_instance_id}"
+  - name: OBSERVABILITY_METRICS_ENDPOINT
+    value: "${observability_metrics_endpoint}"
+  - name: OBSERVABILITY_AUTHORIZATION_HEADER
+    valueFrom:
+      secretKeyRef:
+        name: ${secret_name}
+        key: OBSERVABILITY_AUTHORIZATION_HEADER
+  - name: SA_TOKEN_REQUEST_CLIENT_ID
+    value: "${sa_client_id}"
+  - name: SA_TOKEN_REQUEST_ISSUER
+    value: "${sa_issuer}"
+  - name: SA_TOKEN_REQUEST_CLIENT_CERTIFICATE_KEY_ID
+    value: "${sa_key_id}"
+  - name: SA_TOKEN_REQUEST_AUDIENCE
+    value: "https://service-account.api.stackit.cloud/token"
+
+extraVolumes:
+  - name: otel-secrets
+    secret:
+      secretName: ${secret_name}
+      items:
+        - key: PRIVATE_KEY
+          path: private-key
+
+extraVolumeMounts:
+  - name: otel-secrets
+    mountPath: /mnt/secrets-store
+    readOnly: true

examples/iaas-cross-az-layer4-loadbalancer/.terraform.lock.hcl

@@ -0,0 +1,46 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/random" {
+  version     = "3.8.1"
+  constraints = ">= 3.6.3"
+  hashes = [
+    "h1:Eexl06+6J+s75uD46+WnZtpJZYRVUMB0AiuPBifK6Jc=",
+    "h1:u8AKlWVDTH5r9YLSeswoVEjiY72Rt4/ch7U+61ZDkiQ=",
+    "zh:08dd03b918c7b55713026037c5400c48af5b9f468f483463321bd18e17b907b4",
+    "zh:0eee654a5542dc1d41920bbf2419032d6f0d5625b03bd81339e5b33394a3e0ae",
+    "zh:229665ddf060aa0ed315597908483eee5b818a17d09b6417a0f52fd9405c4f57",
+    "zh:2469d2e48f28076254a2a3fc327f184914566d9e40c5780b8d96ebf7205f8bc0",
+    "zh:37d7eb334d9561f335e748280f5535a384a88675af9a9eac439d4cfd663bcb66",
+    "zh:741101426a2f2c52dee37122f0f4a2f2d6af6d852cb1db634480a86398fa3511",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:a902473f08ef8df62cfe6116bd6c157070a93f66622384300de235a533e9d4a9",
+    "zh:b85c511a23e57a2147355932b3b6dce2a11e856b941165793a0c3d7578d94d05",
+    "zh:c5172226d18eaac95b1daac80172287b69d4ce32750c82ad77fa0768be4ea4b8",
+    "zh:dab4434dba34aad569b0bc243c2d3f3ff86dd7740def373f2a49816bd2ff819b",
+    "zh:f49fd62aa8c5525a5c17abd51e27ca5e213881d58882fd42fec4a545b53c9699",
+  ]
+}
+
+provider "registry.terraform.io/stackitcloud/stackit" {
+  version     = "0.91.0"
+  constraints = ">= 0.87.0"
+  hashes = [
+    "h1:8de9n+Roq6Z2Ltp9poBBBN9a4zSpx73VLpgFS5mTyoI=",
+    "h1:RStdHSDwbtonYfg7mR5Y92v6fxIVX9FEz0UN+tm9kHI=",
+    "zh:0dde99e7b343fa01f8eefc378171fb8621bedb20f59157d6cc8e3d46c738105f",
+    "zh:0ed12db90276ccd2d6f87135b7dd078657823c3ca33121c6a157d0bdf08f801e",
+    "zh:160b32bcf1d01666784cf8469e10e0a38d4c3d24c80c0c5be470cc63ef27ea62",
+    "zh:32e1909037235c24138b74131c6fb12ac99003f79750f1768ca5468cc05da6b0",
+    "zh:4376f1cdafbb35ad5f220e28153741908390b23161d9eae3828f7830039ce8ef",
+    "zh:458b054781ef6165d9136fc3d667f9bf37319e37d0f19300bbb63b703de2599d",
+    "zh:54a1864cf1315a118c043f834e02f2a1ca0ecbc8c2a246460589a95847da6c80",
+    "zh:83424712926ccef3c60cc011dfa298721bdbaee3598a0c8459da46bc6b7424cc",
+    "zh:a3c38ebffdbca21dd177b06acf891bed1a903907ba252d0219d91ff0ecf9d861",
+    "zh:c6325e583b77aa1e9df94e3b4b12479d7bf12c66a2ace71c1b8f64e46ac5c37e",
+    "zh:de6db8deeee895af5670df2449c8b8c34df051277f8a6e2f19c5c9ec1f0ddb12",
+    "zh:e18b05e7d8356caa6103c5c80b5ea373be3ff255b453cf577c68798ffe1b93ce",
+    "zh:f4d9215f7a2888c882892642539b2edd3ea97cb25904e4fa358db4f001c3ccd0",
+    "zh:f94d0c0c2bf843867122ababc8d8066d52257e68bbcb5c62a603f77c581e9668",
+  ]
+}

examples/iaas-cross-az-layer4-loadbalancer/00-provider.tf

@@ -0,0 +1,33 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Define required providers
+terraform {
+  required_version = ">= 0.14.0"
+  required_providers {
+    stackit = {
+      source  = "stackitcloud/stackit"
+      version = ">= 0.87.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.6.3"
+    }
+  }
+}
+
+provider "stackit" {
+  default_region           = var.stackit_region
+  service_account_key_path = var.stackit_service_account_key_path
+}

examples/iaas-cross-az-layer4-loadbalancer/01-variables.tf

@@ -0,0 +1,37 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+variable "stackit_project_id" {
+  type    = string
+  default = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+}
+
+variable "stackit_region" {
+  type    = string
+  default = "eu01"
+}
+
+variable "stackit_service_account_key_path" {
+  type    = string
+  default = "../../keys/stackit-sa.json"
+}
+
+resource "stackit_key_pair" "admin_keypair" {
+  name       = "admin-keypair-12345"
+  public_key = chomp(file("~/.ssh/id_rsa.pub"))
+}
+
+variable "jumphost_flavor" {
+  default = "c2i.1"
+}

examples/iaas-cross-az-layer4-loadbalancer/02-network.tf

@@ -0,0 +1,20 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "stackit_network" "network" {
+  project_id       = var.stackit_project_id
+  name             = "network01"
+  ipv4_nameservers = ["1.1.1.1", "9.9.9.9"]
+  ipv4_prefix      = "172.17.1.0/24"
+}

examples/iaas-cross-az-layer4-loadbalancer/03-machine01.tf

@@ -0,0 +1,27 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module "test-machine01" {
+  source = "../../modules/test-machine"
+
+  project_id        = var.stackit_project_id
+  network_id        = stackit_network.network.network_id
+  availability_zone = "eu01-1"
+
+  name         = "machine01"
+  machine_type = var.jumphost_flavor
+  disk_size    = 48
+
+  user_data = templatefile("${path.module}/apache-debug-user.yaml", {})
+}

examples/iaas-cross-az-layer4-loadbalancer/04-machine02.tf

@@ -0,0 +1,27 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module "test-machine02" {
+  source = "../../modules/test-machine"
+
+  project_id        = var.stackit_project_id
+  network_id        = stackit_network.network.network_id
+  availability_zone = "eu01-2"
+
+  name         = "machine02"
+  machine_type = var.jumphost_flavor
+  disk_size    = 48
+
+  user_data = templatefile("${path.module}/apache-debug-user.yaml", {})
+}

examples/iaas-cross-az-layer4-loadbalancer/05-l4-loadbalancer.tf

@@ -0,0 +1,84 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "stackit_public_ip" "public_ip" {
+  project_id = var.stackit_project_id
+
+  lifecycle {
+    ignore_changes = [network_interface_id]
+  }
+}
+
+resource "stackit_loadbalancer" "this" {
+  project_id                        = var.stackit_project_id
+  name                              = "lb-example-1"
+  disable_security_group_assignment = true
+
+  target_pools = [
+    {
+      name        = "pool-1"
+      target_port = 80
+      targets = [
+        {
+          display_name = "lb-target-1"
+          ip           = module.test-machine01.primary_ip
+        },
+        {
+          display_name = "lb-target-2"
+          ip           = module.test-machine02.primary_ip
+        }
+      ]
+      active_health_check = {
+        healthy_threshold   = 10
+        interval            = "3s"
+        interval_jitter     = "3s"
+        timeout             = "3s"
+        unhealthy_threshold = 10
+      }
+    },
+  ]
+
+  listeners = [
+    {
+      display_name = "listener1"
+      port         = 80
+      protocol     = "PROTOCOL_TCP"
+      target_pool  = "pool-1"
+    },
+  ]
+
+  networks = [
+    {
+      network_id = stackit_network.network.network_id
+      role       = "ROLE_LISTENERS_AND_TARGETS"
+    }
+  ]
+
+  external_address = stackit_public_ip.public_ip.ip
+
+  options = {
+    // for private loadbalancer usage
+    /*private_network_only = false*/
+  }
+}
+
+
+output "lb_external_address" {
+  value = stackit_loadbalancer.this.external_address
+}
+
+/*output "lb_private_ip_address" {
+  // for private loadbalancer usage
+  value = stackit_loadbalancer.lb_example.private_address
+}*/

examples/iaas-cross-az-layer4-loadbalancer/MAINTAINERS.md

@@ -0,0 +1,9 @@
+# Maintainers
+
+General maintainers:
+
+- Mauritz Uphoff (Mauritz.Uphoff@digits.schwarz)
+
+This example is actively maintained. The owner is responsible for reviewing and updating dependencies and functionalities on a monthly basis.
+For questions, issues, or feature requests, please email general maintainers.
+Please include the BP name and version in your request. We will track your request as an issue.

examples/iaas-cross-az-layer4-loadbalancer/README.md

@@ -0,0 +1,5 @@
+# IaaS cross AZ Layer4 Loadbalancer
+
+## Overview
+
+A classic highly-available architecture: provisioning multiple VMs across different Availability Zones (AZs) and putting them behind a STACKIT L4 Load Balancer.

examples/iaas-cross-az-layer4-loadbalancer/apache-debug-user.yaml

@@ -0,0 +1,22 @@
+#cloud-config
+users:
+  - name: debug
+    groups: sudo
+    shell: /bin/bash
+    sudo: ["ALL=(ALL) NOPASSWD:ALL"]
+    lock_passwd: false
+    passwd: "$6$JZBVJ2zsw/o4C1UJ$FskGQWf.nqwj.o9bHbxkSGvSilQcHt03KdPYlgsiE3L77tNqFj0/vnlCXSf.SRb4jR2xsHk/.OlEyT16Txj4J." # hashed version of 'House123!'
+
+chpasswd:
+  expire: false
+
+ssh_pwauth: true
+
+packages:
+  - apache2
+
+runcmd:
+  - systemctl enable apache2
+  - systemctl start apache2
+  - echo "<h1>Hello from STACKIT Instance</h1><p>Hostname $(hostname)</p>" > /var/www/html/index.html
+  - chown www-data:www-data /var/www/html/index.html

examples/iaas-cross-az-layer7-loadbalancer-waf/.terraform-version

@@ -0,0 +1 @@
+v1.14.0

examples/iaas-cross-az-layer7-loadbalancer-waf/.terraform.lock.hcl

@@ -0,0 +1,90 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/random" {
+  version     = "3.8.1"
+  constraints = ">= 3.6.3"
+  hashes = [
+    "h1:Eexl06+6J+s75uD46+WnZtpJZYRVUMB0AiuPBifK6Jc=",
+    "h1:u8AKlWVDTH5r9YLSeswoVEjiY72Rt4/ch7U+61ZDkiQ=",
+    "zh:08dd03b918c7b55713026037c5400c48af5b9f468f483463321bd18e17b907b4",
+    "zh:0eee654a5542dc1d41920bbf2419032d6f0d5625b03bd81339e5b33394a3e0ae",
+    "zh:229665ddf060aa0ed315597908483eee5b818a17d09b6417a0f52fd9405c4f57",
+    "zh:2469d2e48f28076254a2a3fc327f184914566d9e40c5780b8d96ebf7205f8bc0",
+    "zh:37d7eb334d9561f335e748280f5535a384a88675af9a9eac439d4cfd663bcb66",
+    "zh:741101426a2f2c52dee37122f0f4a2f2d6af6d852cb1db634480a86398fa3511",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:a902473f08ef8df62cfe6116bd6c157070a93f66622384300de235a533e9d4a9",
+    "zh:b85c511a23e57a2147355932b3b6dce2a11e856b941165793a0c3d7578d94d05",
+    "zh:c5172226d18eaac95b1daac80172287b69d4ce32750c82ad77fa0768be4ea4b8",
+    "zh:dab4434dba34aad569b0bc243c2d3f3ff86dd7740def373f2a49816bd2ff819b",
+    "zh:f49fd62aa8c5525a5c17abd51e27ca5e213881d58882fd42fec4a545b53c9699",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/tls" {
+  version = "4.2.1"
+  hashes = [
+    "h1:F5d6bQY8UlBo0D71Sv7CsV+3aZOFz0yeNF+vufog7h4=",
+    "h1:akFNuHwvrtnYMBofieoeXhPJDhYZzJVu/Q/BgZK2fgg=",
+    "zh:0d1e7d07ac973b97fa228f46596c800de830820506ee145626f079dd6bbf8d8a",
+    "zh:5c7e3d4348cb4861ab812973ef493814a4b224bdd3e9d534a7c8a7c992382b86",
+    "zh:7c6d4a86cd7a4e9c1025c6b3a3a6a45dea202af85d870cddbab455fb1bd568ad",
+    "zh:7d0864755ba093664c4b2c07c045d3f5e3d7c799dda1a3ef33d17ed1ac563191",
+    "zh:83734f57950ab67c0d6a87babdb3f13c908cbe0a48949333f489698532e1391b",
+    "zh:951e3c285218ebca0cf20eaa4265020b4ef042fea9c6ade115ad1558cfe459e5",
+    "zh:b9543955b4297e1d93b85900854891c0e645d936d8285a190030475379c5c635",
+    "zh:bb1bd9e86c003d08c30c1b00d44118ed5bbbf6b1d2d6f7eaac4fa5c6ebea5933",
+    "zh:c9477bfe00653629cd77ddac3968475f7ad93ac3ca8bc45b56d1d9efb25e4a6e",
+    "zh:d4cfda8687f736d0cba664c22ec49dae1188289e214ef57f5afe6a7217854fed",
+    "zh:dc77ee066cf96532a48f0578c35b1eaf6dc4d8ddd0e3ae8e029a3b10676dd5d3",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+  ]
+}
+
+provider "registry.terraform.io/mastercard/restapi" {
+  version     = "3.0.0"
+  constraints = ">= 3.0.0"
+  hashes = [
+    "h1:Fqxoc6bsydl6iWGx6ZvyqUDdGt7Cb4sW/BSHhBeHGgw=",
+    "h1:y1I3azDHOqRySTyDHsb3Xh1waP/99KfykZRagbRx1qI=",
+    "zh:0b63bd3c25a31f090a41933f90b7dd6e984add1c4261d8f5caa73f4d5aa065a4",
+    "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7",
+    "zh:2d31f322454d271eb328c2d3b3d41f426df98503982788be347799ddf68bf9bf",
+    "zh:47dd97e3f43bb89ae4254bba90ffbc6d521338554a1f94961e21214dd801b81b",
+    "zh:49636b072b9a30d15916468857bce91d39bc87bbba1c99fb3894fafa9409b8b4",
+    "zh:5566605a8e16478bc66c1fec8dea0890586c084221161dc82b73d162d44c08a7",
+    "zh:5859e0ad05aa6b3b108f0b718986e237a18d5176efea62d1ac1ef352561b4713",
+    "zh:76129b89e2b56d8d2af8f6e10cc748bea4ee6ec1105e916f1254cd124f4dcf9c",
+    "zh:bfc20b5fd03cb3243917e8cf360e5208284e757ab82f83c992da471ef16a0eab",
+    "zh:d1d2363009253cdfe5795a48b6412bff11104fe6a52fb0a57e5a95fc765a161e",
+    "zh:d1f0b981089ad709b73c4f989a9cd9118c4e3cb8fc0a2b303aa4d77cc5102a53",
+    "zh:dbfddb2f407481a4e88fdc17739c805d9d9fff2451efcb9226572d59ed2e9128",
+    "zh:df04a8c777d05896684171807b27c41befbf5f217f50b0e9b2b27164d4aacca5",
+    "zh:e68b450c66efe55d1132585477fa71207680806edafb3792ca44d9695d0a1d75",
+    "zh:f894e7e9913347e25e67d5d3bf91659c06877dd5fa11acf75820fa03fa34b8bd",
+  ]
+}
+
+provider "registry.terraform.io/stackitcloud/stackit" {
+  version     = "0.91.0"
+  constraints = ">= 0.87.0"
+  hashes = [
+    "h1:8de9n+Roq6Z2Ltp9poBBBN9a4zSpx73VLpgFS5mTyoI=",
+    "h1:RStdHSDwbtonYfg7mR5Y92v6fxIVX9FEz0UN+tm9kHI=",
+    "zh:0dde99e7b343fa01f8eefc378171fb8621bedb20f59157d6cc8e3d46c738105f",
+    "zh:0ed12db90276ccd2d6f87135b7dd078657823c3ca33121c6a157d0bdf08f801e",
+    "zh:160b32bcf1d01666784cf8469e10e0a38d4c3d24c80c0c5be470cc63ef27ea62",
+    "zh:32e1909037235c24138b74131c6fb12ac99003f79750f1768ca5468cc05da6b0",
+    "zh:4376f1cdafbb35ad5f220e28153741908390b23161d9eae3828f7830039ce8ef",
+    "zh:458b054781ef6165d9136fc3d667f9bf37319e37d0f19300bbb63b703de2599d",
+    "zh:54a1864cf1315a118c043f834e02f2a1ca0ecbc8c2a246460589a95847da6c80",
+    "zh:83424712926ccef3c60cc011dfa298721bdbaee3598a0c8459da46bc6b7424cc",
+    "zh:a3c38ebffdbca21dd177b06acf891bed1a903907ba252d0219d91ff0ecf9d861",
+    "zh:c6325e583b77aa1e9df94e3b4b12479d7bf12c66a2ace71c1b8f64e46ac5c37e",
+    "zh:de6db8deeee895af5670df2449c8b8c34df051277f8a6e2f19c5c9ec1f0ddb12",
+    "zh:e18b05e7d8356caa6103c5c80b5ea373be3ff255b453cf577c68798ffe1b93ce",
+    "zh:f4d9215f7a2888c882892642539b2edd3ea97cb25904e4fa358db4f001c3ccd0",
+    "zh:f94d0c0c2bf843867122ababc8d8066d52257e68bbcb5c62a603f77c581e9668",
+  ]
+}

examples/iaas-cross-az-layer7-loadbalancer-waf/00-provider.tf

@@ -0,0 +1,48 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Define required providers
+terraform {
+  required_version = ">= 0.14.0"
+  required_providers {
+    stackit = {
+      source  = "stackitcloud/stackit"
+      version = ">= 0.87.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.6.3"
+    }
+    restapi = {
+      source  = "Mastercard/restapi"
+      version = ">= 3.0.0"
+    }
+  }
+}
+
+ephemeral "stackit_access_token" "alb" {}
+
+provider "restapi" {
+  uri          = "https://alb-waf.api.stackit.cloud"
+  bearer_token = ephemeral.stackit_access_token.alb.access_token
+
+  id_attribute         = "name"
+  write_returns_object = true
+}
+
+provider "stackit" {
+  default_region           = var.stackit_region
+  service_account_key_path = var.stackit_service_account_key_path
+  enable_beta_resources    = true
+}

examples/iaas-cross-az-layer7-loadbalancer-waf/01-variables.tf

@@ -0,0 +1,37 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+variable "stackit_project_id" {
+  type    = string
+  default = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+}
+
+variable "stackit_region" {
+  type    = string
+  default = "eu01"
+}
+
+variable "stackit_service_account_key_path" {
+  type    = string
+  default = "../../keys/stackit-sa.json"
+}
+
+resource "stackit_key_pair" "admin_keypair" {
+  name       = "admin-keypair-12345"
+  public_key = chomp(file("~/.ssh/id_rsa.pub"))
+}
+
+variable "jumphost_flavor" {
+  default = "c2i.1"
+}

examples/iaas-cross-az-layer7-loadbalancer-waf/02-network.tf

@@ -0,0 +1,20 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "stackit_network" "network" {
+  project_id       = var.stackit_project_id
+  name             = "network01"
+  ipv4_nameservers = ["1.1.1.1", "9.9.9.9"]
+  ipv4_prefix      = "172.17.1.0/24"
+}

examples/iaas-cross-az-layer7-loadbalancer-waf/03-machine01.tf

@@ -0,0 +1,28 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module "test-machine01" {
+  source = "../../modules/test-machine"
+
+  project_id        = var.stackit_project_id
+  network_id        = stackit_network.network.network_id
+  availability_zone = "eu01-1"
+  security_enabled  = true
+
+  name         = "machine01"
+  machine_type = var.jumphost_flavor
+  disk_size    = 48
+
+  user_data = templatefile("${path.module}/apache-debug-user.yaml", {})
+}

examples/iaas-cross-az-layer7-loadbalancer-waf/04-machine02.tf

@@ -0,0 +1,28 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module "test-machine02" {
+  source = "../../modules/test-machine"
+
+  project_id        = var.stackit_project_id
+  network_id        = stackit_network.network.network_id
+  availability_zone = "eu01-2"
+  security_enabled  = true
+
+  name         = "machine02"
+  machine_type = var.jumphost_flavor
+  disk_size    = 48
+
+  user_data = templatefile("${path.module}/apache-debug-user.yaml", {})
+}

examples/iaas-cross-az-layer7-loadbalancer-waf/05-l7-loadbalancer.tf

@@ -0,0 +1,117 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "tls_private_key" "example" {
+  algorithm = "RSA"
+  rsa_bits  = 2048
+}
+
+resource "tls_self_signed_cert" "example" {
+  private_key_pem = tls_private_key.example.private_key_pem
+
+  subject {
+    common_name  = "localhost"
+    organization = "STACKIT Test"
+  }
+
+  validity_period_hours = 12
+
+  allowed_uses = [
+    "key_encipherment",
+    "digital_signature",
+    "server_auth",
+  ]
+}
+
+resource "stackit_public_ip" "public_ip" {
+  project_id = var.stackit_project_id
+
+  lifecycle {
+    ignore_changes = [network_interface_id]
+  }
+}
+
+resource "stackit_alb_certificate" "this" {
+  project_id  = var.stackit_project_id
+  name        = "example-certificate"
+  private_key = tls_private_key.example.private_key_pem
+  public_key  = tls_self_signed_cert.example.cert_pem
+}
+
+resource "stackit_application_load_balancer" "this" {
+  project_id       = var.stackit_project_id
+  region           = var.stackit_region
+  name             = "example-load-balancer"
+  plan_id          = "p10"
+  external_address = stackit_public_ip.public_ip.ip
+
+  listeners = [
+    {
+      name = "listener01"
+      port = 443
+      http = {
+        hosts = [{
+          host = "*"
+          rules = [{
+            target_pool = "target-pool-01"
+            /*path = {
+              prefix = "/path"
+            }*/
+          }]
+        }]
+      }
+      https = {
+        certificate_config = {
+          certificate_ids = [
+            stackit_alb_certificate.this.cert_id
+          ]
+        }
+      }
+      waf_config_name = restapi_object.waf.api_data.name
+      protocol        = "PROTOCOL_HTTPS"
+    }
+  ]
+  networks = [
+    {
+      network_id = stackit_network.network.network_id
+      role       = "ROLE_LISTENERS_AND_TARGETS"
+    }
+  ]
+  target_pools = [
+    {
+      name        = "target-pool-01"
+      target_port = 80
+      targets = [
+        {
+          display_name = "server01"
+          ip           = module.test-machine01.primary_ip
+        },
+        {
+          display_name = "server02"
+          ip           = module.test-machine02.primary_ip
+        }
+      ]
+    }
+  ]
+}
+
+
+output "alb_external_address" {
+  value = stackit_application_load_balancer.this.external_address
+}
+
+/*output "alb_private_ip_address" {
+  // for private alb loadbalancer usage
+  value = stackit_application_load_balancer.this.private_address
+}*/

examples/iaas-cross-az-layer7-loadbalancer-waf/06-waf.tf

@@ -0,0 +1,46 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "restapi_object" "waf_crs" {
+  path = "/v1alpha/projects/${var.stackit_project_id}/regions/${var.stackit_region}/core-rule-sets"
+  data = jsonencode({
+    name   = "example-crs"
+    active = true
+  })
+
+  ignore_server_additions = true
+}
+
+resource "restapi_object" "waf_rules" {
+  path = "/v1alpha/projects/${var.stackit_project_id}/regions/${var.stackit_region}/rules"
+  data = jsonencode({
+    name  = "example-rules"
+    rules = file("${path.module}/example-waf.conf")
+  })
+
+  ignore_server_additions = true
+  depends_on              = [restapi_object.waf_crs]
+}
+
+resource "restapi_object" "waf" {
+  path = "/v1alpha/projects/${var.stackit_project_id}/regions/${var.stackit_region}/wafs"
+  data = jsonencode({
+    name            = "example-waf"
+    coreRuleSetName = restapi_object.waf_crs.api_data.name
+    rulesConfigName = restapi_object.waf_rules.api_data.name
+  })
+
+  ignore_server_additions = true
+  depends_on              = [restapi_object.waf_rules]
+}

examples/iaas-cross-az-layer7-loadbalancer-waf/MAINTAINERS.md

@@ -0,0 +1,9 @@
+# Maintainers
+
+General maintainers:
+
+- Mauritz Uphoff (Mauritz.Uphoff@digits.schwarz)
+
+This example is actively maintained. The owner is responsible for reviewing and updating dependencies and functionalities on a monthly basis.
+For questions, issues, or feature requests, please email general maintainers.
+Please include the BP name and version in your request. We will track your request as an issue.

examples/iaas-cross-az-layer7-loadbalancer-waf/README.md

@@ -0,0 +1,36 @@
+# IaaS cross AZ Layer 7 Loadbalancer
+
+## Overview
+
+A classic highly-available architecture: provisioning multiple VMs across different Availability Zones (AZs) and putting them behind a STACKIT L7 Load Balancer. This example also includes a Web Application Firewall (WAF) configuration to secure the backend workloads against malicious traffic.
+
+## ⚠️ Important Note: [WAF Implementation](06-waf.tf)
+
+Currently, the official STACKIT Terraform provider does not natively support Web Application Firewall (WAF) resources.
+
+To bridge this gap and fully automate the deployment, this example utilizes a `restapi` provider as a workaround. This allows Terraform to interact directly with the STACKIT WAF REST API (`/v1alpha/projects/...`) to create and attach the Core Rule Sets and custom SecLang rules until native support is released.
+
+## Testing the WAF
+
+This deployment includes rules written in SecLang. These rules are specifically designed to safely verify that the WAF is successfully deployed, actively intercepting traffic, and applying your configurations.
+
+Once `terraform apply` completes successfully, extract the public IP of your Load Balancer from the Terraform outputs:
+
+```bash
+# Export the Load Balancer IP to an environment variable
+export ALB_IP=$(terraform output -raw alb_external_address)
+```
+
+Now, use curl to trigger the custom rules. Because the WAF is configured to block these specific signatures, both of the following commands should return an HTTP 403 Forbidden status code.
+
+Test 1: Trigger via Query Parameter
+
+```Bash
+curl -k -I -X GET "https://${ALB_IP}/?waf_test=trigger"
+```
+
+Test 2: Trigger via Custom HTTP Header
+
+```Bash
+curl -k -I -H "X-WAF-Test: trigger" "https://${ALB_IP}/"
+```

examples/iaas-cross-az-layer7-loadbalancer-waf/apache-debug-user.yaml

@@ -0,0 +1,22 @@
+#cloud-config
+users:
+  - name: debug
+    groups: sudo
+    shell: /bin/bash
+    sudo: ["ALL=(ALL) NOPASSWD:ALL"]
+    lock_passwd: false
+    passwd: "$6$JZBVJ2zsw/o4C1UJ$FskGQWf.nqwj.o9bHbxkSGvSilQcHt03KdPYlgsiE3L77tNqFj0/vnlCXSf.SRb4jR2xsHk/.OlEyT16Txj4J." # hashed version of 'House123!'
+
+chpasswd:
+  expire: false
+
+ssh_pwauth: true
+
+packages:
+  - apache2
+
+runcmd:
+  - systemctl enable apache2
+  - systemctl start apache2
+  - echo "<h1>Hello from STACKIT Instance</h1><p>Hostname $(hostname)</p>" > /var/www/html/index.html
+  - chown www-data:www-data /var/www/html/index.html

examples/iaas-cross-az-layer7-loadbalancer-waf/example-waf.conf

@@ -0,0 +1,23 @@
+# ------------------------------------------------------------------------
+# WAF TEST RULES
+# Custom rule IDs should generally start at 1000000 to avoid conflicting
+# with the OWASP Core Rule Set (which uses the 900000 - 999999 range).
+# ------------------------------------------------------------------------
+
+# Test Rule 1: Block based on a specific query parameter (?waf_test=trigger)
+SecRule ARGS:waf_test "@streq trigger" \
+    "id:1000001,\
+    phase:1,\
+    deny,\
+    status:403,\
+    log,\
+    msg:'WAF Test Rule Triggered via Query Parameter'"
+
+# Test Rule 2: Block based on a specific custom header (X-WAF-Test: trigger)
+SecRule REQUEST_HEADERS:X-WAF-Test "@streq trigger" \
+    "id:1000002,\
+    phase:1,\
+    deny,\
+    status:403,\
+    log,\
+    msg:'WAF Test Rule Triggered via Custom Header'"

examples/iaas-ha-vrrp/.terraform.lock.hcl

@@ -5,6 +5,7 @@ provider "registry.terraform.io/hashicorp/random" {
   version     = "3.8.1"
   constraints = ">= 3.6.3"
   hashes = [
+    "h1:Eexl06+6J+s75uD46+WnZtpJZYRVUMB0AiuPBifK6Jc=",
     "h1:u8AKlWVDTH5r9YLSeswoVEjiY72Rt4/ch7U+61ZDkiQ=",
     "zh:08dd03b918c7b55713026037c5400c48af5b9f468f483463321bd18e17b907b4",
     "zh:0eee654a5542dc1d41920bbf2419032d6f0d5625b03bd81339e5b33394a3e0ae",
@@ -25,6 +26,7 @@ provider "registry.terraform.io/stackitcloud/stackit" {
   version     = "0.90.0"
   constraints = ">= 0.87.0"
   hashes = [
+    "h1:QgP6TOtucJ3A6fA51rdUvxhYGjl9RrWvXQZpjHTOuiU=",
     "h1:W29Kv6XUxYssF2Gy8KcmTx3EFstt6k8sKgPRIBbq+qs=",
     "zh:003af58a84884558bbb2fc40fcbefa6774ec20aa9e4b97cf3f950190a600afd2",
     "zh:026ee9cef4670cf33369f8654c6b9b1d8c0e116ceb0b353c882be222951ecdd4",

examples/iaas-ha-vrrp/01-config.tf

@@ -14,7 +14,7 @@
 
 variable "stackit_project_id" {
   type    = string
-  default = "d75e6aab-b616-4b42-ae3b-aaf161ad626d"
+  default = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 }
 
 variable "stackit_region" {

examples/iaas-volume-encryption/.terraform.lock.hcl

@@ -5,6 +5,7 @@ provider "registry.terraform.io/stackitcloud/stackit" {
   version     = "0.80.0"
   constraints = "0.80.0"
   hashes = [
+    "h1:VqmLlSV9sMOX7aq5Bnsj18KNKCUPFahZzf0SA5fTkVk=",
     "h1:wz7uGwzVoo1NO18CDLcfjLraTSiWQ5EzJnDeCKcFi60=",
     "zh:0dde99e7b343fa01f8eefc378171fb8621bedb20f59157d6cc8e3d46c738105f",
     "zh:3a0e6cb125ef76a24b2b5ff9c786c57058f385571d283bd68f633225fcca695a",

examples/iaas-volume-encryption/01-config.tf

@@ -29,5 +29,5 @@ variable "zone" {
 variable "STACKIT_PROJECT_ID" {
   type        = string
   description = "STACKIT Project ID"
-  default     = "16ec118f-90d0-466d-8393-99eea504c536"
+  default     = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 }

examples/iaas-volume-encryption/05-server.tf

@@ -33,7 +33,7 @@ resource "stackit_network_interface" "nic" {
 
 data "stackit_security_group" "default" {
   project_id        = var.STACKIT_PROJECT_ID
-  security_group_id = "a6b4708e-b8ee-48ba-b084-a4892e9a73af"
+  security_group_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 }
 
 data "stackit_network" "default" {

examples/iam-scim-integration/.terraform.lock.hcl

@@ -0,0 +1,146 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/goauthentik/authentik" {
+  version     = "2026.2.0"
+  constraints = "2026.2.0"
+  hashes = [
+    "h1:On3/Zzv3W72aGsJ4AhW/tnpi4hvq9cxwgf7tF6Tg+a4=",
+    "zh:00c44e8ee842e75de9cc4fd6193b10258d1dc840e5be4aaaf118ffc180dceee0",
+    "zh:13057f08bce3b63613e1be3997dd454ff9568c569dd983987b1550280fbe3d01",
+    "zh:410a1ff2ae4647cc0ab37894f81e4d474b588a0a7f005d05d55e8c3a40978dd2",
+    "zh:43830834d12b3c0eeabe397842f82ca3a6b58a5bc8dd837d55b821419b55ed61",
+    "zh:56eaedd196ed7c4003cee0434b891b38242b4fde2031978d0ddcfdf6e16ee5ad",
+    "zh:5b3c10bb63c3c215ed9e0918e5808b240e3f2ee8248d10cd4d824a4998a213c5",
+    "zh:99c14891bcb92a6b21ef4c0e60f6c0df23e3452808f3eefd67cde78d132c80d9",
+    "zh:9a32cdda9f939f8484e27d4200d004c44f016fe97579a111201083f4beea78e8",
+    "zh:ae5086816144f68de9a0002e7696321169a71473f9d161793f4ae996388f56de",
+    "zh:bd09409dd34608a4ef3ea80cfc5e397268e7872f2e84c1ccdc9b5698e36ddad5",
+    "zh:be7af8b9eb61b0eb5053f14360e5a68caeb32c115efe8e1b583f2e7c91352a2a",
+    "zh:e11726812a1b2caf6b6784a3d074d1f50e3d406e9629c02096a001e5a5979331",
+    "zh:e39183d10d8158ccab51208f4f727c7419b1b1e596f4feb23dc42aebb36d01e3",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/helm" {
+  version = "3.1.1"
+  hashes = [
+    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
+    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
+    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
+    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
+    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
+    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
+    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
+    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
+    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
+    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
+    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
+    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/kubernetes" {
+  version     = "3.1.0"
+  constraints = "> 2.14.0"
+  hashes = [
+    "h1:G9QqKNpcztBRqrywtlNylFJSpGzDfRFtO8hcWLdkvRY=",
+    "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0",
+    "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20",
+    "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c",
+    "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65",
+    "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0",
+    "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a",
+    "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1",
+    "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98",
+    "zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1",
+    "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/local" {
+  version = "2.9.0"
+  hashes = [
+    "h1:m24fjcInWvTVZ1XSo2MaNuKPe+X/gfG8SIi09rA7a7M=",
+    "zh:0baa4566cf77f1ff52f4293d1c8536202dd23edc197c3196413a28343c3ac3a0",
+    "zh:16b5559c3c07088ddad11a9bb9e9c0799999363c2958e9a5be2bcbbf2cd9ca64",
+    "zh:197c79015a10d1cce904a8ea722cbc750c42aeae2da53f44a6a0751d9fd1aa90",
+    "zh:29d0b03e5343a80677ebfeb2e2c31cbe4b1f65e736e53417454a4277fec2544c",
+    "zh:4896bfa6cf1d2fd562b47ef2e87f47862ae92a04f8ad5d764380f0c6653473b8",
+    "zh:531f8529cbca49f681883e57761a05a8398afaef6d1ab0d205d26bf12f4428e8",
+    "zh:6aaf5011d83161c86d2bfb80c0923ec934e578288758da2f37acb7aec129004b",
+    "zh:7430275253d3d3c40aa6179e0ec0d63212874dbbc06c5a51b9d07ec590f9756c",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:be17dc611e95e26cdf6cad79dfccf1064f0e32032a2efeb939a9bbe7fb1cbfe9",
+    "zh:f0e3b0aa644202e1d79d2000dca91f6019425da71e9800fa23f27e51c034f195",
+    "zh:f62bae4519e4ead49182ddc8afe8cf61e2a4c3ba3973b0fbba967736a2696aa3",
+    "zh:fcafa360a5b0b96244f26f4e3a6d642b716a376557142c2442ff2fb12d11da18",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/random" {
+  version     = "3.9.0"
+  constraints = "3.9.0"
+  hashes = [
+    "h1:OO+IuvQJSPmWdN8AyyIEvPJbLvDQpgX/zbktoa9KsJE=",
+    "zh:161ad0bd9a75768c82f53fb6e7172a9d8be2d4889b012645a34795031aaf1bf1",
+    "zh:19dc9a5b17729725ccfc4f45b0500af0ee5bc6b6b160c7adb8f2bf617d2c80ea",
+    "zh:269eda8fe42daa7974d5a34d166c3ba9defe80cde86c01e4dadcfdf2e1f05e5f",
+    "zh:373f7c65566f8f2cc7f45d698654feb9d988996957e1266a69ca00c52d6d16d0",
+    "zh:5599d16804c41c83009ec621b6d6b6f74e102f5827678a4750f8809055546b61",
+    "zh:583be0440469a22bff70dcfa56593b01566860b29607437264adb51060cf46fc",
+    "zh:5f211d8ec3f2e1f414870d9584bfe26e6995560ef81c748f8447a48164767398",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:7b547fd16216761ef86efc3ed516ac5ac0c5c42b7c7eb24a08cef2d93f69ed5e",
+    "zh:7e7c0679daf2a382151d05068c8c3f0dae6b7b7dccf818827b73dd08638df2ef",
+    "zh:8089dec888a8038b9b4fb23b3df7e1057293dbc5b60b42cc47ff690d69d4b61b",
+    "zh:c51f15a031edfd6f23ce8ced3446ca7f8d8d647e2499890d7d5d10d5016d7257",
+    "zh:c94784f005708890dc6895afd53636ec00ec1e430b15d41e5aebfb1d4b39bd04",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/time" {
+  version     = "0.14.0"
+  constraints = ">= 0.9.1"
+  hashes = [
+    "h1:/hlxsUpuN/lvPTNL9+NyVGsOyRsK5NsxwFMsj5CdOp4=",
+    "zh:12abfd6b800e4d7fa6db7310dec8ffd440b31993861ef188c7ed5260b3073937",
+    "zh:23005521e800bb19e1597bf755c5f70d675d30b685d4255001ed5fa47d9df3f1",
+    "zh:2fea249b582ae97cd1cc10385187ea50993bb47c28cc5df0305e57ceaabf0a10",
+    "zh:322018d3b987b7aad08697178029a2bb667bed699e88328f0c89c52a2fd41341",
+    "zh:32a08e98fce2d273cb9b2c89d6c54727cc9f0a32e15bfd896be4e02cc6b48f95",
+    "zh:3db89aabd0e619616bd4b0f8b373a7586dfe60feffcea12a84a0bdbc445714b3",
+    "zh:7488f56c81d742dc020f29063626c8f07ca188aa97be61e7307e8d62397020a2",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:7cb4067f2e7559b13f7562ef722f948950901eb37834873e98360ab28f66e9d7",
+    "zh:9d552c8345f61e1b7db8e725144981345f18ac1014d58d6f5ddf0928a195fffb",
+    "zh:a8e69fb6b97fc9d86fb19a9f4d42abe33c4a68e700b15387ce2e17d2b9934bed",
+    "zh:aeeb900eb8dd0f790c60ea5c0e0c8d42bd6e4a54f391681d4decca15b544394b",
+    "zh:c239c619101a8c95e1f14061eb973c57a8d15fa0e68878ced5bbd76858ee5b79",
+  ]
+}
+
+provider "registry.terraform.io/stackitcloud/stackit" {
+  version     = "0.96.0"
+  constraints = ">= 0.87.0, >= 0.95.0"
+  hashes = [
+    "h1:NgwbVCV5pfBVMO3xUMop4l5AzvVv3BuBzXpJjgoZfSU=",
+    "zh:04d309851424a53d3d014dde3b143fc1cdc19fbebf558eb4b927878103f78fb0",
+    "zh:0dde99e7b343fa01f8eefc378171fb8621bedb20f59157d6cc8e3d46c738105f",
+    "zh:0ebcdf98a47f301e12925803198320d637552ef57abc49e2a48a009f1ddbf39a",
+    "zh:176238c057193c9c60c365b83463e758892186fcc2bd14bc9bbf69bf471f1d6b",
+    "zh:1c514ec6d09ee210ebb813d49b7d3a71b5b9d0b173c743bce9ab937b1e3d303a",
+    "zh:20433d0dc7e4aa2a806863fc289a2cecb19763624f199babfbe44f22d4d9150f",
+    "zh:452ceacbe4a1f70c81320b9223f4958c9bc122508c79e86bc97cb9241682c053",
+    "zh:5f893229f41f8dc2169b5b02785fb2988e8cad2141722a411711182bafefa015",
+    "zh:69383e27067a6413300d3acbcdad8f890bd187e16630580c09900ba379659284",
+    "zh:694de24bd05027c3c8b7a7c477973f76cd5a11d7fd38819026b5a0e588698fd9",
+    "zh:7c7399e3223dd76efb56ca2e3c9435b41bcbaf549839cec36023f801ca5bdcd2",
+    "zh:8a92b221694c59648d22e2e2a0059015872eff7034ae0ba9eb801fe399644a2c",
+    "zh:90a8ae716c9bc6c8804a38f7a903c7af7114ce324d0126c64e1447b6d255cdba",
+    "zh:d29eb17fde9460c5ce3c7a7975eef0ad7fea692eb17fad5e0421952e4d29dbd2",
+  ]
+}

examples/iam-scim-integration/010-provider.tf

@@ -0,0 +1,66 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+terraform {
+  required_providers {
+    stackit = {
+      source  = "stackitcloud/stackit"
+      version = ">=0.95.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">2.14.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.0.0"
+    }
+    authentik = {
+      source  = "goauthentik/authentik"
+      version = "2026.2.0"
+    }
+    time = {
+      source  = "hashicorp/time"
+      version = ">= 0.9.1"
+    }
+  }
+}
+
+provider "authentik" {
+  url   = "https://${stackit_dns_record_set.authentik.name}.${stackit_dns_zone.this.dns_name}"
+  token = random_password.authentik_bootstrap_token.result
+}
+
+provider "stackit" {
+  default_region           = var.stackit_region
+  service_account_key_path = var.stackit_service_account_key_path
+  enable_beta_resources    = true
+}
+
+
+provider "kubernetes" {
+  host                   = yamldecode(module.ske.kubeconfig).clusters.0.cluster.server
+  client_certificate     = base64decode(yamldecode(module.ske.kubeconfig).users.0.user.client-certificate-data)
+  client_key             = base64decode(yamldecode(module.ske.kubeconfig).users.0.user.client-key-data)
+  cluster_ca_certificate = base64decode(yamldecode(module.ske.kubeconfig).clusters.0.cluster.certificate-authority-data)
+}
+
+provider "helm" {
+  kubernetes = {
+    host                   = yamldecode(module.ske.kubeconfig).clusters.0.cluster.server
+    client_certificate     = base64decode(yamldecode(module.ske.kubeconfig).users.0.user.client-certificate-data)
+    client_key             = base64decode(yamldecode(module.ske.kubeconfig).users.0.user.client-key-data)
+    cluster_ca_certificate = base64decode(yamldecode(module.ske.kubeconfig).clusters.0.cluster.certificate-authority-data)
+  }
+}

examples/iam-scim-integration/020-variables.tf

@@ -0,0 +1,47 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+variable "stackit_project_id" {
+  type = string
+}
+
+variable "stackit_region" {
+  type    = string
+  default = "eu01"
+}
+
+variable "stackit_service_account_key_path" {
+  type = string
+}
+
+variable "acme_email" {
+  description = "The email address used for ACME registration."
+  type        = string
+}
+
+variable "authentik_scim_long_lived_token" {
+  description = "The SCIM synchronization token provided by the IDP team. This configuration uses a long-lived static token due to Authentik Community Edition limitations. For production environments, dynamically generated, short-lived tokens are highly recommended."
+  type        = string
+}
+
+variable "authentik_number_of_users" {
+  description = "The number of test users to generate"
+  type        = number
+}
+
+variable "authentik_default_user_password" {
+  description = "The default password assigned to all created test users"
+  type        = string
+  sensitive   = true
+}

examples/iam-scim-integration/030-ske-cluster.tf

@@ -0,0 +1,37 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module "ske" {
+  source       = "../../modules/test-ske"
+  project_id   = var.stackit_project_id
+  cluster_name = "ske-test"
+}
+
+resource "kubernetes_namespace_v1" "cert_manager" {
+  metadata {
+    name = "cert-manager"
+  }
+}
+
+resource "kubernetes_namespace_v1" "authentik" {
+  metadata {
+    name = "authentik"
+  }
+}
+
+resource "kubernetes_namespace_v1" "nginx" {
+  metadata {
+    name = "nginx"
+  }
+}

examples/iam-scim-integration/040-dns.tf

@@ -0,0 +1,46 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "stackit_public_ip" "ingress_floating_ip" {
+  project_id = var.stackit_project_id
+
+  lifecycle {
+    ignore_changes = [network_interface_id]
+  }
+}
+
+resource "random_string" "this" {
+  length  = 6
+  special = false
+  upper   = false
+}
+
+resource "stackit_dns_zone" "this" {
+  project_id    = var.stackit_project_id
+  name          = random_string.this.result
+  dns_name      = "${random_string.this.result}.runs.onstackit.cloud"
+  type          = "primary"
+  default_ttl   = 60
+  contact_email = "hostmaster@stackit.cloud"
+}
+
+resource "stackit_dns_record_set" "authentik" {
+  project_id = var.stackit_project_id
+  zone_id    = stackit_dns_zone.this.zone_id
+  name       = "authentik"
+  type       = "A"
+  ttl        = 60
+  comment    = "a record"
+  records    = [stackit_public_ip.ingress_floating_ip.ip]
+}

examples/iam-scim-integration/050-cert-manager.tf

@@ -0,0 +1,62 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "helm_release" "cert_manager" {
+  name       = "cert-manager"
+  repository = "https://charts.jetstack.io"
+  chart      = "cert-manager"
+  version    = "v1.15.1"
+
+  timeout         = 120
+  cleanup_on_fail = true
+  force_update    = false
+  namespace       = kubernetes_namespace_v1.cert_manager.metadata.0.name
+
+  set = [
+    {
+      name  = "crds.enabled"
+      value = "true"
+    }
+  ]
+}
+
+resource "kubernetes_manifest" "cluster_issuer" {
+  manifest = {
+    apiVersion = "cert-manager.io/v1"
+    kind       = "ClusterIssuer"
+    metadata = {
+      name = "letsencrypt-prod-cluster"
+    }
+    spec = {
+      acme = {
+        email  = var.acme_email
+        server = "https://acme-v02.api.letsencrypt.org/directory"
+        privateKeySecretRef = {
+          name = "letsencrypt-prod-cluster"
+        }
+        solvers = [
+          {
+            http01 = {
+              ingress = {
+                class = "nginx"
+              }
+            }
+          }
+        ]
+      }
+    }
+  }
+
+  depends_on = [helm_release.cert_manager]
+}

examples/iam-scim-integration/060-nginx-ingress.tf

@@ -0,0 +1,36 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "helm_release" "nginx_ingress" {
+  name       = "nginx-ingress"
+  repository = "https://kubernetes.github.io/ingress-nginx"
+  chart      = "ingress-nginx"
+  version    = "4.2.3"
+
+  namespace = kubernetes_namespace_v1.nginx.metadata.0.name
+
+  values = [
+    <<EOF
+controller:
+  replicaCount: 1
+  service:
+    type: LoadBalancer
+    annotations:
+      lb.stackit.cloud/ip-mode-proxy: "true"
+      lb.stackit.cloud/external-address: ${stackit_public_ip.ingress_floating_ip.ip}
+EOF
+  ]
+
+  timeout = 600
+}

examples/iam-scim-integration/070-authentik-chart.tf

@@ -0,0 +1,98 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "random_password" "authentik_secret_key" {
+  length  = 50
+  special = true
+}
+
+resource "random_password" "authentik_bootstrap_password" {
+  length  = 24
+  special = true
+}
+
+resource "random_password" "authentik_bootstrap_token" {
+  length  = 40
+  special = false
+}
+
+resource "random_password" "postgresql_password" {
+  length  = 24
+  special = false
+}
+
+locals {
+  authentik_values = {
+    authentik = {
+      secret_key         = random_password.authentik_secret_key.result
+      bootstrap_password = random_password.authentik_bootstrap_password.result
+      bootstrap_token    = random_password.authentik_bootstrap_token.result
+      postgresql = {
+        user     = "authentik"
+        name     = "authentik"
+        password = random_password.postgresql_password.result
+      }
+    }
+    postgresql = {
+      enabled = true
+      auth = {
+        username = "authentik"
+        database = "authentik"
+        password = random_password.postgresql_password.result
+      }
+    }
+    server = {
+      ingress = {
+        enabled          = true
+        ingressClassName = "nginx"
+        annotations = {
+          "cert-manager.io/cluster-issuer" = "letsencrypt-prod-cluster"
+        }
+        hosts = [
+          "${stackit_dns_record_set.authentik.name}.${stackit_dns_zone.this.dns_name}"
+        ]
+        paths = ["/"]
+        tls = [
+          {
+            secretName = "authentik-tls"
+            hosts = [
+              "${stackit_dns_record_set.authentik.name}.${stackit_dns_zone.this.dns_name}"
+            ]
+          }
+        ]
+      }
+    }
+  }
+}
+
+resource "helm_release" "authentik" {
+  name       = "authentik"
+  repository = "https://charts.goauthentik.io"
+  chart      = "authentik"
+  version    = "2026.2.3"
+
+  namespace = kubernetes_namespace_v1.authentik.metadata.0.name
+
+  values = [
+    yamlencode(local.authentik_values)
+  ]
+
+  timeout = 600
+}
+
+resource "time_sleep" "wait_60_seconds" {
+  depends_on = [helm_release.authentik]
+
+  create_duration = "60s"
+}

examples/iam-scim-integration/071-authentik-user-groups.tf

@@ -0,0 +1,47 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "authentik_user" "test_users" {
+  count = var.authentik_number_of_users
+
+  username = "testuser${count.index + 1}"
+  name     = "Test User ${count.index + 1}"
+  email    = "testuser${count.index + 1}@${stackit_dns_zone.this.dns_name}"
+
+  password = var.authentik_default_user_password
+
+  attributes = jsonencode({
+    given_name         = "Test${count.index + 1}"
+    family_name        = "User ${count.index + 1}"
+    preferred_username = "testuser${count.index + 1}"
+  })
+
+  depends_on = [time_sleep.wait_60_seconds]
+}
+
+resource "authentik_group" "stackit_test_user" {
+  name       = "stackit-admins"
+  users      = authentik_user.test_users[*].id
+  depends_on = [time_sleep.wait_60_seconds]
+}
+
+data "authentik_property_mapping_provider_scope" "scopes" {
+  managed_list = [
+    "goauthentik.io/providers/oauth2/scope-openid",
+    "goauthentik.io/providers/oauth2/scope-email",
+    "goauthentik.io/providers/oauth2/scope-profile"
+  ]
+
+  depends_on = [time_sleep.wait_60_seconds]
+}

examples/iam-scim-integration/072-authentik-provider-oauth2.tf

@@ -0,0 +1,82 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "random_password" "authentik_client_secret" {
+  length  = 40
+  special = true
+}
+
+data "authentik_flow" "default_authorization_flow" {
+  slug = "default-provider-authorization-implicit-consent"
+
+  depends_on = [time_sleep.wait_60_seconds]
+}
+
+data "authentik_flow" "default_invalidation_flow" {
+  slug = "default-provider-invalidation-flow"
+
+  depends_on = [time_sleep.wait_60_seconds]
+}
+
+resource "authentik_property_mapping_provider_scope" "stackit_custom_claims" {
+  name       = "stackit-custom-claims"
+  scope_name = "profile" # Attaches this data to the standard 'profile' scope
+  expression = <<EOT
+return {
+    "given_name": request.user.attributes.get("given_name", request.user.name),
+    "family_name": request.user.attributes.get("family_name", request.user.name),
+    "preferred_username": request.user.attributes.get("preferred_username", request.user.username)
+}
+EOT
+}
+
+data "authentik_certificate_key_pair" "this" {
+  name = "authentik Self-signed Certificate"
+}
+
+resource "authentik_provider_oauth2" "stackit" {
+  name          = "stackit"
+  client_id     = "stackit-client"
+  client_secret = random_password.authentik_client_secret.result
+
+  authorization_flow = data.authentik_flow.default_authorization_flow.id
+  invalidation_flow  = data.authentik_flow.default_invalidation_flow.id
+
+  allowed_redirect_uris = [
+    {
+      matching_mode = "strict"
+      url           = "https://accounts.stackit.cloud/ui/login/login/externalidp/callback"
+    },
+    # debugging
+    {
+      matching_mode = "strict"
+      url           = "http://localhost:8080/ui/login/login/externalidp/callback"
+    }
+  ]
+
+  signing_key = data.authentik_certificate_key_pair.this.id
+
+  property_mappings = concat(
+    data.authentik_property_mapping_provider_scope.scopes.ids,
+    [authentik_property_mapping_provider_scope.stackit_custom_claims.id]
+  )
+
+  include_claims_in_id_token = true
+
+  depends_on = [time_sleep.wait_60_seconds]
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}

examples/iam-scim-integration/073-authentik-scim-sync.tf

@@ -0,0 +1,48 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+data "authentik_property_mapping_provider_scim" "scim_user" {
+  managed_list = [
+    "goauthentik.io/providers/scim/user"
+  ]
+}
+
+data "authentik_property_mapping_provider_scim" "scim_group" {
+  managed_list = [
+    "goauthentik.io/providers/scim/group"
+  ]
+}
+
+resource "authentik_provider_scim" "stackit" {
+  name = "stackit-scim"
+  url  = "https://accounts.stackit.cloud/scim/v2/"
+
+  token = var.authentik_scim_long_lived_token
+
+  property_mappings       = data.authentik_property_mapping_provider_scim.scim_user.ids
+  property_mappings_group = data.authentik_property_mapping_provider_scim.scim_group.ids
+
+  exclude_users_service_account = true
+}
+
+resource "authentik_application" "stackit" {
+  name              = "STACKIT"
+  slug              = "stackit"
+  protocol_provider = authentik_provider_oauth2.stackit.id
+
+  # Connects the SCIM provisioning pipeline to this application
+  backchannel_providers = [
+    authentik_provider_scim.stackit.id
+  ]
+}

examples/iam-scim-integration/100-outputs.tf

@@ -0,0 +1,49 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+output "authentik_url" {
+  value = "https://${stackit_dns_record_set.authentik.name}.${stackit_dns_zone.this.dns_name}"
+}
+
+output "authentik_oidc_issuer" {
+  description = "Issuer identifier URL for your OIDC provider"
+  value       = "https://${stackit_dns_record_set.authentik.name}.${stackit_dns_zone.this.dns_name}/application/o/stackit/"
+}
+
+output "authentik_oidc_client_id" {
+  description = "ID assigned to our application"
+  value       = authentik_provider_oauth2.stackit.client_id
+}
+
+output "authentik_oidc_client_secret" {
+  description = "Secret key associated with the Client ID"
+  value       = random_password.authentik_client_secret.result
+  sensitive   = true
+}
+
+output "stackit_ticket_scopes" {
+  description = "Required permissions to include in the STACKIT Support Ticket"
+  value       = "openid email profile"
+}
+
+output "stackit_ticket_claims_mapping" {
+  description = "Standard Authentik claims mapping to copy into the STACKIT Support Ticket"
+  value = {
+    unique_user_id = "sub"
+    email_address  = "email"
+    preferred_name = "preferred_username" # Or "name"
+    first_name     = "given_name"
+    last_name      = "family_name"
+  }
+}

examples/iam-scim-integration/MAINTAINERS.md

@@ -0,0 +1,9 @@
+# Maintainers
+
+General maintainers:
+
+- Mauritz Uphoff (mauritz.uphoff@digits.schwarz)
+
+This example is actively maintained. The owner is responsible for reviewing and updating dependencies and functionalities on a monthly basis.
+For questions, issues, or feature requests, please email general maintainers.
+Please include the BP name and version in your request. We will track your request as an issue.

examples/iam-scim-integration/README.md

@@ -0,0 +1,104 @@
+# STACKIT IAM-SCIM Integration with Authentik
+
+This repository provides an automated setup for **Authentik** on STACKIT SKE, pre-configured as an Identity Provider (IdP) for STACKIT with both **OIDC** and **SCIM** support.
+
+## Integration Details
+
+### OAuth2 / OIDC
+
+Authentik acts as the OIDC issuer. The provider is configured with the following:
+
+- **Client ID**: `stackit-client`
+- **Scopes**: `openid`, `email`, `profile`
+- **Custom Claims**: Maps `given_name`, `family_name`, and `preferred_username` from Authentik user attributes.
+
+### SCIM Provisioning
+
+Automated user and group synchronization to STACKIT:
+
+- **Endpoint**: `https://accounts.stackit.cloud/scim/v2/`
+- **Authentication**: Uses a long-lived token (required for Authentik Community Edition).
+- **Mapping**: Synchronizes both Users and Groups (e.g., `stackit-admins`).
+
+---
+
+## ⚠️ STACKIT Integration Process
+
+**Self-service provisioning for configuring external Identity Providers is currently a Work In Progress.** Until this is released, you must request the integration by opening a STACKIT support ticket.
+
+### What to supply in your ticket:
+
+Please open a support ticket with STACKIT containing the following details:
+
+**General Information**
+
+- **Federation type:** OpenID Connect (OIDC)
+- **Reason for integration:** Brief explanation (e.g., "Enable SSO and SCIM for enterprise users via Authentik")
+- **Email domains:** All email domains your employees use for login (e.g., `@example.com` and `@foobar.com`)
+
+**OIDC-Specific Information**
+
+- **Issuer:** The Issuer identifier URL for your Authentik instance (e.g., `https://authentik.example.com/`)
+- **Client ID:** The ID assigned to the application (`stackit-client`)
+- **Client Secret:** The secret key associated with your Client ID _(Note: Provide this securely!)_
+- **Scopes:** `openid`, `profile`, `email`
+- **Display name:** Internal name for this federation (e.g., `my_company_authentik`)
+- **Claims mapping:** \* Unique user ID -> `sub`
+  - Email address -> `email`
+  - Preferred name -> `preferred_username`
+  - First name -> `given_name`
+  - Last name -> `family_name`
+
+### What you will receive in return:
+
+Once STACKIT support processes your ticket, they will configure the trust relationship on their end. You will receive:
+
+1. **Confirmation of Federation:** Your Authentik instance will officially be trusted by the STACKIT login portal.
+2. **SCIM Credentials:** You will be provided with the required OAuth credentials to generate the necessary Bearer tokens so Authentik can communicate with the STACKIT SCIM API.
+
+---
+
+## Testing the SCIM Integration
+
+### Scenario 1: User Sync
+
+1. **Create a User**: In the Authentik UI (_Directory -> Users_), create a new test user.
+2. **Assign to Application**: Ensure the user is assigned to the `STACKIT` application.
+3. **Verify**: Log in to the STACKIT Portal. If the user doesn't appear immediately, go to _Applications -> STACKIT -> Backchannel Providers_ and click **Sync Now**.
+
+### Scenario 2: Group & Role Mapping (RBAC)
+
+1. **Create/Assign Group**: Add your user to the `stackit-admins` group in Authentik.
+2. **Map to STACKIT Role**: In the STACKIT Org settings, map this group to the `Owner` or `Admin` role.
+3. **Verify Access**:
+   - Log in to the STACKIT Portal. The user should have the assigned organization-level permissions.
+   - **Remove Group**: Remove the user from the group in Authentik. After sync, the user's permissions in the STACKIT Org will be revoked.
+
+---
+
+## Visual Verification
+
+### 1. Dashboard/Application Overview
+
+![Dashboard](docs/authentik-dashboard-overview.png)
+![Application](docs/authentik-application-overview.png)
+
+### 2. User & Group Management
+
+![Groups](docs/authentik-user-management.png)
+![Provider](docs/authentik-group-management.png)
+
+### 3. SCIM Sync
+
+![Scim](docs/authentik-scim-sync.png)
+
+### 4. Group on STACKIT Side
+
+![Stackit-group-sync](docs/search-for-group-stackit-admins.png)
+
+---
+
+## References & Documentation
+
+- [Generic OIDC 2.0 Federation Guide](https://docs.stackit.cloud/platform/access-and-identity/stackit-idp/how-tos/generic-oidc-2_0-federation-guide/)
+- [SCIM Endpoint STACKIT IdP Guide](https://docs.stackit.cloud/platform/access-and-identity/stackit-idp/how-tos/scim-endpoint/)

examples/pfsense-hub-and-spoke/cloud-init/user-init-linux.yml

@@ -8,7 +8,7 @@
 # default password in production.
 #
 # Generate a SHA-512 hash on Linux/macOS:
-#   python3 -c "import crypt; print(crypt.crypt('YourPassword', crypt.mksalt(crypt.METHOD_SHA512)))"
+#   openssl passwd -6 "YourPassword"
 # ---------------------------------------------------------------------------
 users:
   - name: admin-user

examples/resourcemanager-nested-folders/.terraform.lock.hcl

@@ -5,6 +5,7 @@ provider "registry.terraform.io/hashicorp/random" {
   version     = "3.6.3"
   constraints = "3.6.3"
   hashes = [
+    "h1:Fnaec9vA8sZ8BXVlN3Xn9Jz3zghSETIKg7ch8oXhxno=",
     "h1:zG9uFP8l9u+yGZZvi5Te7PV62j50azpgwPunq2vTm1E=",
     "zh:04ceb65210251339f07cd4611885d242cd4d0c7306e86dda9785396807c00451",
     "zh:448f56199f3e99ff75d5c0afacae867ee795e4dfda6cb5f8e3b2a72ec3583dd8",
@@ -25,6 +26,7 @@ provider "registry.terraform.io/stackitcloud/stackit" {
   version     = "0.90.0"
   constraints = ">= 0.66.0"
   hashes = [
+    "h1:QgP6TOtucJ3A6fA51rdUvxhYGjl9RrWvXQZpjHTOuiU=",
     "h1:W29Kv6XUxYssF2Gy8KcmTx3EFstt6k8sKgPRIBbq+qs=",
     "zh:003af58a84884558bbb2fc40fcbefa6774ec20aa9e4b97cf3f950190a600afd2",
     "zh:026ee9cef4670cf33369f8654c6b9b1d8c0e116ceb0b353c882be222951ecdd4",

examples/resourcemanager-nested-folders/01-variables.tf

@@ -24,7 +24,7 @@ variable "stackit_service_account_key_path" {
 
 variable "stackit_org_id" {
   type    = string
-  default = "03a34540-3c1a-4794-b2c6-7111ecf824ef"
+  default = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 }
 
 variable "owner_email" {

examples/resourcemanager-nested-folders/README.md

@@ -2,4 +2,6 @@
 
 ## Overview
 
+> ⚠️ Two levels of folders must be enabled via a support ticket. By default, only one level is possible.
+
 This repository demonstrates code to generate nested folders within a project.

examples/s3-aws-terraform-provider/.terraform.lock.hcl

@@ -0,0 +1,47 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version     = "5.100.0"
+  constraints = "~> 5.0"
+  hashes = [
+    "h1:edXOJWE4ORX8Fm+dpVpICzMZJat4AX0VRCAy/xkcOc0=",
+    "zh:054b8dd49f0549c9a7cc27d159e45327b7b65cf404da5e5a20da154b90b8a644",
+    "zh:0b97bf8d5e03d15d83cc40b0530a1f84b459354939ba6f135a0086c20ebbe6b2",
+    "zh:1589a2266af699cbd5d80737a0fe02e54ec9cf2ca54e7e00ac51c7359056f274",
+    "zh:6330766f1d85f01ae6ea90d1b214b8b74cc8c1badc4696b165b36ddd4cc15f7b",
+    "zh:7c8c2e30d8e55291b86fcb64bdf6c25489d538688545eb48fd74ad622e5d3862",
+    "zh:99b1003bd9bd32ee323544da897148f46a527f622dc3971af63ea3e251596342",
+    "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+    "zh:9f8b909d3ec50ade83c8062290378b1ec553edef6a447c56dadc01a99f4eaa93",
+    "zh:aaef921ff9aabaf8b1869a86d692ebd24fbd4e12c21205034bb679b9caf883a2",
+    "zh:ac882313207aba00dd5a76dbd572a0ddc818bb9cbf5c9d61b28fe30efaec951e",
+    "zh:bb64e8aff37becab373a1a0cc1080990785304141af42ed6aa3dd4913b000421",
+    "zh:dfe495f6621df5540d9c92ad40b8067376350b005c637ea6efac5dc15028add4",
+    "zh:f0ddf0eaf052766cfe09dea8200a946519f653c384ab4336e2a4a64fdd6310e9",
+    "zh:f1b7e684f4c7ae1eed272b6de7d2049bb87a0275cb04dbb7cda6636f600699c9",
+    "zh:ff461571e3f233699bf690db319dfe46aec75e58726636a0d97dd9ac6e32fb70",
+  ]
+}
+
+provider "registry.terraform.io/stackitcloud/stackit" {
+  version     = "0.94.0"
+  constraints = "> 0.90.0"
+  hashes = [
+    "h1:ikFzd4yeJ1LR8ojP2PsZwiK2ZLhxBjRXkEg2HJrI07U=",
+    "zh:06c8da7d8a048216e825fa7d1e45949c1bda2a5f53f9bb0556b83b6610703fe6",
+    "zh:0dde99e7b343fa01f8eefc378171fb8621bedb20f59157d6cc8e3d46c738105f",
+    "zh:19e82636cfd52a65105e0cf030bc8a0c815082818ef953b84f9b1e349a87318c",
+    "zh:24af9b7d2f1bb38f480b1aa8cf5e4ecf483bd4403642a9e8a5accbe1ae212feb",
+    "zh:3b10850e9242bcd00c519ff4140130e8443002fd60b6dff90983e7cb1973b2c3",
+    "zh:54837a0fa4ddbcf0b8407718f8823b831322deba3bd7ec8492e4578928f50633",
+    "zh:5cfd6a6b1ca73826a03f8746ef84a5c4059648bc49abf8056c8e0f9b87800a23",
+    "zh:6ab3bcfef6ff65b4ce76d333b4ad99e5f91991fcf5bddbe1958aadde6ee05eab",
+    "zh:81b96dc29b055f15e475d8bc32482617a582785949b3c02f44ef15d19951f69c",
+    "zh:85f478c2fcf10219263462d0f06b5cc41603b1edad813c336e100b3e0a55bfe8",
+    "zh:9adbb7655fddfe4d4081746d0d7e39c3e8fbf8aa3d8b7d3b5164f30c16a6bd93",
+    "zh:9c24b39e788283ead8a8ce1f013a47562ff0dc1ccb642a8e18644cbdcda0f1c4",
+    "zh:a425f28d6a5f6f024cab56c848c55025e84a09db946f1b00a2655d9567251cea",
+    "zh:f28aa62d2f06e08fe6d18ef9103a8164aa9278540779bebd61120f810c603c6b",
+  ]
+}

examples/secretsmanager-vault-terraform-provider/.terraform.lock.hcl

@@ -0,0 +1,44 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/vault" {
+  version     = "5.9.0"
+  constraints = "5.9.0"
+  hashes = [
+    "h1:8wcXxEMo7XvCnrtZHSpAuWmRfYiZkWn2tssshB1BDzo=",
+    "zh:16e23a37c0965938544af282a7bc13dabca445f462ab27829f98e936ace4d263",
+    "zh:249fcf9da1a690fe9aa44a7421fad89a425afb0c2ce7eaf306d75daddd691af5",
+    "zh:3d92af386049a229a428f21b938a22df61703447c8ceed65c73f111a64e627d2",
+    "zh:4033fedf9d4f54f0aacf7c4a79e20978bcd67c0a8ab9411acd447db1469108a4",
+    "zh:51c78d0dc378037bbaf3cd26ff29fae7c40d7b134b40d059b982257987c15f9f",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:86e414b7327343de676ec506d30c557a514dbd992b27a2670466adaf9ed69718",
+    "zh:879c3a61ed8d183a68ddb590e63a7e0d6aab8d8044fd4a13658e7b1661395a9d",
+    "zh:8d548617543ee2ce0340972a5df93e7ac37b7895d4bf506bd587f8daac58e6d6",
+    "zh:8d75b3bbfd9a536c8c1d84504cb3d1c8e1a3fd30e377a51a6311476632363103",
+    "zh:922f625a36642c49daa432e07c12e72ff75025e0b9afda8d7240f38c6789fe46",
+    "zh:fbceae685b395acaff6c820ed7d7eaa6250ef4769e04481145dc50e09b89db2f",
+  ]
+}
+
+provider "registry.terraform.io/stackitcloud/stackit" {
+  version     = "0.94.0"
+  constraints = ">= 0.94.0"
+  hashes = [
+    "h1:ikFzd4yeJ1LR8ojP2PsZwiK2ZLhxBjRXkEg2HJrI07U=",
+    "zh:06c8da7d8a048216e825fa7d1e45949c1bda2a5f53f9bb0556b83b6610703fe6",
+    "zh:0dde99e7b343fa01f8eefc378171fb8621bedb20f59157d6cc8e3d46c738105f",
+    "zh:19e82636cfd52a65105e0cf030bc8a0c815082818ef953b84f9b1e349a87318c",
+    "zh:24af9b7d2f1bb38f480b1aa8cf5e4ecf483bd4403642a9e8a5accbe1ae212feb",
+    "zh:3b10850e9242bcd00c519ff4140130e8443002fd60b6dff90983e7cb1973b2c3",
+    "zh:54837a0fa4ddbcf0b8407718f8823b831322deba3bd7ec8492e4578928f50633",
+    "zh:5cfd6a6b1ca73826a03f8746ef84a5c4059648bc49abf8056c8e0f9b87800a23",
+    "zh:6ab3bcfef6ff65b4ce76d333b4ad99e5f91991fcf5bddbe1958aadde6ee05eab",
+    "zh:81b96dc29b055f15e475d8bc32482617a582785949b3c02f44ef15d19951f69c",
+    "zh:85f478c2fcf10219263462d0f06b5cc41603b1edad813c336e100b3e0a55bfe8",
+    "zh:9adbb7655fddfe4d4081746d0d7e39c3e8fbf8aa3d8b7d3b5164f30c16a6bd93",
+    "zh:9c24b39e788283ead8a8ce1f013a47562ff0dc1ccb642a8e18644cbdcda0f1c4",
+    "zh:a425f28d6a5f6f024cab56c848c55025e84a09db946f1b00a2655d9567251cea",
+    "zh:f28aa62d2f06e08fe6d18ef9103a8164aa9278540779bebd61120f810c603c6b",
+  ]
+}

examples/secretsmanager-vault-terraform-provider/main.tf

@@ -12,11 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-provider "stackit" {
-  default_region           = "eu01"
-  service_account_key_path = ""
-}
-
 resource "stackit_secretsmanager_instance" "example" {
   project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
   name       = "example-instance"
@@ -29,16 +24,6 @@ resource "stackit_secretsmanager_user" "example" {
   write_enabled = true
 }
 
-provider "vault" {
-  address          = "https://prod.sm.eu01.stackit.cloud"
-  skip_child_token = true
-
-  auth_login_userpass {
-    username = stackit_secretsmanager_user.example.username
-    password = stackit_secretsmanager_user.example.password
-  }
-}
-
 resource "stackit_observability_instance" "example" {
   project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
   name       = "example-instance"

examples/secretsmanager-vault-terraform-provider/provider.tf

@@ -0,0 +1,41 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+terraform {
+  required_providers {
+    stackit = {
+      source  = "stackitcloud/stackit"
+      version = ">= 0.94.0"
+    }
+    vault = {
+      source  = "hashicorp/vault"
+      version = "5.9.0"
+    }
+  }
+}
+
+provider "stackit" {
+  default_region           = "eu01"
+  service_account_key_path = ""
+}
+
+provider "vault" {
+  address          = "https://prod.sm.eu01.stackit.cloud"
+  skip_child_token = true
+
+  auth_login_userpass {
+    username = stackit_secretsmanager_user.example.username
+    password = stackit_secretsmanager_user.example.password
+  }
+}

examples/ske-azure-arc-integration/.terraform.lock.hcl

@@ -0,0 +1,104 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/azurerm" {
+  version     = "4.72.0"
+  constraints = "4.72.0"
+  hashes = [
+    "h1:QYnPAHT/PYheOOZz52ucHqw/ZO9PxWyPLtO7UD/jSMg=",
+    "zh:073472587c3752e89738522814d2b4eb2fd69eb2cb19c5a5ead3c7d2eabdc279",
+    "zh:1950effc0c315b6002c8cb6327b94fe59bda210e699367d9727bc66490d651d2",
+    "zh:47c990db75658525de57c8955a05b4752b88f3a900fffac0e7661d4a749e94f2",
+    "zh:610f2cbd6fab76750d8b093f03beabbb7162dc8c6affe0109f534ce240b3ff0f",
+    "zh:6739d645fe548c5a489d711f7748f32368cf68d723d2c59d3f2e21456304d692",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:a277ab095cc8aff3aede9e43eca2a699936472ef90abb272adf3daa609eb9141",
+    "zh:b1fdcdaf926c86de0d884beda90d78cb94a42ddede03a1f0b92c36b321d4f07e",
+    "zh:c003f1f15e52c54e189301ae2c7d8dd65acb2e5a7527d201355f2757b5465ba9",
+    "zh:c45f2d2206c0f8f71f207cd39eec73da9619d35932bbe1a5b8be7679c50a151e",
+    "zh:d7040d8ec295481bc1d30346ed7f3075c40ede87c0fedf1db34dd91c1c367a10",
+    "zh:e595f0b870cd5fd5debdc926fc1740201d2b66188b9b132dc598bdd6444e7348",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/helm" {
+  version = "3.1.1"
+  hashes = [
+    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
+    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
+    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
+    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
+    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
+    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
+    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
+    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
+    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
+    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
+    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
+    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/kubernetes" {
+  version     = "3.1.0"
+  constraints = "> 2.14.0"
+  hashes = [
+    "h1:G9QqKNpcztBRqrywtlNylFJSpGzDfRFtO8hcWLdkvRY=",
+    "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0",
+    "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20",
+    "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c",
+    "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65",
+    "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0",
+    "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a",
+    "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1",
+    "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98",
+    "zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1",
+    "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/random" {
+  version     = "3.9.0"
+  constraints = "3.9.0"
+  hashes = [
+    "h1:OO+IuvQJSPmWdN8AyyIEvPJbLvDQpgX/zbktoa9KsJE=",
+    "zh:161ad0bd9a75768c82f53fb6e7172a9d8be2d4889b012645a34795031aaf1bf1",
+    "zh:19dc9a5b17729725ccfc4f45b0500af0ee5bc6b6b160c7adb8f2bf617d2c80ea",
+    "zh:269eda8fe42daa7974d5a34d166c3ba9defe80cde86c01e4dadcfdf2e1f05e5f",
+    "zh:373f7c65566f8f2cc7f45d698654feb9d988996957e1266a69ca00c52d6d16d0",
+    "zh:5599d16804c41c83009ec621b6d6b6f74e102f5827678a4750f8809055546b61",
+    "zh:583be0440469a22bff70dcfa56593b01566860b29607437264adb51060cf46fc",
+    "zh:5f211d8ec3f2e1f414870d9584bfe26e6995560ef81c748f8447a48164767398",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:7b547fd16216761ef86efc3ed516ac5ac0c5c42b7c7eb24a08cef2d93f69ed5e",
+    "zh:7e7c0679daf2a382151d05068c8c3f0dae6b7b7dccf818827b73dd08638df2ef",
+    "zh:8089dec888a8038b9b4fb23b3df7e1057293dbc5b60b42cc47ff690d69d4b61b",
+    "zh:c51f15a031edfd6f23ce8ced3446ca7f8d8d647e2499890d7d5d10d5016d7257",
+    "zh:c94784f005708890dc6895afd53636ec00ec1e430b15d41e5aebfb1d4b39bd04",
+  ]
+}
+
+provider "registry.terraform.io/stackitcloud/stackit" {
+  version     = "0.96.0"
+  constraints = ">= 0.95.0"
+  hashes = [
+    "h1:NgwbVCV5pfBVMO3xUMop4l5AzvVv3BuBzXpJjgoZfSU=",
+    "zh:04d309851424a53d3d014dde3b143fc1cdc19fbebf558eb4b927878103f78fb0",
+    "zh:0dde99e7b343fa01f8eefc378171fb8621bedb20f59157d6cc8e3d46c738105f",
+    "zh:0ebcdf98a47f301e12925803198320d637552ef57abc49e2a48a009f1ddbf39a",
+    "zh:176238c057193c9c60c365b83463e758892186fcc2bd14bc9bbf69bf471f1d6b",
+    "zh:1c514ec6d09ee210ebb813d49b7d3a71b5b9d0b173c743bce9ab937b1e3d303a",
+    "zh:20433d0dc7e4aa2a806863fc289a2cecb19763624f199babfbe44f22d4d9150f",
+    "zh:452ceacbe4a1f70c81320b9223f4958c9bc122508c79e86bc97cb9241682c053",
+    "zh:5f893229f41f8dc2169b5b02785fb2988e8cad2141722a411711182bafefa015",
+    "zh:69383e27067a6413300d3acbcdad8f890bd187e16630580c09900ba379659284",
+    "zh:694de24bd05027c3c8b7a7c477973f76cd5a11d7fd38819026b5a0e588698fd9",
+    "zh:7c7399e3223dd76efb56ca2e3c9435b41bcbaf549839cec36023f801ca5bdcd2",
+    "zh:8a92b221694c59648d22e2e2a0059015872eff7034ae0ba9eb801fe399644a2c",
+    "zh:90a8ae716c9bc6c8804a38f7a903c7af7114ce324d0126c64e1447b6d255cdba",
+    "zh:d29eb17fde9460c5ce3c7a7975eef0ad7fea692eb17fad5e0421952e4d29dbd2",
+  ]
+}

examples/ske-azure-arc-integration/010-provider.tf

@@ -0,0 +1,57 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+terraform {
+  required_providers {
+    stackit = {
+      source  = "stackitcloud/stackit"
+      version = ">=0.95.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">2.14.0"
+    }
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "4.72.0"
+    }
+  }
+}
+
+provider "stackit" {
+  default_region           = var.stackit_region
+  service_account_key_path = var.stackit_service_account_key_path
+  enable_beta_resources    = true
+}
+
+provider "azurerm" {
+  features {}
+  subscription_id = var.azure_subscription_id
+}
+
+provider "kubernetes" {
+  host                   = yamldecode(module.ske.kubeconfig).clusters.0.cluster.server
+  client_certificate     = base64decode(yamldecode(module.ske.kubeconfig).users.0.user.client-certificate-data)
+  client_key             = base64decode(yamldecode(module.ske.kubeconfig).users.0.user.client-key-data)
+  cluster_ca_certificate = base64decode(yamldecode(module.ske.kubeconfig).clusters.0.cluster.certificate-authority-data)
+}
+
+provider "helm" {
+  kubernetes = {
+    host                   = yamldecode(module.ske.kubeconfig).clusters.0.cluster.server
+    client_certificate     = base64decode(yamldecode(module.ske.kubeconfig).users.0.user.client-certificate-data)
+    client_key             = base64decode(yamldecode(module.ske.kubeconfig).users.0.user.client-key-data)
+    cluster_ca_certificate = base64decode(yamldecode(module.ske.kubeconfig).clusters.0.cluster.certificate-authority-data)
+  }
+}

examples/ske-azure-arc-integration/020-variables.tf

@@ -0,0 +1,30 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+variable "stackit_project_id" {
+  type = string
+}
+
+variable "stackit_region" {
+  type    = string
+  default = "eu01"
+}
+
+variable "stackit_service_account_key_path" {
+  type = string
+}
+
+variable "azure_subscription_id" {
+  type = string
+}

examples/ske-azure-arc-integration/030-stackit-azure-arc.tf

@@ -0,0 +1,23 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module "ske" {
+  source     = "../../modules/test-ske"
+  project_id = var.stackit_project_id
+}
+
+resource "azurerm_resource_group" "arc_rg" {
+  name     = "rg-stackit-arc-poc"
+  location = "West Europe"
+}

examples/ske-azure-arc-integration/040-outputs.tf

@@ -0,0 +1,30 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+output "kubeconfig" {
+  value     = module.ske.kubeconfig
+  sensitive = true
+}
+
+output "cluster_name" {
+  value = module.ske.cluster_name
+}
+
+output "azure_resource_group" {
+  value = azurerm_resource_group.arc_rg.name
+}
+
+output "azure_location" {
+  value = azurerm_resource_group.arc_rg.location
+}

examples/ske-azure-arc-integration/MAINTAINERS.md

@@ -0,0 +1,9 @@
+# Maintainers
+
+General maintainers:
+
+- Mauritz Uphoff (mauritz.uphoff@digits.schwarz)
+
+This example is actively maintained. The owner is responsible for reviewing and updating dependencies and functionalities on a monthly basis.
+For questions, issues, or feature requests, please email general maintainers.
+Please include the BP name and version in your request. We will track your request as an issue.

examples/ske-azure-arc-integration/README.md

@@ -0,0 +1,46 @@
+# STACKIT SKE Azure Arc Integration
+
+This repository contains Terraform and CLI steps to connect a **STACKIT SKE cluster** to **Azure Arc**.
+
+## Prerequisites
+
+- Azure CLI installed and authenticated (`az login`)
+- Terraform installed
+- STACKIT Project & Service Account configured
+
+## Setup Guide
+
+### 1. Provision Infrastructure
+
+Deploy the SKE cluster and an Azure Resource Group to host the Arc connection:
+
+```bash
+terraform init
+terraform apply
+```
+
+### 2. Connect to Azure Arc
+
+Run the following commands to register required Azure providers and connect the cluster:
+
+```bash
+# Register Azure Arc providers
+az extension add --name connectedk8s
+az provider register --namespace Microsoft.Kubernetes
+az provider register --namespace Microsoft.KubernetesConfiguration
+az provider register --namespace Microsoft.ExtendedLocation
+
+# Export SKE Kubeconfig
+terraform output -raw kubeconfig > .kubeconfig
+
+# Connect cluster to Azure Arc
+az connectedk8s connect \
+  --name "stackit-$(terraform output -raw cluster_name)" \
+  --resource-group "$(terraform output -raw azure_resource_group)" \
+  --location "$(terraform output -raw azure_location)" \
+  --kube-config .kubeconfig
+```
+
+## References
+
+- [Azure Arc Quickstart](https://learn.microsoft.com/en-us/azure/azure-arc/kubernetes/quickstart-connect-cluster?tabs=azure-cli)

examples/ske-encrypted-volumes/.terraform.lock.hcl

@@ -0,0 +1,44 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/kubernetes" {
+  version     = "3.1.0"
+  constraints = ">= 3.1.0"
+  hashes = [
+    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
+    "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0",
+    "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20",
+    "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c",
+    "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65",
+    "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0",
+    "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a",
+    "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1",
+    "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98",
+    "zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1",
+    "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f",
+  ]
+}
+
+provider "registry.terraform.io/stackitcloud/stackit" {
+  version     = "0.94.0"
+  constraints = ">= 0.94.0"
+  hashes = [
+    "h1:ikFzd4yeJ1LR8ojP2PsZwiK2ZLhxBjRXkEg2HJrI07U=",
+    "zh:06c8da7d8a048216e825fa7d1e45949c1bda2a5f53f9bb0556b83b6610703fe6",
+    "zh:0dde99e7b343fa01f8eefc378171fb8621bedb20f59157d6cc8e3d46c738105f",
+    "zh:19e82636cfd52a65105e0cf030bc8a0c815082818ef953b84f9b1e349a87318c",
+    "zh:24af9b7d2f1bb38f480b1aa8cf5e4ecf483bd4403642a9e8a5accbe1ae212feb",
+    "zh:3b10850e9242bcd00c519ff4140130e8443002fd60b6dff90983e7cb1973b2c3",
+    "zh:54837a0fa4ddbcf0b8407718f8823b831322deba3bd7ec8492e4578928f50633",
+    "zh:5cfd6a6b1ca73826a03f8746ef84a5c4059648bc49abf8056c8e0f9b87800a23",
+    "zh:6ab3bcfef6ff65b4ce76d333b4ad99e5f91991fcf5bddbe1958aadde6ee05eab",
+    "zh:81b96dc29b055f15e475d8bc32482617a582785949b3c02f44ef15d19951f69c",
+    "zh:85f478c2fcf10219263462d0f06b5cc41603b1edad813c336e100b3e0a55bfe8",
+    "zh:9adbb7655fddfe4d4081746d0d7e39c3e8fbf8aa3d8b7d3b5164f30c16a6bd93",
+    "zh:9c24b39e788283ead8a8ce1f013a47562ff0dc1ccb642a8e18644cbdcda0f1c4",
+    "zh:a425f28d6a5f6f024cab56c848c55025e84a09db946f1b00a2655d9567251cea",
+    "zh:f28aa62d2f06e08fe6d18ef9103a8164aa9278540779bebd61120f810c603c6b",
+  ]
+}

examples/ske-encrypted-volumes/main.tf

@@ -12,18 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-provider "stackit" {
-  default_region           = "eu01"
-  service_account_key_path = ""
-}
-
-provider "kubernetes" {
-  host                   = yamldecode(stackit_ske_kubeconfig.example.kube_config).clusters.0.cluster.server
-  client_certificate     = base64decode(yamldecode(stackit_ske_kubeconfig.example.kube_config).users.0.user.client-certificate-data)
-  client_key             = base64decode(yamldecode(stackit_ske_kubeconfig.example.kube_config).users.0.user.client-key-data)
-  cluster_ca_certificate = base64decode(yamldecode(stackit_ske_kubeconfig.example.kube_config).clusters.0.cluster.certificate-authority-data)
-}
-
 resource "stackit_ske_cluster" "default" {
   project_id             = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
   name                   = "ske-enc-vol"

examples/ske-encrypted-volumes/provider.tf

@@ -0,0 +1,38 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+terraform {
+  required_providers {
+    stackit = {
+      source  = "stackitcloud/stackit"
+      version = ">= 0.94.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 3.1.0"
+    }
+  }
+}
+
+provider "stackit" {
+  default_region           = "eu01"
+  service_account_key_path = ""
+}
+
+provider "kubernetes" {
+  host                   = yamldecode(stackit_ske_kubeconfig.example.kube_config).clusters.0.cluster.server
+  client_certificate     = base64decode(yamldecode(stackit_ske_kubeconfig.example.kube_config).users.0.user.client-certificate-data)
+  client_key             = base64decode(yamldecode(stackit_ske_kubeconfig.example.kube_config).users.0.user.client-key-data)
+  cluster_ca_certificate = base64decode(yamldecode(stackit_ske_kubeconfig.example.kube_config).clusters.0.cluster.certificate-authority-data)
+}

examples/ske-external-secrets-sync/.terraform.lock.hcl

@@ -5,6 +5,7 @@ provider "registry.terraform.io/hashicorp/helm" {
   version     = "2.17.0"
   constraints = "2.17.0"
   hashes = [
+    "h1:K5FEjxvDnxb1JF1kG1xr8J3pNGxoaR3Z0IBG9Csm/Is=",
     "h1:kQMkcPVvHOguOqnxoEU2sm1ND9vCHiT8TvZ2x6v/Rsw=",
     "zh:06fb4e9932f0afc1904d2279e6e99353c2ddac0d765305ce90519af410706bd4",
     "zh:104eccfc781fc868da3c7fec4385ad14ed183eb985c96331a1a937ac79c2d1a7",
@@ -26,6 +27,7 @@ provider "registry.terraform.io/hashicorp/kubernetes" {
   constraints = ">= 2.25.2"
   hashes = [
     "h1:P0c8knzZnouTNFIRij8IS7+pqd0OKaFDYX0j4GRsiqo=",
+    "h1:vyHdH0p6bf9xp1NPePObAJkXTJb/I09FQQmmevTzZe0=",
     "zh:02d55b0b2238fd17ffa12d5464593864e80f402b90b31f6e1bd02249b9727281",
     "zh:20b93a51bfeed82682b3c12f09bac3031f5bdb4977c47c97a042e4df4fb2f9ba",
     "zh:6e14486ecfaee38c09ccf33d4fdaf791409f90795c1b66e026c226fad8bc03c7",
@@ -45,6 +47,7 @@ provider "registry.terraform.io/hashicorp/random" {
   version     = "3.7.2"
   constraints = "3.7.2"
   hashes = [
+    "h1:356j/3XnXEKr9nyicLUufzoF4Yr6hRy481KIxRVpK0c=",
     "h1:KG4NuIBl1mRWU0KD/BGfCi1YN/j3F7H4YgeeM7iSdNs=",
     "zh:14829603a32e4bc4d05062f059e545a91e27ff033756b48afbae6b3c835f508f",
     "zh:1527fb07d9fea400d70e9e6eb4a2b918d5060d604749b6f1c361518e7da546dc",
@@ -64,6 +67,7 @@ provider "registry.terraform.io/hashicorp/random" {
 provider "registry.terraform.io/hashicorp/vault" {
   version = "5.8.0"
   hashes = [
+    "h1:eSJgYoJoVMce2xjJJCeAZnJELsC4RoqaotD0fgfn6dw=",
     "h1:gk1cR+x1D+TEz05MKWmpp0p06+Trob5cN0eYU1vZGJs=",
     "zh:18e79b42c8c155a5c541a45d54a6ccdeab23c404c239acdeed336a17cbfc2fd4",
     "zh:241f50d1ea40030578034b4440e41676f1c9b5e8a2be5cd3afdb6e387914e0bf",
@@ -84,6 +88,7 @@ provider "registry.terraform.io/stackitcloud/stackit" {
   version     = "0.90.0"
   constraints = ">= 0.66.0"
   hashes = [
+    "h1:QgP6TOtucJ3A6fA51rdUvxhYGjl9RrWvXQZpjHTOuiU=",
     "h1:W29Kv6XUxYssF2Gy8KcmTx3EFstt6k8sKgPRIBbq+qs=",
     "zh:003af58a84884558bbb2fc40fcbefa6774ec20aa9e4b97cf3f950190a600afd2",
     "zh:026ee9cef4670cf33369f8654c6b9b1d8c0e116ceb0b353c882be222951ecdd4",

examples/ske-external-secrets-sync/020-variables.tf

@@ -14,7 +14,7 @@
 
 variable "stackit_project_id" {
   type    = string
-  default = "d75e6aab-b616-4b42-ae3b-aaf161ad626d"
+  default = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 }
 
 variable "stackit_region" {

examples/ske-external-secrets-sync/050-random-secret.tf

@@ -24,11 +24,12 @@ resource "vault_kv_secret_v2" "random_secret" {
   name                = "random-secret"
   cas                 = 1
   delete_all_versions = true
-  data_json = jsonencode(
+  data_json_wo = jsonencode(
     {
       admin = ephemeral.random_password.this.result
     }
   )
+  data_json_wo_version = 1
 
   depends_on = [stackit_secretsmanager_user.user]
 }

examples/ske-gpu-operator/.terraform.lock.hcl

@@ -0,0 +1,66 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/helm" {
+  version = "3.1.1"
+  hashes = [
+    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
+    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
+    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
+    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
+    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
+    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
+    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
+    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
+    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
+    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
+    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
+    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
+    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/kubernetes" {
+  version     = "3.0.1"
+  constraints = ">= 2.14.0"
+  hashes = [
+    "h1:P0c8knzZnouTNFIRij8IS7+pqd0OKaFDYX0j4GRsiqo=",
+    "h1:vyHdH0p6bf9xp1NPePObAJkXTJb/I09FQQmmevTzZe0=",
+    "zh:02d55b0b2238fd17ffa12d5464593864e80f402b90b31f6e1bd02249b9727281",
+    "zh:20b93a51bfeed82682b3c12f09bac3031f5bdb4977c47c97a042e4df4fb2f9ba",
+    "zh:6e14486ecfaee38c09ccf33d4fdaf791409f90795c1b66e026c226fad8bc03c7",
+    "zh:8d0656ff422df94575668e32c310980193fccb1c28117e5c78dd2d4050a760a6",
+    "zh:9795119b30ec0c1baa99a79abace56ac850b6e6fbce60e7f6067792f6eb4b5f4",
+    "zh:b388c87acc40f6bd9620f4e23f01f3c7b41d9b88a68d5255dec0a72f0bdec249",
+    "zh:b59abd0a980649c2f97f172392f080eaeb18e486b603f83bf95f5d93aeccc090",
+    "zh:ba6e3060fddf4a022087d8f09e38aa0001c705f21170c2ded3d1c26c12f70d97",
+    "zh:c12626d044b1d5501cf95ca78cbe507c13ad1dd9f12d4736df66eb8e5f336eb8",
+    "zh:c55203240d50f4cdeb3df1e1760630d677679f5b1a6ffd9eba23662a4ad05119",
+    "zh:ea206a5a32d6e0d6e32f1849ad703da9a28355d9c516282a8458b5cf1502b2a1",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+  ]
+}
+
+provider "registry.terraform.io/stackitcloud/stackit" {
+  version     = "0.91.0"
+  constraints = ">= 0.60.0"
+  hashes = [
+    "h1:8de9n+Roq6Z2Ltp9poBBBN9a4zSpx73VLpgFS5mTyoI=",
+    "h1:RStdHSDwbtonYfg7mR5Y92v6fxIVX9FEz0UN+tm9kHI=",
+    "zh:0dde99e7b343fa01f8eefc378171fb8621bedb20f59157d6cc8e3d46c738105f",
+    "zh:0ed12db90276ccd2d6f87135b7dd078657823c3ca33121c6a157d0bdf08f801e",
+    "zh:160b32bcf1d01666784cf8469e10e0a38d4c3d24c80c0c5be470cc63ef27ea62",
+    "zh:32e1909037235c24138b74131c6fb12ac99003f79750f1768ca5468cc05da6b0",
+    "zh:4376f1cdafbb35ad5f220e28153741908390b23161d9eae3828f7830039ce8ef",
+    "zh:458b054781ef6165d9136fc3d667f9bf37319e37d0f19300bbb63b703de2599d",
+    "zh:54a1864cf1315a118c043f834e02f2a1ca0ecbc8c2a246460589a95847da6c80",
+    "zh:83424712926ccef3c60cc011dfa298721bdbaee3598a0c8459da46bc6b7424cc",
+    "zh:a3c38ebffdbca21dd177b06acf891bed1a903907ba252d0219d91ff0ecf9d861",
+    "zh:c6325e583b77aa1e9df94e3b4b12479d7bf12c66a2ace71c1b8f64e46ac5c37e",
+    "zh:de6db8deeee895af5670df2449c8b8c34df051277f8a6e2f19c5c9ec1f0ddb12",
+    "zh:e18b05e7d8356caa6103c5c80b5ea373be3ff255b453cf577c68798ffe1b93ce",
+    "zh:f4d9215f7a2888c882892642539b2edd3ea97cb25904e4fa358db4f001c3ccd0",
+    "zh:f94d0c0c2bf843867122ababc8d8066d52257e68bbcb5c62a603f77c581e9668",
+  ]
+}

examples/ske-gpu-operator/MAINTAINERS.md

@@ -0,0 +1,9 @@
+# Maintainers
+
+General maintainers:
+
+- Mauritz Uphoff (mauritz.uphoff@digits.schwarz)
+
+This example is actively maintained. The owner is responsible for reviewing and updating dependencies and functionalities on a monthly basis.
+For questions, issues, or feature requests, please email general maintainers.
+Please include the BP name and version in your request. We will track your request as an issue.

examples/ske-gpu-operator/README.md

@@ -0,0 +1,7 @@
+# SKE Kubernetes GPU Operator Installation
+
+## Overview
+
+This example demonstrates how to deploy a SKE cluster with an NVIDIA H100 node pool and install the GPU Operator.
+
+**Note:** Currently, GPU-enabled node pools on SKE are only supported when using Ubuntu as the node operating system.

examples/ske-gpu-operator/gpu-operator-values.yaml.tftpl

@@ -0,0 +1,10 @@
+dcgm:
+  enabled: true
+
+dcgmExporter:
+  enabled: true
+  serviceMonitor:
+    enabled: true
+    additionalLabels:
+      # this label needs to be set for prometheus to use the service monitor
+      release: kube-prometheus-stack

examples/ske-gpu-operator/main.tf

@@ -0,0 +1,157 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+terraform {
+  required_providers {
+    stackit = {
+      source  = "stackitcloud/stackit"
+      version = ">=0.60.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">=2.14.0"
+    }
+  }
+}
+
+variable "project_id" {
+  default = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+}
+
+variable "stackit_service_account_key_path" {
+  default = ""
+}
+
+provider "kubernetes" {
+  host                   = yamldecode(stackit_ske_kubeconfig.this.kube_config).clusters.0.cluster.server
+  client_certificate     = base64decode(yamldecode(stackit_ske_kubeconfig.this.kube_config).users.0.user.client-certificate-data)
+  client_key             = base64decode(yamldecode(stackit_ske_kubeconfig.this.kube_config).users.0.user.client-key-data)
+  cluster_ca_certificate = base64decode(yamldecode(stackit_ske_kubeconfig.this.kube_config).clusters.0.cluster.certificate-authority-data)
+}
+
+provider "helm" {
+  kubernetes = {
+    host                   = yamldecode(stackit_ske_kubeconfig.this.kube_config).clusters.0.cluster.server
+    client_certificate     = base64decode(yamldecode(stackit_ske_kubeconfig.this.kube_config).users.0.user.client-certificate-data)
+    client_key             = base64decode(yamldecode(stackit_ske_kubeconfig.this.kube_config).users.0.user.client-key-data)
+    cluster_ca_certificate = base64decode(yamldecode(stackit_ske_kubeconfig.this.kube_config).clusters.0.cluster.certificate-authority-data)
+  }
+}
+
+provider "stackit" {
+  default_region           = "eu01"
+  service_account_key_path = var.stackit_service_account_key_path
+}
+
+resource "stackit_ske_kubeconfig" "this" {
+  project_id   = var.project_id
+  cluster_name = stackit_ske_cluster.this.name
+  refresh      = true
+
+  depends_on = [stackit_ske_cluster.this]
+}
+
+data "stackit_ske_kubernetes_versions" "this" {
+  version_state = "SUPPORTED"
+}
+
+data "stackit_ske_machine_image_versions" "this" {
+  version_state = "SUPPORTED"
+}
+
+locals {
+  flatcar_supported_version = one(flatten([
+    for mi in data.stackit_ske_machine_image_versions.this.machine_images : [
+      for v in mi.versions :
+      v.version
+      if mi.name == "flatcar"
+    ]
+  ]))
+  ubuntu_supported_version = one(flatten([
+    for mi in data.stackit_ske_machine_image_versions.this.machine_images : [
+      for v in mi.versions :
+      v.version
+      if mi.name == "ubuntu"
+    ]
+  ]))
+  gpu_operator_helm_values = templatefile("${path.module}/gpu-operator-values.yaml.tftpl", {})
+}
+
+resource "stackit_ske_cluster" "this" {
+  project_id             = var.project_id
+  name                   = "ske-gpu"
+  kubernetes_version_min = data.stackit_ske_kubernetes_versions.this.kubernetes_versions.0.version
+
+  maintenance = {
+    enable_kubernetes_version_updates    = true
+    enable_machine_image_version_updates = true
+    start                                = "01:00:00Z"
+    end                                  = "02:00:00Z"
+  }
+
+  node_pools = [
+    {
+      name               = "standard"
+      machine_type       = "g2i.4"
+      minimum            = "3"
+      maximum            = "9"
+      max_surge          = "3"
+      availability_zones = ["eu01-1", "eu01-2", "eu01-3"]
+      os_version_min     = local.flatcar_supported_version
+      os_name            = "flatcar"
+      volume_size        = 150
+      volume_type        = "storage_premium_perf6"
+    },
+    {
+      name               = "gpu-pool-h100-2"
+      machine_type       = "n3.14d.g1"
+      os_version_min     = local.ubuntu_supported_version
+      os_name            = "ubuntu"
+      minimum            = "1"
+      maximum            = "1"
+      max_surge          = "1"
+      availability_zones = ["eu01-2"]
+      volume_size        = 150
+      volume_type        = "storage_premium_perf6"
+      labels = {
+        "dedicated" = "gpu"
+      }
+      taints = [
+        {
+          effect = "NoSchedule"
+          key    = "nvidia.com/gpu"
+          value  = "true"
+        },
+      ]
+    },
+  ]
+}
+
+resource "kubernetes_namespace_v1" "gpu_operator" {
+  metadata {
+    name = "gpu-operator"
+  }
+}
+
+resource "helm_release" "gpu_operator" {
+  name       = "gpu-operator"
+  namespace  = kubernetes_namespace_v1.gpu_operator.metadata[0].name
+  repository = "https://helm.ngc.nvidia.com/nvidia"
+  chart      = "gpu-operator"
+  version    = "25.3.1"
+
+  values = [
+    local.gpu_operator_helm_values
+  ]
+}

examples/ske-kubernetes-terraform-provider/.terraform.lock.hcl

@@ -0,0 +1,44 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/kubernetes" {
+  version     = "2.38.0"
+  constraints = "~> 2.24"
+  hashes = [
+    "h1:5CkveFo5ynsLdzKk+Kv+r7+U9rMrNjfZPT3a0N/fhgE=",
+    "zh:0af928d776eb269b192dc0ea0f8a3f0f5ec117224cd644bdacdc682300f84ba0",
+    "zh:1be998e67206f7cfc4ffe77c01a09ac91ce725de0abaec9030b22c0a832af44f",
+    "zh:326803fe5946023687d603f6f1bab24de7af3d426b01d20e51d4e6fbe4e7ec1b",
+    "zh:4a99ec8d91193af961de1abb1f824be73df07489301d62e6141a656b3ebfff12",
+    "zh:5136e51765d6a0b9e4dbcc3b38821e9736bd2136cf15e9aac11668f22db117d2",
+    "zh:63fab47349852d7802fb032e4f2b6a101ee1ce34b62557a9ad0f0f0f5b6ecfdc",
+    "zh:924fb0257e2d03e03e2bfe9c7b99aa73c195b1f19412ca09960001bee3c50d15",
+    "zh:b63a0be5e233f8f6727c56bed3b61eb9456ca7a8bb29539fba0837f1badf1396",
+    "zh:d39861aa21077f1bc899bc53e7233262e530ba8a3a2d737449b100daeb303e4d",
+    "zh:de0805e10ebe4c83ce3b728a67f6b0f9d18be32b25146aa89116634df5145ad4",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "zh:faf23e45f0090eef8ba28a8aac7ec5d4fdf11a36c40a8d286304567d71c1e7db",
+  ]
+}
+
+provider "registry.terraform.io/stackitcloud/stackit" {
+  version     = "0.94.0"
+  constraints = "~> 0.35"
+  hashes = [
+    "h1:ikFzd4yeJ1LR8ojP2PsZwiK2ZLhxBjRXkEg2HJrI07U=",
+    "zh:06c8da7d8a048216e825fa7d1e45949c1bda2a5f53f9bb0556b83b6610703fe6",
+    "zh:0dde99e7b343fa01f8eefc378171fb8621bedb20f59157d6cc8e3d46c738105f",
+    "zh:19e82636cfd52a65105e0cf030bc8a0c815082818ef953b84f9b1e349a87318c",
+    "zh:24af9b7d2f1bb38f480b1aa8cf5e4ecf483bd4403642a9e8a5accbe1ae212feb",
+    "zh:3b10850e9242bcd00c519ff4140130e8443002fd60b6dff90983e7cb1973b2c3",
+    "zh:54837a0fa4ddbcf0b8407718f8823b831322deba3bd7ec8492e4578928f50633",
+    "zh:5cfd6a6b1ca73826a03f8746ef84a5c4059648bc49abf8056c8e0f9b87800a23",
+    "zh:6ab3bcfef6ff65b4ce76d333b4ad99e5f91991fcf5bddbe1958aadde6ee05eab",
+    "zh:81b96dc29b055f15e475d8bc32482617a582785949b3c02f44ef15d19951f69c",
+    "zh:85f478c2fcf10219263462d0f06b5cc41603b1edad813c336e100b3e0a55bfe8",
+    "zh:9adbb7655fddfe4d4081746d0d7e39c3e8fbf8aa3d8b7d3b5164f30c16a6bd93",
+    "zh:9c24b39e788283ead8a8ce1f013a47562ff0dc1ccb642a8e18644cbdcda0f1c4",
+    "zh:a425f28d6a5f6f024cab56c848c55025e84a09db946f1b00a2655d9567251cea",
+    "zh:f28aa62d2f06e08fe6d18ef9103a8164aa9278540779bebd61120f810c603c6b",
+  ]
+}

examples/ske-nginx-rate-limit/.terraform.lock.hcl

@@ -5,6 +5,7 @@ provider "registry.terraform.io/hashicorp/helm" {
   version = "3.1.1"
   hashes = [
     "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
+    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
     "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
     "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
     "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
@@ -25,6 +26,7 @@ provider "registry.terraform.io/hashicorp/kubernetes" {
   constraints = ">= 2.14.0"
   hashes = [
     "h1:P0c8knzZnouTNFIRij8IS7+pqd0OKaFDYX0j4GRsiqo=",
+    "h1:vyHdH0p6bf9xp1NPePObAJkXTJb/I09FQQmmevTzZe0=",
     "zh:02d55b0b2238fd17ffa12d5464593864e80f402b90b31f6e1bd02249b9727281",
     "zh:20b93a51bfeed82682b3c12f09bac3031f5bdb4977c47c97a042e4df4fb2f9ba",
     "zh:6e14486ecfaee38c09ccf33d4fdaf791409f90795c1b66e026c226fad8bc03c7",
@@ -43,6 +45,7 @@ provider "registry.terraform.io/hashicorp/kubernetes" {
 provider "registry.terraform.io/hashicorp/random" {
   version = "3.8.1"
   hashes = [
+    "h1:Eexl06+6J+s75uD46+WnZtpJZYRVUMB0AiuPBifK6Jc=",
     "h1:u8AKlWVDTH5r9YLSeswoVEjiY72Rt4/ch7U+61ZDkiQ=",
     "zh:08dd03b918c7b55713026037c5400c48af5b9f468f483463321bd18e17b907b4",
     "zh:0eee654a5542dc1d41920bbf2419032d6f0d5625b03bd81339e5b33394a3e0ae",
@@ -63,6 +66,7 @@ provider "registry.terraform.io/stackitcloud/stackit" {
   version     = "0.90.0"
   constraints = ">= 0.66.0"
   hashes = [
+    "h1:QgP6TOtucJ3A6fA51rdUvxhYGjl9RrWvXQZpjHTOuiU=",
     "h1:W29Kv6XUxYssF2Gy8KcmTx3EFstt6k8sKgPRIBbq+qs=",
     "zh:003af58a84884558bbb2fc40fcbefa6774ec20aa9e4b97cf3f950190a600afd2",
     "zh:026ee9cef4670cf33369f8654c6b9b1d8c0e116ceb0b353c882be222951ecdd4",

examples/ske-nginx-rate-limit/01-variables.tf

@@ -14,7 +14,7 @@
 
 variable "stackit_project_id" {
   type    = string
-  default = "d75e6aab-b616-4b42-ae3b-aaf161ad626d"
+  default = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 }
 
 variable "stackit_region" {

examples/ske-observability-alerting-kube-state-metrics/.terraform.lock.hcl

@@ -0,0 +1,64 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/helm" {
+  version     = "3.1.1"
+  constraints = ">= 3.1.1"
+  hashes = [
+    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
+    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
+    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
+    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
+    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
+    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
+    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
+    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
+    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
+    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
+    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
+    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/kubernetes" {
+  version     = "3.1.0"
+  constraints = ">= 3.1.0"
+  hashes = [
+    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
+    "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0",
+    "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20",
+    "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c",
+    "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65",
+    "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0",
+    "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a",
+    "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1",
+    "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98",
+    "zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1",
+    "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f",
+  ]
+}
+
+provider "registry.terraform.io/stackitcloud/stackit" {
+  version     = "0.94.0"
+  constraints = ">= 0.94.0"
+  hashes = [
+    "h1:ikFzd4yeJ1LR8ojP2PsZwiK2ZLhxBjRXkEg2HJrI07U=",
+    "zh:06c8da7d8a048216e825fa7d1e45949c1bda2a5f53f9bb0556b83b6610703fe6",
+    "zh:0dde99e7b343fa01f8eefc378171fb8621bedb20f59157d6cc8e3d46c738105f",
+    "zh:19e82636cfd52a65105e0cf030bc8a0c815082818ef953b84f9b1e349a87318c",
+    "zh:24af9b7d2f1bb38f480b1aa8cf5e4ecf483bd4403642a9e8a5accbe1ae212feb",
+    "zh:3b10850e9242bcd00c519ff4140130e8443002fd60b6dff90983e7cb1973b2c3",
+    "zh:54837a0fa4ddbcf0b8407718f8823b831322deba3bd7ec8492e4578928f50633",
+    "zh:5cfd6a6b1ca73826a03f8746ef84a5c4059648bc49abf8056c8e0f9b87800a23",
+    "zh:6ab3bcfef6ff65b4ce76d333b4ad99e5f91991fcf5bddbe1958aadde6ee05eab",
+    "zh:81b96dc29b055f15e475d8bc32482617a582785949b3c02f44ef15d19951f69c",
+    "zh:85f478c2fcf10219263462d0f06b5cc41603b1edad813c336e100b3e0a55bfe8",
+    "zh:9adbb7655fddfe4d4081746d0d7e39c3e8fbf8aa3d8b7d3b5164f30c16a6bd93",
+    "zh:9c24b39e788283ead8a8ce1f013a47562ff0dc1ccb642a8e18644cbdcda0f1c4",
+    "zh:a425f28d6a5f6f024cab56c848c55025e84a09db946f1b00a2655d9567251cea",
+    "zh:f28aa62d2f06e08fe6d18ef9103a8164aa9278540779bebd61120f810c603c6b",
+  ]
+}

examples/ske-observability-alerting-kube-state-metrics/main.tf

@@ -12,27 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-provider "stackit" {
-  default_region           = "eu01"
-  service_account_key_path = ""
-}
-
-provider "kubernetes" {
-  host                   = yamldecode(stackit_ske_kubeconfig.example.kube_config).clusters.0.cluster.server
-  client_certificate     = base64decode(yamldecode(stackit_ske_kubeconfig.example.kube_config).users.0.user.client-certificate-data)
-  client_key             = base64decode(yamldecode(stackit_ske_kubeconfig.example.kube_config).users.0.user.client-key-data)
-  cluster_ca_certificate = base64decode(yamldecode(stackit_ske_kubeconfig.example.kube_config).clusters.0.cluster.certificate-authority-data)
-}
-
-provider "helm" {
-  kubernetes {
-    host                   = yamldecode(stackit_ske_kubeconfig.example.kube_config).clusters.0.cluster.server
-    client_certificate     = base64decode(yamldecode(stackit_ske_kubeconfig.example.kube_config).users.0.user.client-certificate-data)
-    client_key             = base64decode(yamldecode(stackit_ske_kubeconfig.example.kube_config).users.0.user.client-key-data)
-    cluster_ca_certificate = base64decode(yamldecode(stackit_ske_kubeconfig.example.kube_config).clusters.0.cluster.certificate-authority-data)
-  }
-}
-
 resource "stackit_ske_cluster" "example" {
   project_id             = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
   name                   = "example"

examples/ske-observability-alerting-kube-state-metrics/provider.tf

@@ -0,0 +1,51 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+terraform {
+  required_providers {
+    stackit = {
+      source  = "stackitcloud/stackit"
+      version = ">= 0.94.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 3.1.0"
+    }
+    helm = {
+      source  = "hashicorp/helm"
+      version = ">= 3.1.1"
+    }
+  }
+}
+
+provider "stackit" {
+  default_region           = "eu01"
+  service_account_key_path = ""
+}
+
+provider "kubernetes" {
+  host                   = yamldecode(stackit_ske_kubeconfig.example.kube_config).clusters.0.cluster.server
+  client_certificate     = base64decode(yamldecode(stackit_ske_kubeconfig.example.kube_config).users.0.user.client-certificate-data)
+  client_key             = base64decode(yamldecode(stackit_ske_kubeconfig.example.kube_config).users.0.user.client-key-data)
+  cluster_ca_certificate = base64decode(yamldecode(stackit_ske_kubeconfig.example.kube_config).clusters.0.cluster.certificate-authority-data)
+}
+
+provider "helm" {
+  kubernetes = {
+    host                   = yamldecode(stackit_ske_kubeconfig.example.kube_config).clusters.0.cluster.server
+    client_certificate     = base64decode(yamldecode(stackit_ske_kubeconfig.example.kube_config).users.0.user.client-certificate-data)
+    client_key             = base64decode(yamldecode(stackit_ske_kubeconfig.example.kube_config).users.0.user.client-key-data)
+    cluster_ca_certificate = base64decode(yamldecode(stackit_ske_kubeconfig.example.kube_config).clusters.0.cluster.certificate-authority-data)
+  }
+}

examples/ske-observability-log-alerts/.terraform.lock.hcl

@@ -0,0 +1,64 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/helm" {
+  version     = "3.1.1"
+  constraints = ">= 3.1.1"
+  hashes = [
+    "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=",
+    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
+    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
+    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
+    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
+    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
+    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
+    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
+    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
+    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
+    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
+    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/kubernetes" {
+  version     = "3.1.0"
+  constraints = ">= 3.1.0"
+  hashes = [
+    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
+    "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0",
+    "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20",
+    "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c",
+    "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65",
+    "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0",
+    "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a",
+    "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1",
+    "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98",
+    "zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1",
+    "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f",
+  ]
+}
+
+provider "registry.terraform.io/stackitcloud/stackit" {
+  version     = "0.94.0"
+  constraints = ">= 0.94.0"
+  hashes = [
+    "h1:ikFzd4yeJ1LR8ojP2PsZwiK2ZLhxBjRXkEg2HJrI07U=",
+    "zh:06c8da7d8a048216e825fa7d1e45949c1bda2a5f53f9bb0556b83b6610703fe6",
+    "zh:0dde99e7b343fa01f8eefc378171fb8621bedb20f59157d6cc8e3d46c738105f",
+    "zh:19e82636cfd52a65105e0cf030bc8a0c815082818ef953b84f9b1e349a87318c",
+    "zh:24af9b7d2f1bb38f480b1aa8cf5e4ecf483bd4403642a9e8a5accbe1ae212feb",
+    "zh:3b10850e9242bcd00c519ff4140130e8443002fd60b6dff90983e7cb1973b2c3",
+    "zh:54837a0fa4ddbcf0b8407718f8823b831322deba3bd7ec8492e4578928f50633",
+    "zh:5cfd6a6b1ca73826a03f8746ef84a5c4059648bc49abf8056c8e0f9b87800a23",
+    "zh:6ab3bcfef6ff65b4ce76d333b4ad99e5f91991fcf5bddbe1958aadde6ee05eab",
+    "zh:81b96dc29b055f15e475d8bc32482617a582785949b3c02f44ef15d19951f69c",
+    "zh:85f478c2fcf10219263462d0f06b5cc41603b1edad813c336e100b3e0a55bfe8",
+    "zh:9adbb7655fddfe4d4081746d0d7e39c3e8fbf8aa3d8b7d3b5164f30c16a6bd93",
+    "zh:9c24b39e788283ead8a8ce1f013a47562ff0dc1ccb642a8e18644cbdcda0f1c4",
+    "zh:a425f28d6a5f6f024cab56c848c55025e84a09db946f1b00a2655d9567251cea",
+    "zh:f28aa62d2f06e08fe6d18ef9103a8164aa9278540779bebd61120f810c603c6b",
+  ]
+}

examples/ske-observability-log-alerts/main.tf

@@ -12,27 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-provider "stackit" {
-  default_region           = "eu01"
-  service_account_key_path = ""
-}
-
-provider "kubernetes" {
-  host                   = yamldecode(stackit_ske_kubeconfig.example.kube_config).clusters.0.cluster.server
-  client_certificate     = base64decode(yamldecode(stackit_ske_kubeconfig.example.kube_config).users.0.user.client-certificate-data)
-  client_key             = base64decode(yamldecode(stackit_ske_kubeconfig.example.kube_config).users.0.user.client-key-data)
-  cluster_ca_certificate = base64decode(yamldecode(stackit_ske_kubeconfig.example.kube_config).clusters.0.cluster.certificate-authority-data)
-}
-
-provider "helm" {
-  kubernetes {
-    host                   = yamldecode(stackit_ske_kubeconfig.example.kube_config).clusters.0.cluster.server
-    client_certificate     = base64decode(yamldecode(stackit_ske_kubeconfig.example.kube_config).users.0.user.client-certificate-data)
-    client_key             = base64decode(yamldecode(stackit_ske_kubeconfig.example.kube_config).users.0.user.client-key-data)
-    cluster_ca_certificate = base64decode(yamldecode(stackit_ske_kubeconfig.example.kube_config).clusters.0.cluster.certificate-authority-data)
-  }
-}
-
 resource "stackit_ske_cluster" "example" {
   project_id             = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
   name                   = "example"

examples/ske-observability-log-alerts/provider.tf

@@ -0,0 +1,51 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+terraform {
+  required_providers {
+    stackit = {
+      source  = "stackitcloud/stackit"
+      version = ">= 0.94.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 3.1.0"
+    }
+    helm = {
+      source  = "hashicorp/helm"
+      version = ">= 3.1.1"
+    }
+  }
+}
+
+provider "stackit" {
+  default_region           = "eu01"
+  service_account_key_path = ""
+}
+
+provider "kubernetes" {
+  host                   = yamldecode(stackit_ske_kubeconfig.example.kube_config).clusters.0.cluster.server
+  client_certificate     = base64decode(yamldecode(stackit_ske_kubeconfig.example.kube_config).users.0.user.client-certificate-data)
+  client_key             = base64decode(yamldecode(stackit_ske_kubeconfig.example.kube_config).users.0.user.client-key-data)
+  cluster_ca_certificate = base64decode(yamldecode(stackit_ske_kubeconfig.example.kube_config).clusters.0.cluster.certificate-authority-data)
+}
+
+provider "helm" {
+  kubernetes = {
+    host                   = yamldecode(stackit_ske_kubeconfig.example.kube_config).clusters.0.cluster.server
+    client_certificate     = base64decode(yamldecode(stackit_ske_kubeconfig.example.kube_config).users.0.user.client-certificate-data)
+    client_key             = base64decode(yamldecode(stackit_ske_kubeconfig.example.kube_config).users.0.user.client-key-data)
+    cluster_ca_certificate = base64decode(yamldecode(stackit_ske_kubeconfig.example.kube_config).clusters.0.cluster.certificate-authority-data)
+  }
+}

examples/ske-stackit-sfs-integration/.terraform.lock.hcl

@@ -5,6 +5,7 @@ provider "registry.terraform.io/stackitcloud/stackit" {
   version     = "0.79.0"
   constraints = "0.79.0"
   hashes = [
+    "h1:AB51ok4llxeTmkVadjYpsafPbzSU5xEHLzcVBuVHxqc=",
     "h1:l7AeT3WWi/u7QB7E1SaksYc5VjU9JS2LYc4OnavI3kw=",
     "zh:0dde99e7b343fa01f8eefc378171fb8621bedb20f59157d6cc8e3d46c738105f",
     "zh:1eb8276c0d8a4b5b92534020df0cb270ed7c4d91dfed6db089ee775b50a8f5e3",