examples: fmt examples #35
124 changed files with 927 additions and 619 deletions
@ -60,11 +60,19 @@ repos:
|
|||
|
||||
- repo: local
|
||||
hooks:
|
||||
# Requires `addlicense` to be installed locally (go install github.com/google/addlicense@latest)
|
||||
- id: addlicense
|
||||
name: Add License Headers
|
||||
description: Ensures all files have the Apache 2.0 license header
|
||||
# Requires `addlicense` to be installed locally (go install github.com/google/addlicense@latest)
|
||||
entry: addlicense -c "Schwarz Digits Cloud GmbH & Co. KG" -l apache
|
||||
language: system
|
||||
types_or: [terraform, python, go, javascript, yaml, json]
|
||||
pass_filenames: true
|
||||
|
||||
- id: terraform-numbered-files
|
||||
name: Terraform Files Must Have Number Prefix
|
||||
description: Ensures all committed .tf files start with a number (e.g., 01-, 010-, 100-)
|
||||
entry: scripts/check-terraform-numbered-files.sh
|
||||
language: script
|
||||
types: [terraform]
|
||||
pass_filenames: true
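Review bot: The `description` of the `terraform-numbered-files` hook says files must "start with a number" and lists `01-` as an example, while the CONTRIBUTING text in this same commit requires exactly three digits; one of the two is wrong, and the hook description is what a contributor sees when the check fails. Suggest `description: Ensures all committed .tf files start with a 3-digit number prefix (e.g., 010-, 020-, 100-)`, or fix the CONTRIBUTING line if the script really accepts two digits. The `# Requires addlicense ...` comment appears twice in this hunk, once above `- id: addlicense` and once above `entry:`; the rendering does not show which copy is old and which is new, so make sure only one survives. `types_or` on the addlicense hook does not include `shell`, so `scripts/check-terraform-numbered-files.sh` itself is not covered by the license-header check.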
|
||||
|
@ -58,6 +58,7 @@ To maintain a clean and secure codebase, we enforce a strict CI pipeline on all
|
|||
// limitations under the License.
|
||||
```
|
||||
|
||||
- **Terraform file naming:** All `.tf` files in examples **must** be prefixed with exactly 3 digits to enforce consistent ordering (e.g., `010-provider.tf`, `020-variables.tf`, `030-resources.tf`, `100-outputs.tf`). Files inside `modules/` directories are exempt from this rule. This check is enforced automatically by pre-commit.
|
||||
- **Scan for Secrets:** Never commit credentials. We use `trufflehog` in the CI pipeline. Ensure you have no hardcoded tokens or passwords in your code.
|
||||
|
||||
### Repository structure
|
||||
|
|
@ -78,8 +79,7 @@ If you built a great module for a customer project and want to share it, follow
|
|||
- `variables.tf` (Inputs with clear descriptions and types)
|
||||
- `outputs.tf` (Values to return to the caller)
|
||||
- `README.md` (Documentation on what the module does and its inputs/outputs. We recommend using `terraform-docs` to generate this automatically).
|
||||
3. **Provide an example:** A module is only as good as its documentation. Create a working example in the `examples/` folder showing how to instantiate your module.
|
||||
4. **Test it locally:** Run `terraform init`, `terraform plan`, and ideally `terraform apply` in a sandbox environment to ensure your code works before opening a PR.
|
||||
3. **Test it locally:** Run `terraform init`, `terraform plan`, and ideally `terraform apply` in a sandbox environment to ensure your code works before opening a PR.
|
||||
|
||||
### Adding a new Script
|
||||
|
||||
@ -25,53 +25,23 @@ terraform {
|
|||
}
|
||||
}
|
||||
|
||||
variable "project_id" {
|
||||
description = "The STACKIT Project ID where the Object Storage will be created"
|
||||
type = string
|
||||
}
|
||||
|
||||
provider "stackit" {
|
||||
default_region = "eu01"
|
||||
service_account_key_path = ""
|
||||
}
|
||||
|
||||
resource "stackit_objectstorage_bucket" "example" {
|
||||
project_id = var.project_id
|
||||
name = "my-stackit-s3-bucket"
|
||||
}
|
||||
|
||||
resource "stackit_objectstorage_credentials_group" "example" {
|
||||
project_id = var.project_id
|
||||
name = "my-credentials-group"
|
||||
}
|
||||
|
||||
resource "stackit_objectstorage_credential" "example" {
|
||||
project_id = var.project_id
|
||||
credentials_group_id = stackit_objectstorage_credentials_group.example.credentials_group_id
|
||||
}
|
||||
|
||||
provider "aws" {
|
||||
region = "eu01"
|
||||
access_key = stackit_objectstorage_credential.example.access_key
|
||||
secret_key = stackit_objectstorage_credential.example.secret_access_key
|
||||
|
||||
# These flags are mandatory when connecting to a custom S3-compatible backend
|
||||
skip_credentials_validation = true
|
||||
skip_region_validation = true
|
||||
skip_requesting_account_id = true
|
||||
skip_metadata_api_check = true
|
||||
s3_use_path_style = true
|
||||
|
||||
# STACKIT S3 Endpoint
|
||||
endpoints {
|
||||
s3 = "https://object.storage.eu01.onstackit.cloud"
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_s3_object" "example_file" {
|
||||
depends_on = [stackit_objectstorage_bucket.example]
|
||||
|
||||
bucket = stackit_objectstorage_bucket.example.name
|
||||
key = "hello-world.txt"
|
||||
content = "Hello from STACKIT Object Storage managed via the AWS Terraform Provider!"
|
||||
}
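Review bot: `service_account_key_path = ""` in the `stackit` provider block is a hard-coded empty string, while the ske-gpu-operator example in this same commit reads it from `var.stackit_service_account_key_path`; the examples should agree, and a variable lets a reader point at a key file without editing the provider block. The `variable "project_id"` block visible in this hunk is also declared in the new `020-variables.tf`; if that block is a context line here rather than a removed one, `terraform validate` will reject the duplicate declaration, so please confirm it was removed. I cannot tell from the rendering which lines are added and which are context, and the file's `terraform {}` block begins before this hunk.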
|
||||
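--- a/examples/s3-aws-terraform-provider/020-variables.tf
+++ b/examples/s3-aws-terraform-provider/020-variables.tf
@@ -0,0 +1,18 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+variable "project_id" {
+description = "The STACKIT Project ID where the Object Storage will be created"
+type = string
+}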
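--- a/examples/s3-aws-terraform-provider/030-object-storage.tf
+++ b/examples/s3-aws-terraform-provider/030-object-storage.tf
@@ -0,0 +1,28 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "stackit_objectstorage_bucket" "example" {
+project_id = var.project_id
+name = "my-stackit-s3-bucket"
+}
+
+resource "stackit_objectstorage_credentials_group" "example" {
+project_id = var.project_id
+name = "my-credentials-group"
+}
+
+resource "stackit_objectstorage_credential" "example" {
+project_id = var.project_id
+credentials_group_id = stackit_objectstorage_credentials_group.example.credentials_group_id
+}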
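Review bot: `stackit_objectstorage_credential.example` creates an S3 access key and secret that Terraform keeps in its state, and the `aws` provider in this example reads `access_key`/`secret_key` straight from that resource, so anyone with read access to the state file holds working object-storage credentials. The example should say so above the resource, e.g. `# The generated access/secret key pair is stored in plaintext in Terraform state; use a protected remote backend.` The bucket `name = "my-stackit-s3-bucket"` is a fixed literal that presumably has to be unique on the shared endpoint, so a reader copying the example is likely to collide with an existing bucket; deriving it from `var.project_id` or a dedicated variable would avoid that.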
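--- a/examples/s3-aws-terraform-provider/040-aws-s3-object.tf
+++ b/examples/s3-aws-terraform-provider/040-aws-s3-object.tf
@@ -0,0 +1,21 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "aws_s3_object" "example_file" {
+depends_on = [stackit_objectstorage_bucket.example]
+
+bucket = stackit_objectstorage_bucket.example.name
+key = "hello-world.txt"
+content = "Hello from STACKIT Object Storage managed via the AWS Terraform Provider!"
+}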
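Review bot: `depends_on = [stackit_objectstorage_bucket.example]` is redundant, because `bucket = stackit_objectstorage_bucket.example.name` already makes the object wait for the bucket; dropping the line keeps the example minimal. If the explicit dependency was meant to document ordering against the credential that the `aws` provider reads, a comment saying that would be more useful than the redundant line, since the provider configuration already carries that reference.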
@ -0,0 +1,25 @@
|
|||
# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
resource "stackit_secretsmanager_instance" "example" {
|
||||
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
|
||||
name = "example-instance"
|
||||
}
|
||||
|
||||
resource "stackit_secretsmanager_user" "example" {
|
||||
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
|
||||
instance_id = stackit_secretsmanager_instance.example.instance_id
|
||||
description = "Example user"
|
||||
write_enabled = true
|
||||
}
|
||||
@ -0,0 +1,19 @@
|
|||
# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
resource "stackit_observability_instance" "example" {
|
||||
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
|
||||
name = "example-instance"
|
||||
plan_name = "Observability-Monitoring-Medium-EU01"
|
||||
}
|
@ -12,24 +12,6 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
resource "stackit_secretsmanager_instance" "example" {
|
||||
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
|
||||
name = "example-instance"
|
||||
}
|
||||
|
||||
resource "stackit_secretsmanager_user" "example" {
|
||||
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
|
||||
instance_id = stackit_secretsmanager_instance.example.instance_id
|
||||
description = "Example user"
|
||||
write_enabled = true
|
||||
}
|
||||
|
||||
resource "stackit_observability_instance" "example" {
|
||||
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
|
||||
name = "example-instance"
|
||||
plan_name = "Observability-Monitoring-Medium-EU01"
|
||||
}
|
||||
|
||||
resource "vault_kv_secret_v2" "example" {
|
||||
mount = stackit_secretsmanager_instance.example.instance_id
|
||||
name = "my-secret"
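--- a/examples/ske-encrypted-volumes/020-ske-cluster.tf
+++ b/examples/ske-encrypted-volumes/020-ske-cluster.tf
@@ -0,0 +1,42 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "stackit_ske_cluster" "default" {
+project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+name = "ske-enc-vol"
+kubernetes_version_min = "1.33"
+
+node_pools = [{
+name = "standard"
+machine_type = "c2i.4"
+minimum = 1
+maximum = 3
+availability_zones = ["eu01-1"]
+os_name = "flatcar"
+volume_size = 32
+}]
+}
+
+resource "stackit_ske_kubeconfig" "default" {
+project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+cluster_name = stackit_ske_cluster.default.name
+refresh = true
+}
+
+data "stackit_service_accounts" "ske_internal" {
+project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+email_suffix = "@ske.sa.stackit.cloud"
+
+depends_on = [stackit_ske_cluster.default]
+}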
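Review bot: `project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"` is repeated as a literal in every resource of this example (here and again in `030-kms.tf`, `040-authorization.tf` and `050-k8s-storage.tf`), whereas the s3 example in the same commit declares `variable "project_id"` once; a single variable spares a reader from editing four files and missing one. The split also dropped the section comments the single-file version had, so `data "stackit_service_accounts" "ske_internal"` no longer explains itself; a line such as `# Looks up the SKE-managed service account created with the cluster, hence the depends_on` above it would restore that, since the `email_suffix` filter and the downstream `items[0]` lookup are otherwise opaque.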
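--- a/examples/ske-encrypted-volumes/030-kms.tf
+++ b/examples/ske-encrypted-volumes/030-kms.tf
@@ -0,0 +1,27 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "stackit_kms_keyring" "encryption" {
+project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+display_name = "ske-volume-keyring"
+}
+
+resource "stackit_kms_key" "volume_key" {
+project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+keyring_id = stackit_kms_keyring.encryption.keyring_id
+display_name = "volume-encryption-key"
+protection = "software"
+algorithm = "aes_256_gcm"
+purpose = "symmetric_encrypt_decrypt"
+}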
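--- a/examples/ske-encrypted-volumes/040-authorization.tf
+++ b/examples/ske-encrypted-volumes/040-authorization.tf
@@ -0,0 +1,30 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "stackit_service_account" "kms_manager" {
+project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+name = "volume-encryptor"
+}
+
+resource "stackit_authorization_project_role_assignment" "kms_user" {
+resource_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+role = "kms.admin"
+subject = stackit_service_account.kms_manager.email
+}
+
+resource "stackit_authorization_service_account_role_assignment" "ske_impersonation" {
+resource_id = stackit_service_account.kms_manager.service_account_id
+role = "user"
+subject = data.stackit_service_accounts.ske_internal.items[0].email
+}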
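Review bot: `subject = data.stackit_service_accounts.ske_internal.items[0].email` silently takes the first account matching the `@ske.sa.stackit.cloud` suffix; in a project with more than one SKE cluster, or a leftover account, index 0 is not guaranteed to be the one belonging to this cluster, so at minimum state the assumption: `# Assumes exactly one SKE service account exists in the project — verify before reuse`. The comments the single-file version carried here were lost in the split (`// in this case the STACKIT project_id` above `resource_id`, and the note that the `user` role on the service account is what lets the SKE account act as `kms_manager`); this is the file where a reader must understand what is granted to whom, and `resource_id = "xxxx…"` is not self-explanatory without them. `role = "kms.admin"` is broad for an identity whose only job is to encrypt and decrypt volume keys; if STACKIT offers a narrower KMS role, the example should use it.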
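--- a/examples/ske-encrypted-volumes/050-k8s-storage.tf
+++ b/examples/ske-encrypted-volumes/050-k8s-storage.tf
@@ -0,0 +1,82 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "kubernetes_storage_class_v1" "encrypted_premium" {
+metadata {
+name = "stackit-encrypted-premium"
+}
+
+storage_provisioner = "block-storage.csi.stackit.cloud"
+reclaim_policy = "Delete"
+allow_volume_expansion = true
+volume_binding_mode = "WaitForFirstConsumer"
+
+parameters = {
+type = "storage_premium_perf6"
+encrypted = "true"
+kmsKeyID = stackit_kms_key.volume_key.key_id
+kmsKeyringID = stackit_kms_keyring.encryption.keyring_id
+kmsProjectID = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+kmsKeyVersion = "1"
+kmsServiceAccount = stackit_service_account.kms_manager.email
+}
+
+depends_on = [
+stackit_authorization_service_account_role_assignment.ske_impersonation,
+stackit_authorization_project_role_assignment.kms_user
+]
+}
+
+resource "kubernetes_persistent_volume_claim_v1" "test_pvc" {
+metadata {
+name = "test-encryption-pvc"
+}
+
+spec {
+access_modes = ["ReadWriteOnce"]
+
+resources {
+requests = {
+storage = "10Gi"
+}
+}
+
+storage_class_name = kubernetes_storage_class_v1.encrypted_premium.metadata[0].name
+}
+}
+
+resource "kubernetes_pod_v1" "test_app" {
+metadata {
+name = "encrypted-volume-test"
+}
+
+spec {
+container {
+image = "nginx:latest"
+name = "web-server"
+
+volume_mount {
+mount_path = "/usr/share/nginx/html"
+name = "data-volume"
+}
+}
+
+volume {
+name = "data-volume"
+persistent_volume_claim {
+claim_name = "test-encryption-pvc"
+}
+}
+}
+}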
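Review bot: `claim_name = "test-encryption-pvc"` in the pod's `persistent_volume_claim` block repeats the PVC name as a literal; `claim_name = kubernetes_persistent_volume_claim_v1.test_pvc.metadata[0].name` removes the duplication and gives Terraform the dependency, so the pod is not created before the claim exists. `image = "nginx:latest"` is an unpinned tag; an example demonstrating encrypted storage should pin a specific version tag or digest so it stays reproducible. `kmsKeyVersion = "1"` is a literal that will be wrong after the first key rotation; if `stackit_kms_key.volume_key` exposes the current version, reference it, otherwise a comment noting the assumption is warranted.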
@ -1,158 +0,0 @@
|
|||
# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
resource "stackit_ske_cluster" "default" {
|
||||
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
|
||||
name = "ske-enc-vol"
|
||||
kubernetes_version_min = "1.33"
|
||||
|
||||
node_pools = [{
|
||||
name = "standard"
|
||||
machine_type = "c2i.4"
|
||||
minimum = 1
|
||||
maximum = 3
|
||||
availability_zones = ["eu01-1"]
|
||||
os_name = "flatcar"
|
||||
volume_size = 32
|
||||
}]
|
||||
}
|
||||
|
||||
resource "stackit_ske_kubeconfig" "default" {
|
||||
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
|
||||
cluster_name = stackit_ske_cluster.default.name
|
||||
refresh = true
|
||||
}
|
||||
|
||||
# ------------------------------------------------------------------------
|
||||
# 2. Identify the Internal SKE Service Account
|
||||
# ------------------------------------------------------------------------
|
||||
data "stackit_service_accounts" "ske_internal" {
|
||||
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
|
||||
email_suffix = "@ske.sa.stackit.cloud"
|
||||
|
||||
depends_on = [stackit_ske_cluster.default]
|
||||
}
|
||||
|
||||
# ------------------------------------------------------------------------
|
||||
# 3. Setup KMS Infrastructure
|
||||
# ------------------------------------------------------------------------
|
||||
resource "stackit_kms_keyring" "encryption" {
|
||||
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
|
||||
display_name = "ske-volume-keyring"
|
||||
}
|
||||
|
||||
resource "stackit_kms_key" "volume_key" {
|
||||
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
|
||||
keyring_id = stackit_kms_keyring.encryption.keyring_id
|
||||
display_name = "volume-encryption-key"
|
||||
protection = "software"
|
||||
algorithm = "aes_256_gcm"
|
||||
purpose = "symmetric_encrypt_decrypt"
|
||||
}
|
||||
|
||||
# ------------------------------------------------------------------------
|
||||
# 4. Configure Identity and Permissions (Act-As)
|
||||
# ------------------------------------------------------------------------
|
||||
# Create the service account that 'owns' the KMS access
|
||||
resource "stackit_service_account" "kms_manager" {
|
||||
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
|
||||
name = "volume-encryptor"
|
||||
}
|
||||
|
||||
# Grant the 'kms.admin' role to the manager service-account
|
||||
resource "stackit_authorization_project_role_assignment" "kms_user" {
|
||||
// in this case the STACKIT project_id
|
||||
resource_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
|
||||
role = "kms.admin"
|
||||
subject = stackit_service_account.kms_manager.email
|
||||
}
|
||||
|
||||
# Authorize the internal SKE account to impersonate the kms manager service-account (Act-As)
|
||||
resource "stackit_authorization_service_account_role_assignment" "ske_impersonation" {
|
||||
resource_id = stackit_service_account.kms_manager.service_account_id
|
||||
role = "user"
|
||||
subject = data.stackit_service_accounts.ske_internal.items[0].email
|
||||
}
|
||||
|
||||
resource "kubernetes_storage_class_v1" "encrypted_premium" {
|
||||
metadata {
|
||||
name = "stackit-encrypted-premium"
|
||||
}
|
||||
|
||||
storage_provisioner = "block-storage.csi.stackit.cloud"
|
||||
reclaim_policy = "Delete"
|
||||
allow_volume_expansion = true
|
||||
volume_binding_mode = "WaitForFirstConsumer"
|
||||
|
||||
parameters = {
|
||||
type = "storage_premium_perf6"
|
||||
encrypted = "true"
|
||||
kmsKeyID = stackit_kms_key.volume_key.key_id
|
||||
kmsKeyringID = stackit_kms_keyring.encryption.keyring_id
|
||||
kmsProjectID = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
|
||||
kmsKeyVersion = "1"
|
||||
kmsServiceAccount = stackit_service_account.kms_manager.email
|
||||
}
|
||||
|
||||
depends_on = [
|
||||
stackit_authorization_service_account_role_assignment.ske_impersonation,
|
||||
stackit_authorization_project_role_assignment.kms_user
|
||||
]
|
||||
}
|
||||
|
||||
resource "kubernetes_persistent_volume_claim_v1" "test_pvc" {
|
||||
metadata {
|
||||
name = "test-encryption-pvc"
|
||||
}
|
||||
|
||||
spec {
|
||||
access_modes = ["ReadWriteOnce"]
|
||||
|
||||
resources {
|
||||
requests = {
|
||||
storage = "10Gi"
|
||||
}
|
||||
}
|
||||
|
||||
storage_class_name = kubernetes_storage_class_v1.encrypted_premium.metadata[0].name
|
||||
}
|
||||
}
|
||||
|
||||
# ------------------------------------------------------------------------
|
||||
# 7. Create a Pod to Consume the Volume
|
||||
# ------------------------------------------------------------------------
|
||||
resource "kubernetes_pod_v1" "test_app" {
|
||||
metadata {
|
||||
name = "encrypted-volume-test"
|
||||
}
|
||||
|
||||
spec {
|
||||
container {
|
||||
image = "nginx:latest"
|
||||
name = "web-server"
|
||||
|
||||
volume_mount {
|
||||
mount_path = "/usr/share/nginx/html"
|
||||
name = "data-volume"
|
||||
}
|
||||
}
|
||||
|
||||
volume {
|
||||
name = "data-volume"
|
||||
persistent_volume_claim {
|
||||
claim_name = "test-encryption-pvc"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
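--- a/examples/ske-gpu-operator/010-provider.tf
+++ b/examples/ske-gpu-operator/010-provider.tf
@@ -0,0 +1,51 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+terraform {
+required_providers {
+stackit = {
+source = "stackitcloud/stackit"
+version = ">=0.60.0"
+}
+kubernetes = {
+source = "hashicorp/kubernetes"
+version = ">=2.14.0"
+}
+helm = {
+source = "hashicorp/helm"
+version = ">= 2.14.0"
+}
+}
+}
+
+provider "stackit" {
+default_region = "eu01"
+service_account_key_path = var.stackit_service_account_key_path
+}
+
+provider "kubernetes" {
+host = yamldecode(stackit_ske_kubeconfig.this.kube_config).clusters.0.cluster.server
+client_certificate = base64decode(yamldecode(stackit_ske_kubeconfig.this.kube_config).users.0.user.client-certificate-data)
+client_key = base64decode(yamldecode(stackit_ske_kubeconfig.this.kube_config).users.0.user.client-key-data)
+cluster_ca_certificate = base64decode(yamldecode(stackit_ske_kubeconfig.this.kube_config).clusters.0.cluster.certificate-authority-data)
+}
+
+provider "helm" {
+kubernetes = {
+host = yamldecode(stackit_ske_kubeconfig.this.kube_config).clusters.0.cluster.server
+client_certificate = base64decode(yamldecode(stackit_ske_kubeconfig.this.kube_config).users.0.user.client-certificate-data)
+client_key = base64decode(yamldecode(stackit_ske_kubeconfig.this.kube_config).users.0.user.client-key-data)
+cluster_ca_certificate = base64decode(yamldecode(stackit_ske_kubeconfig.this.kube_config).clusters.0.cluster.certificate-authority-data)
+}
+}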
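Review bot: The `helm` provider block uses the attribute form `kubernetes = { … }`, which as far as I know only the 3.x helm provider accepts (2.x expects a `kubernetes { … }` block), yet `required_providers` pins `version = ">= 2.14.0"`; tighten it to `version = ">= 3.0.0"` or the example fails to validate on a 2.x install — please confirm against the provider changelog. The kubeconfig traversals use the legacy `.clusters.0.cluster` index form and hyphenated attribute access (`user.client-certificate-data`), while the ske-kubernetes-terraform-provider example in this commit writes `clusters[0].cluster` and `user["client-certificate-data"]`; the bracket form is the documented one and the two examples should match. The four identical `yamldecode(stackit_ske_kubeconfig.this.kube_config)` calls per provider could be evaluated once in a `locals` block and referenced from both providers.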
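--- a/examples/ske-gpu-operator/020-variables.tf
+++ b/examples/ske-gpu-operator/020-variables.tf
@@ -0,0 +1,21 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+variable "project_id" {
+default = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+}
+
+variable "stackit_service_account_key_path" {
+default = ""
+}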
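Review bot: `variable "project_id"` ships with a placeholder `default = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"` and neither variable declares `type` or `description`, unlike the s3 example's `020-variables.tf` in this commit, which has both. A placeholder default lets `terraform apply` proceed with a bogus project id and fail at the API instead of prompting for the value; drop that default and add `type = string` plus a description to each variable. Keeping `default = ""` on `stackit_service_account_key_path` is reasonable only if the provider treats an empty path as "use ambient credentials" — worth confirming and stating in the description.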
@ -12,56 +12,6 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_providers {
|
||||
stackit = {
|
||||
source = "stackitcloud/stackit"
|
||||
version = ">=0.60.0"
|
||||
}
|
||||
kubernetes = {
|
||||
source = "hashicorp/kubernetes"
|
||||
version = ">=2.14.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
variable "project_id" {
|
||||
default = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
|
||||
}
|
||||
|
||||
variable "stackit_service_account_key_path" {
|
||||
default = ""
|
||||
}
|
||||
|
||||
provider "kubernetes" {
|
||||
host = yamldecode(stackit_ske_kubeconfig.this.kube_config).clusters.0.cluster.server
|
||||
client_certificate = base64decode(yamldecode(stackit_ske_kubeconfig.this.kube_config).users.0.user.client-certificate-data)
|
||||
client_key = base64decode(yamldecode(stackit_ske_kubeconfig.this.kube_config).users.0.user.client-key-data)
|
||||
cluster_ca_certificate = base64decode(yamldecode(stackit_ske_kubeconfig.this.kube_config).clusters.0.cluster.certificate-authority-data)
|
||||
}
|
||||
|
||||
provider "helm" {
|
||||
kubernetes = {
|
||||
host = yamldecode(stackit_ske_kubeconfig.this.kube_config).clusters.0.cluster.server
|
||||
client_certificate = base64decode(yamldecode(stackit_ske_kubeconfig.this.kube_config).users.0.user.client-certificate-data)
|
||||
client_key = base64decode(yamldecode(stackit_ske_kubeconfig.this.kube_config).users.0.user.client-key-data)
|
||||
cluster_ca_certificate = base64decode(yamldecode(stackit_ske_kubeconfig.this.kube_config).clusters.0.cluster.certificate-authority-data)
|
||||
}
|
||||
}
|
||||
|
||||
provider "stackit" {
|
||||
default_region = "eu01"
|
||||
service_account_key_path = var.stackit_service_account_key_path
|
||||
}
|
||||
|
||||
resource "stackit_ske_kubeconfig" "this" {
|
||||
project_id = var.project_id
|
||||
cluster_name = stackit_ske_cluster.this.name
|
||||
refresh = true
|
||||
|
||||
depends_on = [stackit_ske_cluster.this]
|
||||
}
|
||||
|
||||
data "stackit_ske_kubernetes_versions" "this" {
|
||||
version_state = "SUPPORTED"
|
||||
}
|
||||
@ -85,7 +35,6 @@ locals {
|
|||
if mi.name == "ubuntu"
|
||||
]
|
||||
]))
|
||||
gpu_operator_helm_values = templatefile("${path.module}/gpu-operator-values.yaml.tftpl", {})
|
||||
}
|
||||
|
||||
resource "stackit_ske_cluster" "this" {
|
||||
@ -138,20 +87,10 @@ resource "stackit_ske_cluster" "this" {
|
|||
]
|
||||
}
|
||||
|
||||
resource "kubernetes_namespace_v1" "gpu_operator" {
|
||||
metadata {
|
||||
name = "gpu-operator"
|
||||
}
|
||||
}
|
||||
resource "stackit_ske_kubeconfig" "this" {
|
||||
project_id = var.project_id
|
||||
cluster_name = stackit_ske_cluster.this.name
|
||||
refresh = true
|
||||
|
||||
resource "helm_release" "gpu_operator" {
|
||||
name = "gpu-operator"
|
||||
namespace = kubernetes_namespace_v1.gpu_operator.metadata[0].name
|
||||
repository = "https://helm.ngc.nvidia.com/nvidia"
|
||||
chart = "gpu-operator"
|
||||
version = "25.3.1"
|
||||
|
||||
values = [
|
||||
local.gpu_operator_helm_values
|
||||
]
|
||||
depends_on = [stackit_ske_cluster.this]
|
||||
}
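Review bot: `depends_on = [stackit_ske_cluster.this]` inside `stackit_ske_kubeconfig.this` is redundant with `cluster_name = stackit_ske_cluster.this.name`, which already makes the kubeconfig wait for the cluster; the line can go. As far as the rendering shows, the resource was moved below the cluster verbatim from the top of the file, so this is a pre-existing redundancy carried along rather than something new. The enclosing file continues beyond this hunk.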
|
||||
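--- a/examples/ske-gpu-operator/040-gpu-operator.tf
+++ b/examples/ske-gpu-operator/040-gpu-operator.tf
@@ -0,0 +1,35 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+locals {
+gpu_operator_helm_values = templatefile("${path.module}/gpu-operator-values.yaml.tftpl", {})
+}
+
+resource "kubernetes_namespace_v1" "gpu_operator" {
+metadata {
+name = "gpu-operator"
+}
+}
+
+resource "helm_release" "gpu_operator" {
+name = "gpu-operator"
+namespace = kubernetes_namespace_v1.gpu_operator.metadata[0].name
+repository = "https://helm.ngc.nvidia.com/nvidia"
+chart = "gpu-operator"
+version = "25.3.1"
+
+values = [
+local.gpu_operator_helm_values
+]
+}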
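Review bot: `templatefile("${path.module}/gpu-operator-values.yaml.tftpl", {})` is called with an empty variable map, so nothing is actually templated; `file("${path.module}/gpu-operator-values.yaml")` would state the intent, unless the `.tftpl` is meant to gain variables later, in which case a comment saying so belongs above the `locals` block. The `helm_release` lost the explicit `depends_on` it had in the single-file version; that is fine provided the release only runs once the cluster is reachable, which here rests on the `helm` provider configuration referencing `stackit_ske_kubeconfig.this` — a one-line comment noting that would stop the next reader from re-adding it.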
@ -25,52 +25,14 @@ terraform {
|
|||
}
|
||||
}
|
||||
|
||||
variable "project_id" {
|
||||
description = "The STACKIT Project ID"
|
||||
type = string
|
||||
}
|
||||
|
||||
provider "stackit" {
|
||||
default_region = "eu01"
|
||||
service_account_key_path = ""
|
||||
}
|
||||
|
||||
resource "stackit_ske_cluster" "example" {
|
||||
project_id = var.project_id
|
||||
name = "example"
|
||||
kubernetes_version_min = "1.33"
|
||||
|
||||
node_pools = [
|
||||
{
|
||||
name = "example-node-pool"
|
||||
machine_type = "g2i.4"
|
||||
minimum = 1
|
||||
maximum = 2
|
||||
availability_zones = ["eu01-1"]
|
||||
os_version_min = "3815.2.5"
|
||||
os_name = "flatcar"
|
||||
volume_size = 32
|
||||
volume_type = "storage_premium_perf6"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
|
||||
resource "stackit_ske_kubeconfig" "example" {
|
||||
project_id = var.project_id
|
||||
cluster_name = stackit_ske_cluster.example.name
|
||||
expiration = 3600
|
||||
}
|
||||
|
||||
provider "kubernetes" {
|
||||
host = yamldecode(stackit_ske_kubeconfig.example.kube_config).clusters[0].cluster.server
|
||||
client_certificate = base64decode(yamldecode(stackit_ske_kubeconfig.example.kube_config).users[0].user["client-certificate-data"])
|
||||
client_key = base64decode(yamldecode(stackit_ske_kubeconfig.example.kube_config).users[0].user["client-key-data"])
|
||||
cluster_ca_certificate = base64decode(yamldecode(stackit_ske_kubeconfig.example.kube_config).clusters[0].cluster["certificate-authority-data"])
|
||||
}
|
||||
|
||||
resource "kubernetes_namespace" "example" {
|
||||
metadata {
|
||||
name = "stackit-demo-namespace"
|
||||
}
|
||||
}
|
||||
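--- a/examples/ske-kubernetes-terraform-provider/020-variables.tf
+++ b/examples/ske-kubernetes-terraform-provider/020-variables.tf
@@ -0,0 +1,18 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+variable "project_id" {
+  description = "The STACKIT Project ID"
+  type = string
+}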
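Review bot: `variable "project_id"` accepts any string, so a typo or an empty `-var` value is only caught when the STACKIT API rejects the cluster create, well into the apply. The placeholders used in the sibling examples are UUID-shaped, so a `validation` block can fail fast at plan time with a clear message; it also documents the expected format for readers who copy the example. Confirm against the STACKIT docs that project IDs are always UUIDs before adopting the regex.
```hcl
variable "project_id" {
  description = "The STACKIT Project ID"
  type        = string

  validation {
    condition     = can(regex("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$", var.project_id))
    error_message = "project_id must be a UUID (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)."
  }
}
```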
|
|
@ -0,0 +1,39 @@
|
|||
# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
resource "stackit_ske_cluster" "example" {
|
||||
project_id = var.project_id
|
||||
name = "example"
|
||||
kubernetes_version_min = "1.33"
|
||||
|
||||
node_pools = [
|
||||
{
|
||||
name = "example-node-pool"
|
||||
machine_type = "g2i.4"
|
||||
minimum = 1
|
||||
maximum = 2
|
||||
availability_zones = ["eu01-1"]
|
||||
os_version_min = "3815.2.5"
|
||||
os_name = "flatcar"
|
||||
volume_size = 32
|
||||
volume_type = "storage_premium_perf6"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
resource "stackit_ske_kubeconfig" "example" {
|
||||
project_id = var.project_id
|
||||
cluster_name = stackit_ske_cluster.example.name
|
||||
expiration = 3600
|
||||
}
|
||||
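--- a/examples/ske-kubernetes-terraform-provider/040-namespace.tf
+++ b/examples/ske-kubernetes-terraform-provider/040-namespace.tf
@@ -0,0 +1,19 @@
+# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "kubernetes_namespace" "example" {
+  metadata {
+    name = "stackit-demo-namespace"
+  }
+}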
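Review bot: This file uses the un-suffixed `kubernetes_namespace` resource while the `ske-gpu-operator` example in the same commit uses `kubernetes_namespace_v1`; the two examples should agree, and the `_v1` form is the one the Kubernetes provider currently documents as the schema-versioned resource (the unsuffixed one is kept for compatibility, as I understand it). Change the header to `resource "kubernetes_namespace_v1" "example" {` — the body is unchanged.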
|
|
@ -0,0 +1,45 @@
|
|||
# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
resource "stackit_ske_cluster" "example" {
|
||||
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
|
||||
name = "example"
|
||||
kubernetes_version_min = "1.31"
|
||||
node_pools = [
|
||||
{
|
||||
name = "standard"
|
||||
machine_type = "c2i.4"
|
||||
minimum = "3"
|
||||
maximum = "9"
|
||||
max_surge = "3"
|
||||
availability_zones = ["eu01-1", "eu01-2", "eu01-3"]
|
||||
os_version_min = "4081.2.1"
|
||||
os_name = "flatcar"
|
||||
volume_size = 32
|
||||
volume_type = "storage_premium_perf6"
|
||||
}
|
||||
]
|
||||
maintenance = {
|
||||
enable_kubernetes_version_updates = true
|
||||
enable_machine_image_version_updates = true
|
||||
start = "01:00:00Z"
|
||||
end = "02:00:00Z"
|
||||
}
|
||||
}
|
||||
|
||||
resource "stackit_ske_kubeconfig" "example" {
|
||||
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
|
||||
cluster_name = stackit_ske_cluster.example.name
|
||||
refresh = true
|
||||
}
|
||||
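Review bot: `project_id` is hard-coded as the placeholder literal `"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"` in both `stackit_ske_cluster.example` and `stackit_ske_kubeconfig.example`, so a reader who replaces one and misses the other issues a kubeconfig request against a different project; the sibling example already models this as `var.project_id`. Replace both with `project_id = var.project_id` and add the matching `variable "project_id"` to this example's variables file. `kubernetes_version_min = "1.31"` is two minors behind the `"1.33"` pinned by the sibling example — confirm it is still a supported SKE release, since the `maintenance` block only auto-updates within what the platform offers. Minor style point: `minimum`, `maximum` and `max_surge` are quoted strings here but bare numbers in the sibling node pool.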
|
|
@ -0,0 +1,44 @@
|
|||
# Copyright 2026 Schwarz Digits Cloud GmbH & Co. KG
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
locals {
|
||||
alert_config = {
|
||||
route = {
|
||||
receiver = "EmailStackit",
|
||||
repeat_interval = "1m"
|
||||
}
|
||||
receivers = [
|
||||
{
|
||||
name = "EmailStackit",
|
||||
email_configs = [
|
||||
{
|
||||
to = "<email>"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
resource "stackit_observability_instance" "example" {
|
||||
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
|
||||
name = "example"
|
||||
plan_name = "Observability-Large-EU01"
|
||||
alert_config = local.alert_config
|
||||
}
|
||||
|
||||
resource "stackit_observability_credential" "example" {
|
||||
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
|
||||
instance_id = stackit_observability_instance.example.instance_id
|
||||
}
|
||||
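Review bot: `stackit_observability_credential.example` exists only to mint credential material, which Terraform then persists as resource attributes in state, yet nothing in the file warns about it; add a comment above the resource such as `# Generated credentials are stored in Terraform state: use an encrypted, access-controlled backend and mark any output exposing them sensitive = true`. The `project_id` placeholder literal is repeated in both resources; a `variable "project_id"`, as the `ske-kubernetes-terraform-provider` example does, avoids a half-edited copy. `repeat_interval = "1m"` re-sends every firing alert to `<email>` each minute — acceptable for a demo, but a `# demo value; use a longer interval in production` comment would stop it being copied verbatim.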