rm project_old dir

.gitignore

@@ -1,2 +1,4 @@
 .terraform*
 terraform.tfstate*
+.env
+kubeconfig*

01-network.tf

@@ -1,106 +0,0 @@
-// ------- project 1 - landingzone ------------
-// This file defines the network setup for the first project landingzone.
-resource "stackit_network" "wan_network" {
-  project_id          = module.project.project_info["project1"].project_id
-  name                = "wan_network"
-  ipv4_nameservers    = ["1.1.1.1", "8.8.8.8"]
-  ipv4_prefix_length  = 24
-  ipv4_prefix         = "10.220.0.0/24"
-  routed              = true
-}
-
-resource "stackit_network" "lan_network1" {
-  project_id         = module.project.project_info["project1"].project_id
-  name               = "lan_network1"
-  ipv4_prefix_length = 24
-  ipv4_prefix        = "10.220.1.0/24"
-  routed              = true
-}
-
-resource "stackit_network" "lan_network2" {
-  project_id         = module.project.project_info["project1"].project_id
-  name               = "lan_network2"
-  ipv4_prefix_length = 24
-  ipv4_prefix        = "10.220.2.0/24"
-  routed              = true
-}
-
-resource "stackit_network" "lan_network3" {
-  project_id         = module.project.project_info["project1"].project_id
-  name               = "lan_network3"
-  ipv4_prefix_length = 24
-  ipv4_prefix        = "10.220.3.0/24"
-  routed              = false
-}
-
-resource "stackit_network_interface" "wan" {
-  project_id        = module.project.project_info["project1"].project_id
-  network_id        = stackit_network.wan_network.network_id
-  security          = false
-  name              = "MGMT"
-  ipv4              = "10.220.0.254"
-
-}
-
-resource "stackit_network_interface" "lan1" {
-  project_id         = module.project.project_info["project1"].project_id
-  network_id         = stackit_network.lan_network1.network_id
-  security           = false
-  name              = "LAN1"
-}
-
-resource "stackit_network_interface" "lan2" {
-  project_id         = module.project.project_info["project1"].project_id
-  network_id         = stackit_network.lan_network2.network_id
-  security           = false
-  name              = "LAN2"
-}
-
-resource "stackit_network_interface" "lan3" {
-  project_id         = module.project.project_info["project1"].project_id
-  network_id         = stackit_network.lan_network3.network_id
-  security           = false
-  name              = "LAN3"
-}
-
-# ---------- project 2 core ------------------
-// This file defines the network setup for the second project (core).
-
-resource "stackit_network" "p2_lan_network1" {
-  project_id         = module.project.project_info["project2"].project_id
-  name               = "p2_lan_network"
-  ipv4_prefix_length = 24
-  ipv4_prefix        = "10.220.5.0/24"
-  routed              = true
-}
-
-resource "stackit_network_interface" "p2_lan1" {
-  project_id         = module.project.project_info["project2"].project_id
-  network_id         = stackit_network.p2_lan_network1.network_id
-  security           = true 
-  name              = "P2LAN1"
-  security_group_ids = [ stackit_security_group.example.security_group_id ]
-}
-
-
-// ---------- public IPs ------------------
-// This file defines the public IPs for the projects.
-resource "stackit_public_ip" "wan_ip" {
-  project_id           = module.project.project_info["project1"].project_id
-  network_interface_id = stackit_network_interface.wan.network_interface_id
-}
-
-/*resource "stackit_public_ip" "wan_server" {
-  project_id           = module.project.project_info["project2"].project_id
-  network_interface_id = stackit_network_interface.p2_wan_interface1.network_interface_id
-}
-*/
-
-// Output the public IPs for both projects
-output "public_ips" {
-  value = {
-    "wan_ip"   = stackit_public_ip.wan_ip.ip
-    //"wan_server"   = stackit_public_ip.wan_server.ip
-  }
-}
-

06-security-group.tf

@@ -1,51 +0,0 @@
-
-// Security Group and Security Group Rules
-resource "stackit_security_group" "example" {
-  project_id = module.project.project_info["project2"].project_id
-  name       = "test"
-  labels = {
-    "key" = "example"
-  }
-}
-
-resource "stackit_security_group_rule" "icmp_ingress" {
-  security_group_id = stackit_security_group.example.security_group_id
-  project_id = module.project.project_info["project2"].project_id
-  direction         = "ingress"
-  icmp_parameters = {
-    code = 0
-    type = 8
-  }
-  protocol = {
-    name = "icmp"
-  }
-}
-resource "stackit_security_group_rule" "icmp_egress" {
-  project_id = module.project.project_info["project2"].project_id
-  security_group_id = stackit_security_group.example.security_group_id
-  direction         = "egress"
-  icmp_parameters = {
-    code = 0
-    type = 8
-  }
-  protocol = {
-    name = "icmp"
-  }
-}
-
-resource "stackit_security_group_rule" "ssh_ingress" {
-  security_group_id = stackit_security_group.example.security_group_id
-  project_id = module.project.project_info["project2"].project_id
-  direction         = "ingress"
-
-  protocol = {
-    name = "tcp"
-  }
-  port_range = {
-    max = 22
-    min = 22
-  }
-}
-
-
-

main.tf

@@ -1,30 +1,130 @@
-# main.tf 
+resource "stackit_network_area" "project_sna" {
+  organization_id  = var.organization_id
+  name             = var.SNA_name
+  network_ranges   = var.SNA_network_ranges
+  transfer_network = var.SNA_transfer_network
+}
 
-terraform {
+module "projects" {
-  required_providers {
+  source = "./project"
-    stackit = {
+
-      source  = "stackitcloud/stackit"
+  projects        = var.Projects_map
-      version = ">=0.54"
+  organization_id = var.organization_id
-    }
+  sna_id          = stackit_network_area.project_sna.network_area_id
+  labels          = var.labels != null ? var.labels : {}
+}
+
+locals {
+  project_ids = { for k, v in module.projects.created_projects : k => v.project_id }
+}
+
+module "stackit_ske_cluster" {
+  source = "./ske"
+  for_each = var.ske_clusters
+
+  project_id = local.project_ids[each.value.project_key]
+  name       = each.value.name
+  node_pools = each.value.node_pools
+  kubernetes_version_min = lookup(each.value, "kubernetes_version_min", null)
+  hibernations           = lookup(each.value, "hibernations", null)
+  maintenance            = lookup(each.value, "maintenance", null)
+  extensions             = lookup(each.value, "extensions", null)
+  default_region         = var.default_region
+}
+
+module "security_groups" {
+  source = "./security-group"
+
+  for_each = var.security_groups
+
+  project_id  = local.project_ids[each.value.project_key]
+  name        = each.value.name
+  description = each.value.description != null ? each.value.description : ""
+  rules       = each.value.rules
+}
+
+locals {
+  security_group_ids_by_name = {
+    for key, m in module.security_groups :
+    m.name => m.security_group_id
   }
 }
 
-provider "stackit" {
+module "net" {
-  default_region             = var.default_region
+  depends_on = [module.security_groups]
-  service_account_key_path = var.service_account_key_path
+  source     = "./network"
-  private_key_path         = var.private_key_path
+
-  enable_beta_resources    = true
+  for_each = var.networks
+
+  project_id = local.project_ids[each.value.project_key]
+  name       = each.value.name
+
+  ipv4_gateway       = each.value.ipv4_gateway
+  ipv4_nameservers   = each.value.ipv4_nameservers
+  ipv4_prefix        = each.value.ipv4_prefix
+  ipv4_prefix_length = each.value.ipv4_prefix_length
+
+  ipv6_gateway       = each.value.ipv6_gateway
+  ipv6_nameservers   = each.value.ipv6_nameservers
+  ipv6_prefix        = each.value.ipv6_prefix
+  ipv6_prefix_length = each.value.ipv6_prefix_length
+
+  no_ipv4_gateway = each.value.no_ipv4_gateway
+  no_ipv6_gateway = each.value.no_ipv6_gateway
+  routed          = each.value.routed
+  labels          = each.value.labels
+
+  nics                       = each.value.nics
+  security_group_ids_by_name = local.security_group_ids_by_name
 }
 
+module "postgres" {
+  source = "./postgres"
 
-module "project" {
+  for_each = var.postgres_instances
-  source = "./project"
-
-  # -- variables for project module
-  organization_id = var.organization_id
-  sna_net = var.sna_net
 
+  project_id      = local.project_ids[each.value.project_key]
+  name            = each.value.name
+  ver             = each.value.version
+  flavor          = each.value.flavor
+  storage         = each.value.storage
+  replicas        = each.value.replicas
+  acl             = each.value.acl
+  backup_schedule = each.value.backup_schedule
+  users           = each.value.users
+  databases       = each.value.databases
 }
 
+module "observability" {
+  source   = "./observability"
+  for_each = var.observability_instances
 
+  project_id = local.project_ids[each.value.project_key]
 
+  name      = each.value.name
+  plan_name = each.value.plan_name
+
+  acl                                    = each.value.acl
+  metrics_retention_days                 = each.value.metrics_retention_days
+  metrics_retention_days_5m_downsampling = each.value.metrics_retention_days_5m_downsampling
+  metrics_retention_days_1h_downsampling = each.value.metrics_retention_days_1h_downsampling
+  alert_config                           = each.value.alert_config
+  parameters                             = each.value.parameters
+
+  # Credentials
+  create_credentials = each.value.create_credentials
+  credentials_count  = each.value.credentials_count
+
+  alertgroups = each.value.alertgroups
+
+  logalertgroups = each.value.logalertgroups
+
+  scrapeconfigs = each.value.scrapeconfigs
+}
+
+output "obs_url" {
+  value = {
+    for key, instance in module.observability :
+    key => instance.observability_urls
+  }
+}

network/main.tf

@@ -1,31 +1,51 @@
 resource "stackit_network" "this" {
   project_id = var.project_id
   name       = var.name
+  labels     = var.labels
 
-  ipv4_gateway        = var.routed == false ? var.ipv4_gateway : null
+  # IPv4 settings
-  ipv4_nameservers    = var.ipv4_nameservers
+  ipv4_gateway       = var.ipv4_gateway
-  ipv4_prefix         = var.ipv4_prefix
+  ipv4_nameservers   = var.ipv4_nameservers
-  ipv4_prefix_length  = var.ipv4_prefix_length
+  ipv4_prefix        = var.ipv4_prefix
-  ipv6_gateway        = var.routed == false ? var.ipv6_gateway : null
+  ipv4_prefix_length = var.ipv4_prefix_length
-  ipv6_nameservers    = var.ipv6_nameservers
+
-  ipv6_prefix         = var.ipv6_prefix
+  # IPv6 settings
-  ipv6_prefix_length  = var.ipv6_prefix_length
+  ipv6_gateway       = var.ipv6_gateway
-  labels              = var.labels
+  ipv6_nameservers   = var.ipv6_nameservers
-  no_ipv4_gateway     = var.no_ipv4_gateway
+  ipv6_prefix        = var.ipv6_prefix
-  no_ipv6_gateway     = var.no_ipv6_gateway
+  ipv6_prefix_length = var.ipv6_prefix_length
-  routed              = var.routed
+
+  no_ipv4_gateway = var.no_ipv4_gateway
+  no_ipv6_gateway = var.no_ipv6_gateway
+  routed          = var.routed
 }
 
-resource "stackit_network_interface" "static" {
+resource "stackit_network_interface" "nics" {
-  count = var.nic_ipv4 == null ? 0 : 1
+  for_each = var.nics != null ? var.nics : {}
 
-  network_id = stackit_network.this.network_id
   project_id = var.project_id
+  network_id = stackit_network.this.network_id
 
-  ipv4               = var.nic_ipv4
+  name              = each.value.nic_name
-  labels             = var.nic_labels
+  ipv4              = each.value.nic_ipv4
-  name               = var.nic_name != null ? var.nic_name : "${var.name}-nic"
+  allowed_addresses = each.value.nic_allowed_addresses
-  security           = var.nic_security
+  labels            = each.value.nic_labels
-  security_group_ids = var.nic_security ? var.nic_security_group_ids : null
+  security          = each.value.nic_security
-  allowed_addresses  = var.nic_security ? var.nic_allowed_addresses : null
+  security_group_ids = (
+    each.value.nic_security_group_ids != null ? each.value.nic_security_group_ids :
+    each.value.nic_security_group_names != null ?
+    [for name in each.value.nic_security_group_names : var.security_group_ids_by_name[name]]
+    : []
+  )
+  
+  lifecycle {
+    precondition {
+      condition = alltrue([
+        for sg_name in try(each.value.nic_security_group_names, []) :
+        contains(keys(var.security_group_ids_by_name), sg_name)
+      ])
+      error_message = "NIC '${each.key}' references unknown security group name(s)."
+    }
+  }
 }
+

network/output.tf

@@ -7,12 +7,3 @@ output "network_name" {
   description = "Network name"
   value       = stackit_network.this.name
 }
-
-output "network_interface_id" {
-  description = "NIC ID"
-  value       = try(stackit_network_interface.static[0].network_interface_id, null)
-}
-
-output "nic_ipv4_list" {
-  value = try(stackit_network_interface.static[*].ipv4, null)
-}

network/providers.tf

@@ -6,4 +6,4 @@ terraform {
       version = "0.56.0"
     }
   }
-}
+}

network/variables.tf

@@ -1,98 +1,118 @@
 variable "project_id" {
-  type = string
+  description = "STACKIT project ID"
+  type        = string
 }
 
 variable "name" {
-  type = string
+  description = "Network name"
+  type        = string
 }
 
 variable "ipv4_gateway" {
-  type    = string
+  description = "IPv4 gateway address"
-  default = null
+  type        = string
+  default     = null
 }
 
 variable "ipv4_nameservers" {
-  type    = list(string)
+  description = "IPv4 nameserver list"
-  default = []
+  type        = list(string)
+  default     = []
 }
 
 variable "ipv4_prefix" {
-  type    = string # CIDR, only for NON-routed nets
+  description = "IPv4 prefix CIDR"
-  default = null
+  type        = string
+  default     = null
 }
 
 variable "ipv4_prefix_length" {
-  type    = number # e.g. 24
+  description = "IPv4 prefix length"
-  default = null
+  type        = number
+  default     = null
 }
 
 variable "ipv6_gateway" {
-  type    = string
+  description = "IPv6 gateway address"
-  default = null
+  type        = string
+  default     = null
 }
 
 variable "ipv6_nameservers" {
-  type    = list(string)
+  description = "IPv6 nameserver list"
-  default = []
+  type        = list(string)
+  default     = []
 }
 
 variable "ipv6_prefix" {
-  type    = string
+  description = "IPv6 prefix CIDR"
-  default = null
+  type        = string
+  default     = null
 }
 
 variable "ipv6_prefix_length" {
-  type    = number
+  description = "IPv6 prefix length"
-  default = null
+  type        = number
+  default     = null
+}
+
+variable "nameservers" {
+  description = "Deprecated nameserver list (legacy field)"
+  type        = list(string)
+  default     = []
 }
 
 variable "labels" {
-  type    = map(string)
+  description = "Labels map"
-  default = {}
+  type        = map(string)
+  default     = {}
 }
 
 variable "no_ipv4_gateway" {
-  type    = bool
+  description = "Disable IPv4 gateway"
-  default = false
+  type        = bool
+  default     = false
 }
 
 variable "no_ipv6_gateway" {
-  type    = bool
+  description = "Disable IPv6 gateway"
-  default = false
+  type        = bool
+  default     = false
 }
 
 variable "routed" {
-  type    = bool
+  description = "Mark network routed"
-  default = true
+  type        = bool
+  default     = null
 }
 
-variable "nic_allowed_addresses" {
+variable "region" {
-  type    = list(string)
+  description = "Resource region override (defaults to provider region)"
-  default = []
+  type        = string
+  default     = null
 }
 
-variable "nic_ipv4" {
+variable "routing_table_id" {
-  type    = string
+  description = "Routing table ID"
-  default = null
+  type        = string
+  default     = null
 }
 
-variable "nic_labels" {
+variable "nics" {
-  type    = map(string)
+  description = "Map of NIC configs"
+  type = map(object({
+    nic_ipv4                 = optional(string)
+    nic_name                 = optional(string)
+    nic_allowed_addresses    = optional(list(string))
+    nic_labels               = optional(map(string))
+    nic_security             = optional(bool)
+    nic_security_group_ids   = optional(list(string))
+    nic_security_group_names = optional(list(string))
+  }))
   default = {}
 }
 
-variable "nic_name" {
+variable "security_group_ids_by_name" {
-  type    = string
+  description = "Security group name→ID map"
-  default = null
+  type        = map(string)
-}
-
-variable "nic_security" {
-  type    = bool
-  default = false
-  nullable = false
-}
-
-variable "nic_security_group_ids" {
-  type    = list(string)
-  default = []
 }

observability/main.tf

@@ -0,0 +1,56 @@
+resource "stackit_observability_instance" "this" {
+  project_id = var.project_id
+  name       = var.name
+  plan_name  = var.plan_name
+
+  acl                                    = var.acl
+  metrics_retention_days                 = var.metrics_retention_days
+  metrics_retention_days_5m_downsampling = var.metrics_retention_days_5m_downsampling
+  metrics_retention_days_1h_downsampling = var.metrics_retention_days_1h_downsampling
+  alert_config                           = var.alert_config
+  parameters                             = var.parameters
+}
+
+resource "stackit_observability_credential" "this" {
+  count       = var.create_credentials ? var.credentials_count : 0
+  project_id  = var.project_id
+  instance_id = stackit_observability_instance.this.instance_id
+}
+
+resource "stackit_observability_alertgroup" "this" {
+  for_each    = var.alertgroups
+  project_id  = var.project_id
+  instance_id = stackit_observability_instance.this.instance_id
+
+  name     = each.value.name
+  interval = each.value.interval
+  rules    = each.value.rules
+}
+
+resource "stackit_observability_logalertgroup" "this" {
+  for_each    = var.logalertgroups
+  project_id  = var.project_id
+  instance_id = stackit_observability_instance.this.instance_id
+
+  name     = each.value.name
+  interval = each.value.interval
+  rules    = each.value.rules
+}
+
+resource "stackit_observability_scrapeconfig" "this" {
+  for_each     = var.scrapeconfigs
+  project_id   = var.project_id
+  instance_id  = stackit_observability_instance.this.instance_id
+  name         = each.value.name
+  metrics_path = each.value.metrics_path
+
+  targets = each.value.targets
+
+  basic_auth = each.value.basic_auth
+  saml2      = each.value.saml2
+
+  sample_limit    = each.value.sample_limit
+  scheme          = each.value.scheme
+  scrape_interval = each.value.scrape_interval
+  scrape_timeout  = each.value.scrape_timeout
+}

observability/outputs.tf

@@ -0,0 +1,50 @@
+output "observability_id" {
+  description = "Observability instance ID"
+  value       = stackit_observability_instance.this.instance_id
+}
+
+output "observability_urls" {
+  description = "Key Observability URLs"
+  value = {
+    grafana   = stackit_observability_instance.this.grafana_url
+    dashboard = stackit_observability_instance.this.dashboard_url
+    metrics   = stackit_observability_instance.this.metrics_url
+    logs      = stackit_observability_instance.this.logs_url
+  }
+}
+
+output "observability_credentials" {
+  description = "List of credential objects (username & password)"
+  value = [
+    for cred in stackit_observability_credential.this :
+    {
+      username = cred.username
+      password = cred.password
+    }
+  ]
+  sensitive = true
+}
+
+output "observability_alertgroups" {
+  description = "Map of created alert-group IDs"
+  value = {
+    for key, alertgrp in stackit_observability_alertgroup.this :
+    key => alertgrp.id
+  }
+}
+
+output "observability_logalertgroups" {
+  description = "Map of created log-alert-group IDs"
+  value = {
+    for key, logalertgrp in stackit_observability_logalertgroup.this :
+    key => logalertgrp.id
+  }
+}
+
+output "observability_scrapeconfigs" {
+  description = "Map of created scrape-config IDs"
+  value = {
+    for key, sconfig in stackit_observability_scrapeconfig.this :
+    key => sconfig.id
+  }
+}

observability/providers.tf

@@ -1,10 +1,10 @@
 
 terraform {
+  required_version = ">= 1.9.0"
   required_providers {
     stackit = {
       source  = "stackitcloud/stackit"
-      version = ">= 0.54.0" # Diese Version passt zu Ihrer Anforderung
+      version = "0.56.0"
     }
   }
 }
-

observability/variables.tf

@@ -0,0 +1,118 @@
+variable "project_id" {
+  description = "STACKIT project ID"
+  type        = string
+}
+
+variable "name" {
+  description = "Observability instance name"
+  type        = string
+}
+
+variable "plan_name" {
+  description = "Observability plan name"
+  type        = string
+}
+
+variable "acl" {
+  description = "Allowed CIDR list"
+  type        = list(string)
+  default     = null
+}
+
+variable "metrics_retention_days" {
+  description = "Retention days raw metrics"
+  type        = number
+  default     = null
+}
+
+variable "metrics_retention_days_5m_downsampling" {
+  description = "Retention days 5m downsample"
+  type        = number
+  default     = null
+}
+
+variable "metrics_retention_days_1h_downsampling" {
+  description = "Retention days 1h downsample"
+  type        = number
+  default     = null
+}
+
+variable "alert_config" {
+  description = "Alertmanager config object"
+  type        = any
+  default     = null
+}
+
+variable "parameters" {
+  description = "Extra key/value parameters"
+  type        = map(string)
+  default     = null
+}
+
+variable "create_credentials" {
+  description = "Create credentials"
+  type        = bool
+  default     = true
+}
+
+variable "credentials_count" {
+  description = "Credential count when enabled"
+  type        = number
+  default     = 1
+}
+
+variable "alertgroups" {
+  description = "Map of alert-groups to create"
+  type = map(object({
+    name     = string
+    interval = optional(string)
+    rules = list(object({
+      alert       = string
+      expression  = string
+      for         = optional(string)
+      labels      = optional(map(string))
+      annotations = optional(map(string))
+    }))
+  }))
+  default = {}
+}
+
+variable "logalertgroups" {
+  description = "Map of log-alert-groups to create"
+  type = map(object({
+    name     = string
+    interval = optional(string)
+    rules = list(object({
+      alert       = string
+      expression  = string
+      for         = optional(string)
+      labels      = optional(map(string))
+      annotations = optional(map(string))
+    }))
+  }))
+  default = {}
+}
+
+variable "scrapeconfigs" {
+  description = "Map of scrape-configs to create"
+  type = map(object({
+    name         = string
+    metrics_path = string
+    targets = list(object({
+      urls   = list(string)
+      labels = optional(map(string))
+    }))
+    basic_auth = optional(object({
+      username = string
+      password = string
+    }))
+    saml2 = optional(object({
+      enable_url_parameters = optional(bool)
+    }))
+    sample_limit    = optional(number)
+    scheme          = optional(string)
+    scrape_interval = optional(string)
+    scrape_timeout  = optional(string)
+  }))
+  default = {}
+}

postgres/main.tf

@@ -0,0 +1,33 @@
+locals {
+  user_count = length(var.users)
+  db_count   = length(var.databases)
+}
+
+resource "stackit_postgresflex_instance" "this" {
+  project_id      = var.project_id
+  name            = var.name
+  version         = var.ver
+  flavor          = var.flavor
+  storage         = var.storage
+  replicas        = var.replicas
+  acl             = var.acl
+  backup_schedule = var.backup_schedule
+}
+
+resource "stackit_postgresflex_user" "user" {
+  count = local.user_count
+
+  project_id  = var.project_id
+  instance_id = stackit_postgresflex_instance.this.instance_id
+  username    = var.users[count.index].username
+  roles       = var.users[count.index].roles
+}
+
+resource "stackit_postgresflex_database" "db" {
+  count = local.db_count
+
+  project_id  = var.project_id
+  instance_id = stackit_postgresflex_instance.this.instance_id
+  name        = var.databases[count.index].name
+  owner       = var.databases[count.index].owner
+}

postgres/outputs.tf

@@ -0,0 +1,11 @@
+output "instance_id" {
+  value = stackit_postgresflex_instance.this.instance_id
+}
+
+output "user_ids" {
+  value = stackit_postgresflex_user.user[*].user_id
+}
+
+output "database_ids" {
+  value = stackit_postgresflex_database.db[*].database_id
+}

postgres/providers.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.9.0"
+  required_providers {
+    stackit = {
+      source  = "stackitcloud/stackit"
+      version = "0.56.0"
+    }
+  }
+}

postgres/variables.tf

@@ -0,0 +1,92 @@
+variable "project_id" {
+  description = "STACKIT project ID"
+  type        = string
+}
+
+variable "name" {
+  description = "Instance name (DNS-1035 compliant)"
+  type        = string
+
+  validation {
+    condition     = length(regexall("^[a-z]([-a-z0-9]*[a-z0-9])?$", var.name)) > 0
+    error_message = <<EOT
+      The name must be a valid DNS-1035 label:
+      - only lower-case letters, digits or '-'
+      - must start with a letter
+      - must end with a letter or digit
+      EOT
+  }
+}
+
+variable "ver" {
+  description = "PostgreSQL version"
+  type        = number
+}
+
+variable "flavor" {
+  description = "Compute flavor (cpu, ram GB)"
+  type = object({
+    cpu = number
+    ram = number
+  })
+}
+
+variable "storage" {
+  description = "Storage settings (class, size GB)"
+  type = object({
+    class = string
+    size  = number
+  })
+}
+
+variable "replicas" {
+  description = "Number of instance replicas"
+  type        = number
+}
+
+variable "acl" {
+  description = "Allowed CIDR list for instance access"
+  type        = list(string)
+}
+
+variable "backup_schedule" {
+  description = "Backup schedule string"
+  type        = string
+}
+
+variable "users" {
+  description = "Database users (username, roles)"
+  type = list(object({
+    username = string
+    roles    = set(string)
+  }))
+  default = []
+
+  validation {
+    condition = alltrue([