Merge remote-tracking branch 'intive/main' into fix/idempotent-lifecycle-ops

Author: DominikPildner

.github/workflows/release.yaml

@@ -27,7 +27,7 @@ jobs:
           go-version-file: "go.mod"
           cache: true
       - name: Import GPG key
-        uses: crazy-max/ghaction-import-gpg@v6
+        uses: crazy-max/ghaction-import-gpg@v7
         id: import_gpg
         with:
           gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}

docs/data-sources/network.md

@@ -47,8 +47,6 @@ data "stackit_network" "example" {
 - `ipv6_prefixes` (List of String) The IPv6 prefixes of the network.
 - `labels` (Map of String) Labels are key-value string pairs which can be attached to a resource container
 - `name` (String) The name of the network.
-- `nameservers` (List of String, Deprecated) The nameservers of the network. This field is deprecated and will be removed soon, use `ipv4_nameservers` to configure the nameservers for IPv4.
-- `prefixes` (List of String, Deprecated) The prefixes of the network. This field is deprecated and will be removed soon, use `ipv4_prefixes` to read the prefixes of the IPv4 networks.
 - `public_ip` (String) The public IP of the network.
 - `routed` (Boolean) Shows if the network is routed and therefore accessible from other networks.
 - `routing_table_id` (String) The ID of the routing table associated with the network.

docs/data-sources/ske_cluster.md

@@ -117,8 +117,17 @@ Read-Only:
 
 Read-Only:
 
+- `control_plane` (Attributes) Control plane for the cluster. (see [below for nested schema](#nestedatt--network--control_plane))
 - `id` (String) ID of the STACKIT Network Area (SNA) network into which the cluster will be deployed.
 
+<a id="nestedatt--network--control_plane"></a>
+### Nested Schema for `network.control_plane`
+
+Read-Only:
+
+- `access_scope` (String) Access scope of the control plane. It defines if the Kubernetes control plane is public or only available inside a STACKIT Network Area.Possible values are: `PUBLIC`, `SNA`. The field is immutable!
+
+
 
 <a id="nestedatt--node_pools"></a>
 ### Nested Schema for `node_pools`

docs/guides/setting_up_encrypted_volumes_for_ske.md

@@ -0,0 +1,187 @@
+---
+page_title: "Setting up Encrypted Volumes for STACKIT Kubernetes Engine (SKE)"
+---
+
+# Setting up Encrypted Volumes for STACKIT Kubernetes Engine (SKE)
+
+~> This guide assumes that your project or organization has been enabled for a preview version of the STACKIT CSI Driver. If you wish to use encrypted volumes, please contact your account manager.
+
+## Overview
+
+This guide demonstrates how to roll out an encrypted storage class for SKE using the STACKIT Key Management Service (KMS). To achieve this, we use a **Service Account Impersonation** (Act-As) pattern. This allows the internal SKE service account to perform encryption and decryption tasks on behalf of a user-managed service account that has been granted access to your KMS keys.
+
+## Steps
+
+### 1. Configure the SKE Cluster
+
+Create a standard SKE cluster. We also generate a kubeconfig dynamically to allow the `kubernetes` provider to interact with the cluster within the same Terraform execution.
+
+```hcl
+resource "stackit_ske_cluster" "default" {
+  project_id             = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  name                   = "ske-enc-vol"
+  kubernetes_version_min = "1.33"
+
+  node_pools = [{
+    name               = "standard"
+    machine_type       = "c2i.4"
+    minimum            = 1
+    maximum            = 3
+    availability_zones = ["eu01-1"]
+    os_name            = "flatcar"
+    volume_size        = 32
+  }]
+}
+
+resource "stackit_ske_kubeconfig" "default" {
+  project_id   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  cluster_name = stackit_ske_cluster.default.name
+  refresh      = true
+}
+```
+
+
+### 2. Identify the Internal SKE Service Account
+
+Each STACKIT project with a SKE Cluster deployed has a dedicated, internal service account used by SKE. We need to look this up to grant it permissions in a later step.
+
+```hcl
+data "stackit_service_accounts" "ske_internal" {
+  project_id   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  email_suffix = "@ske.sa.stackit.cloud"
+
+  depends_on = [stackit_ske_cluster.default]
+}
+```
+
+### 3. Setup KMS Infrastructure
+
+Define the Keyring and the specific Key that will be used to encrypt the block storage volumes.
+
+```hcl
+resource "stackit_kms_keyring" "encryption" {
+  project_id   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  display_name = "ske-volume-keyring"
+}
+
+resource "stackit_kms_key" "volume_key" {
+  project_id   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  keyring_id   = stackit_kms_keyring.encryption.keyring_id
+  display_name = "volume-encryption-key"
+  protection   = "software"
+  algorithm    = "aes_256_gcm"
+  purpose      = "symmetric_encrypt_decrypt"
+}
+```
+
+### 4. Configure Identity and Permissions (Act-As)
+
+This is the most critical part of the setup. We create a **manager** service account that holds the KMS permissions, and then authorize the SKE internal service account to **Act-As** (impersonate) that manager.
+
+```hcl
+# Create the service account that 'owns' the KMS access
+resource "stackit_service_account" "kms_manager" {
+  project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  name       = "volume-encryptor"
+}
+
+# Grant the 'kms.admin' role to the manager service-account
+resource "stackit_authorization_project_role_assignment" "kms_user" {
+  // in this case the STACKIT project_id
+  resource_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  role        = "kms.admin"
+  subject     = stackit_service_account.kms_manager.email
+}
+
+# Authorize the internal SKE account to impersonate the kms manager service-account (Act-As)
+resource "stackit_authorization_service_account_role_assignment" "ske_impersonation" {
+  resource_id = stackit_service_account.kms_manager.service_account_id
+  role        = "user"
+  subject     = data.stackit_service_accounts.ske_internal.items[0].email
+}
+```
+
+### 5. Create the Encrypted Storage Class in Kubernetes
+
+Define the `kubernetes_storage_class`. We pass the IDs of the KMS resources and the email of our manager service account into the parameters.
+
+```hcl
+resource "kubernetes_storage_class_v1" "encrypted_premium" {
+  metadata {
+    name = "stackit-encrypted-premium"
+  }
+
+  storage_provisioner    = "block-storage.csi.stackit.cloud"
+  reclaim_policy         = "Delete"
+  allow_volume_expansion = true
+  volume_binding_mode    = "WaitForFirstConsumer"
+
+  parameters = {
+    type              = "storage_premium_perf6"
+    encrypted         = "true"
+    kmsKeyID          = stackit_kms_key.volume_key.key_id
+    kmsKeyringID      = stackit_kms_keyring.encryption.keyring_id
+    kmsProjectID      = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+    kmsKeyVersion     = "1"
+    kmsServiceAccount = stackit_service_account.kms_manager.email
+  }
+
+  depends_on = [
+    stackit_authorization_service_account_role_assignment.ske_impersonation,
+    stackit_authorization_project_role_assignment.kms_user
+  ]
+}
+```
+
+### 6. Verify with a Persistent Volume Claim (PVC)
+
+You can now create a PVC using the new storage class. When a pod claims this volume, the STACKIT CSI driver will automatically use the KMS key to provide an encrypted volume.
+
+```hcl
+resource "kubernetes_persistent_volume_claim_v1" "test_pvc" {
+  metadata {
+    name = "test-encryption-pvc"
+  }
+
+  spec {
+    access_modes = ["ReadWriteOnce"]
+
+    resources {
+      requests = {
+        storage = "10Gi"
+      }
+    }
+
+    storage_class_name = kubernetes_storage_class_v1.encrypted_premium.metadata[0].name
+  }
+}
+```
+
+### 7. Create a Pod to Consume the Volume
+
+```hcl
+resource "kubernetes_pod_v1" "test_app" {
+  metadata {
+    name = "encrypted-volume-test"
+  }
+
+  spec {
+    container {
+      image = "nginx:latest"
+      name  = "web-server"
+
+      volume_mount {
+        mount_path = "/usr/share/nginx/html"
+        name       = "data-volume"
+      }
+    }
+
+    volume {
+      name = "data-volume"
+      persistent_volume_claim {
+        claim_name = "test-encryption-pvc"
+      }
+    }
+  }
+}
+```

docs/resources/authorization_folder_role_assignment.md

@@ -41,9 +41,9 @@ import {
 
 ### Required
 
-- `resource_id` (String) folder Resource to assign the role to.
+- `resource_id` (String) Folder Resource to assign the role to.
 - `role` (String) Role to be assigned. Available roles can be queried using stackit-cli: `stackit curl https://authorization.api.stackit.cloud/v2/permissions`
-- `subject` (String) Identifier of user, service account or client. Usually email address or name in case of clients
+- `subject` (String) Identifier of user, service account or client. Usually email address or name in case of clients. All letters must be lowercased.
 
 ### Read-Only
 

docs/resources/authorization_organization_role_assignment.md

@@ -34,9 +34,9 @@ import {
 
 ### Required
 
-- `resource_id` (String) organization Resource to assign the role to.
+- `resource_id` (String) Organization Resource to assign the role to.
 - `role` (String) Role to be assigned. Available roles can be queried using stackit-cli: `stackit curl https://authorization.api.stackit.cloud/v2/permissions`
-- `subject` (String) Identifier of user, service account or client. Usually email address or name in case of clients
+- `subject` (String) Identifier of user, service account or client. Usually email address or name in case of clients. All letters must be lowercased.
 
 ### Read-Only
 

docs/resources/authorization_project_role_assignment.md

@@ -41,9 +41,9 @@ import {
 
 ### Required
 
-- `resource_id` (String) project Resource to assign the role to.
+- `resource_id` (String) Project Resource to assign the role to.
 - `role` (String) Role to be assigned. Available roles can be queried using stackit-cli: `stackit curl https://authorization.api.stackit.cloud/v2/permissions`
-- `subject` (String) Identifier of user, service account or client. Usually email address or name in case of clients
+- `subject` (String) Identifier of user, service account or client. Usually email address or name in case of clients. All letters must be lowercased.
 
 ### Read-Only
 

docs/resources/authorization_service_account_role_assignment.md

@@ -0,0 +1,64 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stackit_authorization_service_account_role_assignment Resource - stackit"
+subcategory: ""
+description: |-
+  Service-account Role Assignment resource schema.
+  ~> Important: Use this resource to grant 'Act-As' permissions. This allows a service-account (the subject) to impersonate the target Service Account. A common example is authorizing the SKE Service Account to act as a project-specific Service Account to access APIs.
+  ~> This resource is part of the iam experiment and is likely going to undergo significant changes or be removed in the future. Use it at your own discretion.
+---
+
+# stackit_authorization_service_account_role_assignment (Resource)
+
+Service-account Role Assignment resource schema.
+
+~> **Important:** Use this resource to grant 'Act-As' permissions. This allows a service-account (the `subject`) to impersonate the target Service Account. A common example is authorizing the SKE Service Account to act as a project-specific Service Account to access APIs.
+
+~> This resource is part of the iam experiment and is likely going to undergo significant changes or be removed in the future. Use it at your own discretion.
+
+## Example Usage
+
+```terraform
+data "stackit_service_accounts" "ske_sa_suffix" {
+  project_id   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  email_suffix = "@ske.sa.stackit.cloud"
+}
+
+resource "stackit_service_account" "iam" {
+  project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  name       = "kms"
+}
+
+resource "stackit_authorization_project_role_assignment" "pr_sa" {
+  resource_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  role        = "kms.admin"
+  subject     = stackit_service_account.iam.email
+}
+
+// Assign the Act-As permissions to the previously created ServiceAccount.
+// The SKE ServiceAccount is now authorized to access KMS upon the behalf of stackit_service_account.iam
+resource "stackit_authorization_service_account_role_assignment" "sa" {
+  resource_id = stackit_service_account.iam.service_account_id
+  role        = "user"
+  subject     = data.stackit_service_accounts.ske_sa_suffix.items.0.email
+}
+
+# Only use the import statement, if you want to import an existing service account assignment
+import {
+  to = stackit_authorization_service_account_assignment.sa
+  id = "${var.resource_id},${var.service_account_assignment_role},${var.service_account_assignment_subject}"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `resource_id` (String) Service-account Resource to assign the role to.
+- `role` (String) Role to be assigned. Available roles can be queried using stackit-cli: `stackit curl https://authorization.api.stackit.cloud/v2/permissions`
+- `subject` (String) Identifier of user, service account or client. Usually email address or name in case of clients. All letters must be lowercased.
+
+### Read-Only
+
+- `id` (String) Terraform's internal resource identifier. It is structured as "`resource_id`,`role`,`subject`".

docs/resources/network.md

@@ -4,15 +4,15 @@ page_title: "stackit_network Resource - stackit"
 subcategory: ""
 description: |-
   Network resource schema. Must have a region specified in the provider configuration.
-  ~> Behavior of not configured ipv4_nameservers will change from January 2026. When ipv4_nameservers is not set, it will be set to the network area's default_nameservers.
+  ~> Behavior of not configured ipv4_nameservers has changed. When ipv4_nameservers is not set, it will be set to the network area's default_nameservers.
   To prevent any nameserver configuration, the ipv4_nameservers attribute should be explicitly set to an empty list [].
   In cases where ipv4_nameservers are defined within the resource, the existing behavior will remain unchanged.
 ---
 
 # stackit_network (Resource)
 
 Network resource schema. Must have a `region` specified in the provider configuration.
-~> Behavior of not configured `ipv4_nameservers` will change from January 2026. When `ipv4_nameservers` is not set, it will be set to the network area's `default_nameservers`.
+~> Behavior of not configured `ipv4_nameservers` has changed. When `ipv4_nameservers` is not set, it will be set to the network area's `default_nameservers`.
 To prevent any nameserver configuration, the `ipv4_nameservers` attribute should be explicitly set to an empty list `[]`.
 In cases where `ipv4_nameservers` are defined within the resource, the existing behavior will remain unchanged.
 
@@ -66,15 +66,14 @@ import {
 
 - `dhcp` (Boolean) If the network has DHCP enabled. Default value is `true`.
 - `ipv4_gateway` (String) The IPv4 gateway of a network. If not specified, the first IP of the network will be assigned as the gateway.
-- `ipv4_nameservers` (List of String) The IPv4 nameservers of the network.
+- `ipv4_nameservers` (List of String) The IPv4 nameservers of the network. If not specified on creation, it will be set with the default nameservers from the network area. If not specified on update, it will remain unchanged.
 - `ipv4_prefix` (String) The IPv4 prefix of the network (CIDR).
 - `ipv4_prefix_length` (Number) The IPv4 prefix length of the network.
 - `ipv6_gateway` (String) The IPv6 gateway of a network. If not specified, the first IP of the network will be assigned as the gateway.
 - `ipv6_nameservers` (List of String) The IPv6 nameservers of the network.
 - `ipv6_prefix` (String) The IPv6 prefix of the network (CIDR).
 - `ipv6_prefix_length` (Number) The IPv6 prefix length of the network.
 - `labels` (Map of String) Labels are key-value string pairs which can be attached to a resource container
-- `nameservers` (List of String, Deprecated) The nameservers of the network. This field is deprecated and will be removed in January 2026, use `ipv4_nameservers` to configure the nameservers for IPv4.
 - `no_ipv4_gateway` (Boolean) If set to `true`, the network doesn't have a gateway.
 - `no_ipv6_gateway` (Boolean) If set to `true`, the network doesn't have a gateway.
 - `region` (String) The resource region. If not defined, the provider region is used.
@@ -87,5 +86,4 @@ import {
 - `ipv4_prefixes` (List of String) The IPv4 prefixes of the network.
 - `ipv6_prefixes` (List of String) The IPv6 prefixes of the network.
 - `network_id` (String) The network ID.
-- `prefixes` (List of String, Deprecated) The prefixes of the network. This field is deprecated and will be removed in January 2026, use `ipv4_prefixes` to read the prefixes of the IPv4 networks.
 - `public_ip` (String) The public IP of the network.

docs/resources/ske_cluster.md

@@ -39,6 +39,11 @@ resource "stackit_ske_cluster" "example" {
     start                                = "01:00:00Z"
     end                                  = "02:00:00Z"
   }
+  network = {
+    control_plane = {
+      access_scope = "PUBLIC"
+    }
+  }
 }
 
 # Only use the import statement, if you want to import an existing ske cluster
@@ -204,4 +209,12 @@ Optional:
 
 Optional:
 
+- `control_plane` (Attributes) Control plane for the cluster. (see [below for nested schema](#nestedatt--network--control_plane))
 - `id` (String) ID of the STACKIT Network Area (SNA) network into which the cluster will be deployed.
+
+<a id="nestedatt--network--control_plane"></a>
+### Nested Schema for `network.control_plane`
+
+Optional:
+
+- `access_scope` (String) Access scope of the control plane. It defines if the Kubernetes control plane is public or only available inside a STACKIT Network Area.Possible values are: `PUBLIC`, `SNA`. The field is immutable!