
Full Feature Parity in STACKIT Terraform Provider (Eliminate AWS and HashiCorp Vault Provider Dependency for Resource Configuration) #1098

@kdambiec

Description

Problem description

I'm frustrated that the stackit Terraform provider does not cover the full lifecycle of resources on STACKIT Cloud. In practice, this leads to situations where we have to mix providers—primarily the stackit provider to create resources and then the aws/HashiCorp Vault provider to configure essential features that should be first-class on STACKIT. Also, for creating and managing secrets we then have to use the HashiCorp Vault provider and cannot do this using the stackit Terraform provider.

Concrete example:
We can create an Object Storage bucket with the stackit provider, but to enable bucket versioning we must switch to the aws Terraform provider. This is an architectural anti-pattern for several reasons:

Provider split-brain & drift risk: Managing the same resource across two providers introduces state drift risk (e.g., one provider’s schema or lifecycle ignores changes made by the other). It becomes harder to reason about desired vs. actual state, especially during plan/apply and import/export operations.

Undocumented coupling: The dependency and mapping between stackit resources and AWS APIs is implicit and fragile. Changes on either side (API behavior, auth, endpoints, regional mappings) can break deployments without clear contracts in the stackit provider.

Security & compliance concerns: Credentials, endpoints, and policy models differ. Using AWS provider to control a STACKIT resource complicates IAM boundaries, audit trails, and compliance posture (e.g., who granted what, via which control plane).

Operational complexity: Module composition, provider configuration, and lifecycle hooks get more complex (e.g., depends_on across providers). Rollbacks, imports, and refactors are significantly harder.

User experience & portability: Terraform users expect a single provider to encapsulate the cloud’s capabilities. Requiring another provider erodes trust, increases onboarding friction, and blocks clean, portable modules targeting STACKIT.

Proposed solution

Expand the stackit Terraform provider to fully support core operations and configurations for STACKIT Cloud services—specifically, Object Storage bucket versioning (enable/disable, MFA delete where applicable, status queries), lifecycle rules, server-side encryption, access control methods, and relevant metadata/features, without requiring the AWS provider or HashiCorp Vault provider.

This implies:

  1. Add a versioning block (and related attributes) to the stackit_object_storage_bucket resource (or introduce a dedicated stackit_object_storage_bucket_versioning resource if modeling separation is preferred).
  2. Ensure read-modify consistency: terraform plan should detect and reconcile versioning state; importing existing buckets should bring their versioning state under stackit control.
  3. Provide parity with commonly expected Object Storage features (lifecycle, SSE/KMS, public access blocks, policies) within the stackit provider, or document exact coverage and roadmap.
  4. Align error handling and diagnostics with Terraform UX (clear diffs, actionable messages).

terraform {
  required_version = ">= 1.6.0"
  required_providers {
    stackit = {
      source  = "stackitcloud/stackit"
      version = ">= 0.XX.0"
    }
    # NOTE: No aws provider required in the proposed solution.
  }
}

provider "stackit" {
  # Authentication via STACKIT mechanisms (token/credentials)
  # Example:
  # token = var.stackit_token
  # endpoint = var.stackit_api_endpoint
}

# Proposed: versioning supported directly in bucket resource
resource "stackit_object_storage_bucket" "logs" {
  name     = "my-logs-bucket"
  project  = var.project_id
  region   = var.region

  versioning {
    enabled     = true
    # If applicable in STACKIT’s model:
    # mfa_delete  = false
  }

  # Optional future-parity blocks:
  # encryption { kms_key_id = var.kms_key_id }
  # lifecycle_rule {
  #   id      = "expire-old-versions"
  #   status  = "Enabled"
  #   noncurrent_version_expiration {
  #     days = 90
  #   }
  # }
  # public_access_block {
  #   block_public_acls       = true
  #   block_public_policy     = true
  #   ignore_public_acls      = true
  #   restrict_public_buckets = true
  # }
}

output "bucket_name" {
  value = stackit_object_storage_bucket.logs.name
}
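As an added illustration of the provider split this issue describes (it is not part of the issue author's text and not code from the STACKIT or AWS provider projects), the following places the current two-provider workaround next to the proposed single-provider form. The stackit resource and its versioning block follow the issue's proposal and are hypothetical; var.stackit_s3_endpoint, the S3 credential variables and the region value are assumed inputs. The provider "aws" arguments shown are the real ones for pointing the aws provider at a non-AWS, S3-compatible endpoint, and aws_s3_bucket_versioning is a real resource of that provider.

```hcl
# Added example, not from the issue or either provider project.
# stackit_object_storage_bucket and its versioning block are the issue's
# proposed (hypothetical) schema; the variables below are assumed inputs.

variable "project_id" {}
variable "region" {}
variable "stackit_s3_endpoint" {
  description = "Assumed: S3-compatible endpoint of STACKIT Object Storage"
}
variable "stackit_s3_access_key" { sensitive = true }
variable "stackit_s3_secret_key" { sensitive = true }

# --- Current workaround: two providers, two credential sets, one bucket ---

provider "aws" {
  # Each skip_* flag disables a check the aws provider would otherwise run
  # against AWS itself. These settings are what the workaround needs to talk
  # to a foreign S3-compatible endpoint at all.
  region                      = var.region
  access_key                  = var.stackit_s3_access_key # not the STACKIT token
  secret_key                  = var.stackit_s3_secret_key
  skip_credentials_validation = true
  skip_region_validation      = true
  skip_requesting_account_id  = true
  skip_metadata_api_check     = true
  s3_use_path_style           = true
  endpoints {
    s3 = var.stackit_s3_endpoint
  }
}

resource "stackit_object_storage_bucket" "logs_split" {
  name    = "my-logs-bucket-split"
  project = var.project_id
  region  = var.region
}

# Versioning state is owned by a second provider. The only link to the
# bucket above is the name string; the stackit provider never reads the
# versioning status during plan, so drift there is invisible to it.
resource "aws_s3_bucket_versioning" "logs_split" {
  bucket = stackit_object_storage_bucket.logs_split.name
  versioning_configuration {
    status = "Enabled"
  }
}

# --- Proposed: one provider owns the whole resource ---

resource "stackit_object_storage_bucket" "logs" {
  name    = "my-logs-bucket"
  project = var.project_id
  region  = var.region

  versioning {
    enabled = true
  }
}
```

In the workaround, the aws provider holds its own access key and secret key, so a second credential set has to be issued, rotated and audited next to the STACKIT service account used by the stackit provider. If the bucket is removed and recreated outside the stackit provider's view, only a refresh of the aws_s3_bucket_versioning resource (for example with terraform plan -refresh-only) reveals that versioning is no longer enabled; the bucket resource itself shows no diff.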

Labels: enhancement (New feature or request)