feat(terraform): support for remote terraform state, introduce managed redis and secrets manager #274

Merged
a-klos merged 1 commit into main from codex/terraform-playback on Feb 16, 2026

a-klos commented Feb 16, 2026

This pull request introduces several major improvements and new resources to the Terraform infrastructure codebase, focusing on enhanced state management, expanded cloud resource provisioning, and improved secrets handling. The changes add support for remote Terraform state via S3-compatible object storage, automate backend bootstrapping, and introduce managed Redis and Secrets Manager resources. Additional updates improve cluster configuration and documentation.

Terraform State Management & Automation:

  • Added support for using an S3-compatible backend for Terraform state, including a new tfstate object storage bucket, output wiring, and documentation on state management. A helper script (init-backend.sh) was introduced to automate backend initialization and migration, generating a .backend.hcl file with the necessary credentials and configuration. ([[1]](https://github.com/stackitcloud/rag-template/pull/274/files#diff-40e942f521b179f4b67af29e0186e895becd783b1d994f74afdaa204a4007eafR1-R16), [[2]](https://github.com/stackitcloud/rag-template/pull/274/files#diff-40e942f521b179f4b67af29e0186e895becd783b1d994f74afdaa204a4007eafL33-R44), [[3]](https://github.com/stackitcloud/rag-template/pull/274/files#diff-951d6ab4b0142466865bc9a073ac82641fd19b6fa1267f65e82d5b827922eaecR95-R157), [[4]](https://github.com/stackitcloud/rag-template/pull/274/files#diff-be3ec119082ecec13a5ec2e74162fd5d059cb933742745167663003e8f5ccd55R1-R66), [[5]](https://github.com/stackitcloud/rag-template/pull/274/files#diff-b56e9e8eb752928fb506809cc8881dfda6490b1ea830ac6cc0024e37f543c572R2), [[6]](https://github.com/stackitcloud/rag-template/pull/274/files#diff-2cfe3e1ceb805f812736573a76b766c3cb8da0ea0ac4931d15bb75dc566a846aL4-R5))
  • Updated .gitignore to exclude backend configuration and kubeconfig files from version control. ([infrastructure/.gitignoreL4-R5](https://github.com/stackitcloud/rag-template/pull/274/files#diff-2cfe3e1ceb805f812736573a76b766c3cb8da0ea0ac4931d15bb75dc566a846aL4-R5))

New Cloud Resources:

  • Added managed Redis provisioning, including instance and credential resources, and corresponding input variables for version and plan selection. ([[1]](https://github.com/stackitcloud/rag-template/pull/274/files#diff-f116a20752cd128cc4f5a85ea3b01e4acbf9fabbfdcdd04dfc9901e3def7b326R1-R18), [[2]](https://github.com/stackitcloud/rag-template/pull/274/files#diff-9772d64123f334ac306e54c19018864cc1451e7e4fe5f14658783372750250f1L39-R63))
  • Added support for STACKIT Secrets Manager, provisioning an instance and user, with outputs for integration. ([[1]](https://github.com/stackitcloud/rag-template/pull/274/files#diff-800eb980bf14a2c09d182f500ef8cb884eeb18ebe50eadb0b682463c61ba2f58R1-R24), [[2]](https://github.com/stackitcloud/rag-template/pull/274/files#diff-9772d64123f334ac306e54c19018864cc1451e7e4fe5f14658783372750250f1L39-R63))
  • Added a model serving token resource and output for AI Model Serving API integration. ([infrastructure/terraform/model_serving.tfR1-R12](https://github.com/stackitcloud/rag-template/pull/274/files#diff-12cf4786858eaf9635d3e45f439444fc5e956e3fb7407b09cf512cad83d2bda5R1-R12))

Secrets Management & Seeding:

  • Introduced a new seed-secrets Terraform module with documentation, example variables, and configuration to seed the Secrets Manager with required secrets for External Secrets integration. ([[1]](https://github.com/stackitcloud/rag-template/pull/274/files#diff-b0300cdd94aa57163b0041cb50ea4990acb4bb8a351079693c26ee64d61fcd72R1-R31), [[2]](https://github.com/stackitcloud/rag-template/pull/274/files#diff-cb4b240b14f3d9aa644d4260872c9586f77d824aa8f36b910503942f028c1d88R1-R26), [[3]](https://github.com/stackitcloud/rag-template/pull/274/files#diff-d201981cfa7cef09bee51e1359d030e8fa78f73164e37a306c378c9d6f2d3eb8R1-R29), [[4]](https://github.com/stackitcloud/rag-template/pull/274/files#diff-2bf98bb86073642173af57afd63a434d44fa3ce87d6ef61916be35585a0ab94fR1-R39))

Cluster & Networking Enhancements:

  • Upgraded the Kubernetes cluster minimum version and improved node pool specs (larger machine type and disk). Added automatic kubeconfig generation and output, including writing to kubeconfig.yaml. ([[1]](https://github.com/stackitcloud/rag-template/pull/274/files#diff-60c4ff86f01efedc7e7e4e8c1cee2e772e458b6b71f9980b342196216bbc0a8dL4-R15), [[2]](https://github.com/stackitcloud/rag-template/pull/274/files#diff-60c4ff86f01efedc7e7e4e8c1cee2e772e458b6b71f9980b342196216bbc0a8dR31-R56))
  • Improved DNS zone resource configuration with contact email and explicit type. ([infrastructure/terraform/dns.tfR5-R6](https://github.com/stackitcloud/rag-template/pull/274/files#diff-1c935b36cdab82f9bdd925fecea18d7225ec865f99937585f4897155bd9935f9R5-R6))

Other Improvements:

  • Updated variable descriptions for clarity and adjusted the default deployment timestamp for resource naming. ([[1]](https://github.com/stackitcloud/rag-template/pull/274/files#diff-9772d64123f334ac306e54c19018864cc1451e7e4fe5f14658783372750250f1L7-R7), [[2]](https://github.com/stackitcloud/rag-template/pull/274/files#diff-9772d64123f334ac306e54c19018864cc1451e7e4fe5f14658783372750250f1L39-R63))

Most important changes:

Terraform State Management & Automation

  • Added S3-compatible backend support for Terraform state, including a dedicated tfstate bucket, outputs, and documentation. Introduced the init-backend.sh script for automated backend setup and state migration, generating .backend.hcl for credentials/config. ([[1]](https://github.com/stackitcloud/rag-template/pull/274/files#diff-40e942f521b179f4b67af29e0186e895becd783b1d994f74afdaa204a4007eafR1-R16), [[2]](https://github.com/stackitcloud/rag-template/pull/274/files#diff-40e942f521b179f4b67af29e0186e895becd783b1d994f74afdaa204a4007eafL33-R44), [[3]](https://github.com/stackitcloud/rag-template/pull/274/files#diff-951d6ab4b0142466865bc9a073ac82641fd19b6fa1267f65e82d5b827922eaecR95-R157), [[4]](https://github.com/stackitcloud/rag-template/pull/274/files#diff-be3ec119082ecec13a5ec2e74162fd5d059cb933742745167663003e8f5ccd55R1-R66), [[5]](https://github.com/stackitcloud/rag-template/pull/274/files#diff-b56e9e8eb752928fb506809cc8881dfda6490b1ea830ac6cc0024e37f543c572R2), [[6]](https://github.com/stackitcloud/rag-template/pull/274/files#diff-2cfe3e1ceb805f812736573a76b766c3cb8da0ea0ac4931d15bb75dc566a846aL4-R5))

New Cloud Resources

  • Added managed Redis instance and credential resources, with configurable version and plan variables. ([[1]](https://github.com/stackitcloud/rag-template/pull/274/files#diff-f116a20752cd128cc4f5a85ea3b01e4acbf9fabbfdcdd04dfc9901e3def7b326R1-R18), [[2]](https://github.com/stackitcloud/rag-template/pull/274/files#diff-9772d64123f334ac306e54c19018864cc1451e7e4fe5f14658783372750250f1L39-R63))
  • Added STACKIT Secrets Manager instance and user resources, with outputs for integration. ([[1]](https://github.com/stackitcloud/rag-template/pull/274/files#diff-800eb980bf14a2c09d182f500ef8cb884eeb18ebe50eadb0b682463c61ba2f58R1-R24), [[2]](https://github.com/stackitcloud/rag-template/pull/274/files#diff-9772d64123f334ac306e54c19018864cc1451e7e4fe5f14658783372750250f1L39-R63))
  • Added model serving token resource and output for AI Model Serving API. ([infrastructure/terraform/model_serving.tfR1-R12](https://github.com/stackitcloud/rag-template/pull/274/files#diff-12cf4786858eaf9635d3e45f439444fc5e956e3fb7407b09cf512cad83d2bda5R1-R12))

Secrets Management & Seeding

  • Introduced the seed-secrets module for seeding Secrets Manager with required secrets, including documentation, example variables, and configuration for External Secrets. ([[1]](https://github.com/stackitcloud/rag-template/pull/274/files#diff-b0300cdd94aa57163b0041cb50ea4990acb4bb8a351079693c26ee64d61fcd72R1-R31), [[2]](https://github.com/stackitcloud/rag-template/pull/274/files#diff-cb4b240b14f3d9aa644d4260872c9586f77d824aa8f36b910503942f028c1d88R1-R26), [[3]](https://github.com/stackitcloud/rag-template/pull/274/files#diff-d201981cfa7cef09bee51e1359d030e8fa78f73164e37a306c378c9d6f2d3eb8R1-R29), [[4]](https://github.com/stackitcloud/rag-template/pull/274/files#diff-2bf98bb86073642173af57afd63a434d44fa3ce87d6ef61916be35585a0ab94fR1-R39))

Cluster & Networking Enhancements

  • Upgraded Kubernetes cluster version and node pool specs, and added automated kubeconfig generation/output to kubeconfig.yaml. ([[1]](https://github.com/stackitcloud/rag-template/pull/274/files#diff-60c4ff86f01efedc7e7e4e8c1cee2e772e458b6b71f9980b342196216bbc0a8dL4-R15), [[2]](https://github.com/stackitcloud/rag-template/pull/274/files#diff-60c4ff86f01efedc7e7e4e8c1cee2e772e458b6b71f9980b342196216bbc0a8dR31-R56))
  • Improved DNS zone resource with contact email and explicit type. ([infrastructure/terraform/dns.tfR5-R6](https://github.com/stackitcloud/rag-template/pull/274/files#diff-1c935b36cdab82f9bdd925fecea18d7225ec865f99937585f4897155bd9935f9R5-R6))

a-klos added this pull request to the merge queue Feb 16, 2026
Merged via the queue into main with commit 1262308 Feb 16, 2026
7 checks passed
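
The description above says init-backend.sh writes credentials into .backend.hcl, that a kubeconfig.yaml is written to disk, and that .gitignore excludes both. As an added example (not code from this pull request), a pre-commit or CI check that every copy of those files is untracked, git-ignored and not readable by group or others; searching the whole working tree for the two file names is an assumption.

```shell
#!/bin/sh
# Added example, not part of the pull request.
# File names come from the PR description; where they live in the tree is assumed.
SECRET_FILES=".backend.hcl kubeconfig.yaml"

# audit_secret_files <repo-dir>
# Prints one finding per line: TRACKED, NOT_IGNORED or LOOSE_PERMS plus the path.
# Prints nothing when every secret-bearing file is handled safely.
audit_secret_files() {
    repo=$1
    for name in $SECRET_FILES; do
        # Find every copy in the working tree, skipping git's own metadata.
        ( cd "$repo" && find . -name .git -prune -o -type f -name "$name" -print ) |
        while IFS= read -r path; do
            path=${path#./}
            if git -C "$repo" ls-files --error-unmatch -- "$path" >/dev/null 2>&1; then
                # Already in the index: .gitignore no longer protects it.
                echo "TRACKED $path"
            elif ! git -C "$repo" check-ignore -q -- "$path"; then
                # Untracked but not matched by any ignore rule: one `git add .` away.
                echo "NOT_IGNORED $path"
            fi
            # Characters 5-10 of the mode string are the group and other bits.
            perms=$(ls -ld "$repo/$path" | cut -c5-10)
            [ "$perms" = "------" ] || echo "LOOSE_PERMS $path"
        done
    done
}

# Stand-alone use: ./audit.sh <repo-dir> exits 1 when anything is reported.
if [ "$#" -gt 0 ]; then
    report=$(audit_secret_files "$1")
    if [ -n "$report" ]; then
        echo "$report"
        exit 1
    fi
fi
```

A TRACKED finding also means the credential is in history and needs rotating, not just removing from the index.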