From 9a1058a920b8bc6bc575709dc9e47fbd46ee6f53 Mon Sep 17 00:00:00 2001
From: Florian Nowarre <fnowarre@meshcloud.io>
Date: Thu, 27 Feb 2025 10:49:19 +0100
Subject: [PATCH] chore: adding stackit to collie-hub

chore: adding stackit to collie-hub

chore: adding stackit to collie-hub

chore: adding stackit to collie-hub
---
 kit/stackit/bootstrap/README.md               |  61 ++++++
 kit/stackit/bootstrap/documentation.tf        |  14 ++
 kit/stackit/bootstrap/main.tf                 |  76 +++++++
 kit/stackit/bootstrap/outputs.tf              |   0
 kit/stackit/bootstrap/variables.tf            |  32 +++
 kit/stackit/bootstrap/versions.tf             |  12 ++
 .../projects/buildingblock/README.md          |  72 +++++++
 .../projects/buildingblock/main.tf            | 191 ++++++++++++++++++
 .../projects/buildingblock/outputs.tf         |   7 +
 .../buildingblock/projects.tftest.hcl         |  43 ++++
 .../projects/buildingblock/variables.tf       |  51 +++++
 .../projects/buildingblock/versions.tf        |  38 ++++
 12 files changed, 597 insertions(+)
 create mode 100644 kit/stackit/bootstrap/README.md
 create mode 100644 kit/stackit/bootstrap/documentation.tf
 create mode 100644 kit/stackit/bootstrap/main.tf
 create mode 100644 kit/stackit/bootstrap/outputs.tf
 create mode 100644 kit/stackit/bootstrap/variables.tf
 create mode 100644 kit/stackit/bootstrap/versions.tf
 create mode 100644 kit/stackit/buildingblocks/projects/buildingblock/README.md
 create mode 100644 kit/stackit/buildingblocks/projects/buildingblock/main.tf
 create mode 100644 kit/stackit/buildingblocks/projects/buildingblock/outputs.tf
 create mode 100644 kit/stackit/buildingblocks/projects/buildingblock/projects.tftest.hcl
 create mode 100644 kit/stackit/buildingblocks/projects/buildingblock/variables.tf
 create mode 100644 kit/stackit/buildingblocks/projects/buildingblock/versions.tf

diff --git a/kit/stackit/bootstrap/README.md b/kit/stackit/bootstrap/README.md
new file mode 100644
index 00000000..64f60603
--- /dev/null
+++ b/kit/stackit/bootstrap/README.md
@@ -0,0 +1,61 @@
+# STACKIT Cloud Custom Platform
+
+## Overview
+This Terraform project enables seamless self-service provisioning and management of STACKIT Projects for development teams. The platform is based on the STACKIT Cloud and is designed to provide a secure and compliant environment for development teams to deploy and manage their applications.
+
+## Documentation
+For more information, check our [Guide for STACKIT](/likvid-cloudfoundation/meshstack/guides/guide_stackit.html).
+
+## Usage
+1. Initialize the Terraform configuration:
+   ```sh
+   terraform init
+   ```
+2. Apply the Terraform configuration:
+   ```sh
+   terraform apply
+   ```
+
+## Requirements
+- Terraform 0.12 or later
+- STACKIT Cloud account
+
+## Providers
+- `stackitcloud/stackit` version `0.37.1`
+- `hashicorp/null` version `3.2.2`
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_null"></a> [null](#requirement\_null) | 3.2.2 |
+| <a name="requirement_stackit"></a> [stackit](#requirement\_stackit) | 0.37.1 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [null_resource.platform_admin](https://registry.terraform.io/providers/hashicorp/null/3.2.2/docs/resources/resource) | resource |
+| [null_resource.platform_users](https://registry.terraform.io/providers/hashicorp/null/3.2.2/docs/resources/resource) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_api_url"></a> [api\_url](#input\_api\_url) | Base API URL | `string` | `"https://authorization.api.stackit.cloud"` | no |
+| <a name="input_organization_id"></a> [organization\_id](#input\_organization\_id) | Organization ID of your stackit cloud account | `string` | n/a | yes |
+| <a name="input_platform_admins"></a> [platform\_admins](#input\_platform\_admins) | List of members to add with their roles and subjects | <pre>list(object({<br>    role    = string<br>    subject = string<br>  }))</pre> | n/a | yes |
+| <a name="input_platform_users"></a> [platform\_users](#input\_platform\_users) | List of members to add with their roles and subjects | <pre>list(object({<br>    role    = string<br>    subject = string<br>  }))</pre> | n/a | yes |
+| <a name="input_token"></a> [token](#input\_token) | Bearer token for authentication | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_documentation_md"></a> [documentation\_md](#output\_documentation\_md) | n/a |
+<!-- END_TF_DOCS -->
\ No newline at end of file
diff --git a/kit/stackit/bootstrap/documentation.tf b/kit/stackit/bootstrap/documentation.tf
new file mode 100644
index 00000000..8ca022af
--- /dev/null
+++ b/kit/stackit/bootstrap/documentation.tf
@@ -0,0 +1,14 @@
+output "documentation_md" {
+  value = <<EOF
+
+# STACKIT Cloud Custom Platform
+
+## Self-Service Project Provioning
+
+At Likvid Bank, the Platform Team enables seamless self-service provisioning and management of STACKIT Projects for development teams. The platform is based on the STACKIT Cloud and is designed to i
+provide a secure and compliant environment for development teams to deploy and manage their applications.
+
+for more infos check our [Guide for STACKIT ](/likvid-cloudfoundation/meshstack/guides/guide_stackit.html)
+
+EOF
+}
diff --git a/kit/stackit/bootstrap/main.tf b/kit/stackit/bootstrap/main.tf
new file mode 100644
index 00000000..0d81822f
--- /dev/null
+++ b/kit/stackit/bootstrap/main.tf
@@ -0,0 +1,76 @@
+resource "null_resource" "platform_admin" {
+
+  # Trigger creation and destruction of resources based on the lifecycle
+  triggers = {
+    members         = jsonencode(var.platform_admins)
+    url             = var.api_url
+    token           = var.token
+    organization_id = var.organization_id
+  }
+
+  # Provisioner for the 'create' action
+  provisioner "local-exec" {
+    when    = create
+    command = <<EOT
+curl -X PATCH "${self.triggers.url}/v2/${self.triggers.organization_id}/members" \
+-H "Authorization: Bearer ${self.triggers.token}" \
+-H "Content-Type: application/json" \
+-d '{
+  "members": ${self.triggers.members},
+  "resourceType": "organization"
+}'
+EOT
+  }
+  # Provisioner for the 'destroy' action
+  provisioner "local-exec" {
+    when    = destroy
+    command = <<EOT
+curl -X POST "${self.triggers.url}/v2/${self.triggers.organization_id}/members/remove" \
+-H "Authorization: Bearer ${self.triggers.token}" \
+-H "Content-Type: application/json" \
+-d '{
+ "forceRemove": true,
+  "members": ${self.triggers.members},
+  "resourceType": "organization"
+}'
+EOT
+  }
+}
+
+resource "null_resource" "platform_users" {
+  # Trigger creation and destruction of resources based on the lifecycle
+  triggers = {
+    members         = jsonencode(var.platform_users)
+    url             = var.api_url
+    token           = var.token
+    organization_id = var.organization_id
+  }
+
+  # Provisioner for the 'create' action
+  provisioner "local-exec" {
+    when    = create
+    command = <<EOT
+curl -X PATCH "${self.triggers.url}/v2/${self.triggers.organization_id}/members" \
+-H "Authorization: Bearer ${self.triggers.token}" \
+-H "Content-Type: application/json" \
+-d '{
+  "members": ${self.triggers.members},
+  "resourceType": "organization"
+}'
+EOT
+  }
+  # Provisioner for the 'destroy' action
+  provisioner "local-exec" {
+    when    = destroy
+    command = <<EOT
+curl -X POST "${self.triggers.url}/v2/${self.triggers.organization_id}/members/remove" \
+-H "Authorization: Bearer ${self.triggers.token}" \
+-H "Content-Type: application/json" \
+-d '{
+ "forceRemove": true,
+  "members": ${self.triggers.members},
+  "resourceType": "organization"
+}'
+EOT
+  }
+}
diff --git a/kit/stackit/bootstrap/outputs.tf b/kit/stackit/bootstrap/outputs.tf
new file mode 100644
index 00000000..e69de29b
diff --git a/kit/stackit/bootstrap/variables.tf b/kit/stackit/bootstrap/variables.tf
new file mode 100644
index 00000000..7cc62af0
--- /dev/null
+++ b/kit/stackit/bootstrap/variables.tf
@@ -0,0 +1,32 @@
+variable "platform_admins" {
+  description = "List of members to add with their roles and subjects"
+  type = list(object({
+    role    = string
+    subject = string
+  }))
+}
+
+variable "platform_users" {
+  description = "List of members to add with their roles and subjects"
+  type = list(object({
+    role    = string
+    subject = string
+  }))
+}
+
+variable "token" {
+  description = "Bearer token for authentication"
+  type        = string
+  sensitive   = true
+}
+
+variable "api_url" {
+  description = "Base API URL"
+  type        = string
+  default     = "https://authorization.api.stackit.cloud"
+}
+
+variable "organization_id" {
+  description = "Organization ID of your stackit cloud account"
+  type        = string
+}
diff --git a/kit/stackit/bootstrap/versions.tf b/kit/stackit/bootstrap/versions.tf
new file mode 100644
index 00000000..339bb27e
--- /dev/null
+++ b/kit/stackit/bootstrap/versions.tf
@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    stackit = {
+      source  = "stackitcloud/stackit"
+      version = "0.37.1"
+    }
+    null = {
+      source  = "hashicorp/null"
+      version = "3.2.2"
+    }
+  }
+}
diff --git a/kit/stackit/buildingblocks/projects/buildingblock/README.md b/kit/stackit/buildingblocks/projects/buildingblock/README.md
new file mode 100644
index 00000000..5a6c6cb4
--- /dev/null
+++ b/kit/stackit/buildingblocks/projects/buildingblock/README.md
@@ -0,0 +1,72 @@
+# Terraform OVH Project
+
+This Terraform project is used to manage resources in the Stackit cloud platform. It provisions projects, manages users, and configures necessary providers.
+
+## Prerequisites
+
+- Terraform v1.0.0 or later
+- AWS credentials configured for the backend
+- Stackit service account token
+
+## Providers
+
+This project uses the following providers:
+
+- `stackit`: Manages resources in the Stackit cloud platform.
+- `aws`: Manages resources in AWS.
+- `null`: Provides null resources for triggering local-exec provisioners.
+
+## Usage
+
+1. Clone the repository.
+2. Initialize Terraform:
+   ```sh
+   terraform init
+   ```
+3. Apply the Terraform configuration:
+   ```sh
+   terraform apply
+   ```
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | 5.65.0 |
+| <a name="requirement_null"></a> [null](#requirement\_null) | 3.2.2 |
+| <a name="requirement_stackit"></a> [stackit](#requirement\_stackit) | 0.37.1 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [null_resource.create_user](https://registry.terraform.io/providers/hashicorp/null/3.2.2/docs/resources/resource) | resource |
+| [null_resource.project_admin](https://registry.terraform.io/providers/hashicorp/null/3.2.2/docs/resources/resource) | resource |
+| [null_resource.project_editor](https://registry.terraform.io/providers/hashicorp/null/3.2.2/docs/resources/resource) | resource |
+| [null_resource.project_reader](https://registry.terraform.io/providers/hashicorp/null/3.2.2/docs/resources/resource) | resource |
+| [stackit_resourcemanager_project.projects](https://registry.terraform.io/providers/stackitcloud/stackit/0.37.1/docs/resources/resourcemanager_project) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_api_url"></a> [api\_url](#input\_api\_url) | Base API URL | `string` | `"https://authorization.api.stackit.cloud"` | no |
+| <a name="input_aws_account_id"></a> [aws\_account\_id](#input\_aws\_account\_id) | this is for the tfstates Backend. in our case AWS. | `string` | n/a | yes |
+| <a name="input_organization_id"></a> [organization\_id](#input\_organization\_id) | id of the organization | `string` | n/a | yes |
+| <a name="input_parent_container_id"></a> [parent\_container\_id](#input\_parent\_container\_id) | The stackit Cloud parent container id for the project | `string` | n/a | yes |
+| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | Projects last block in name | `string` | n/a | yes |
+| <a name="input_token"></a> [token](#input\_token) | Bearer token for authentication | `string` | n/a | yes |
+| <a name="input_users"></a> [users](#input\_users) | Users and their roles provided by meshStack (Note that users must exist in stackit) | <pre>list(object(<br>    {<br>      meshIdentifier = string<br>      username       = string<br>      firstName      = string<br>      lastName       = string<br>      email          = string<br>      euid           = string<br>      roles          = list(string)<br>    }<br>  ))</pre> | n/a | yes |
+| <a name="input_workspace_id"></a> [workspace\_id](#input\_workspace\_id) | Projects first block in name | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_stackit_login_link"></a> [stackit\_login\_link](#output\_stackit\_login\_link) | n/a |
+| <a name="output_tenant_id"></a> [tenant\_id](#output\_tenant\_id) | n/a |
+<!-- END_TF_DOCS -->
diff --git a/kit/stackit/buildingblocks/projects/buildingblock/main.tf b/kit/stackit/buildingblocks/projects/buildingblock/main.tf
new file mode 100644
index 00000000..3262f871
--- /dev/null
+++ b/kit/stackit/buildingblocks/projects/buildingblock/main.tf
@@ -0,0 +1,191 @@
+locals {
+  admins      = { for user in var.users : user.username => user if contains(user.roles, "admin") }
+  editors     = { for user in var.users : user.username => user if contains(user.roles, "user") }
+  readers     = { for user in var.users : user.username => user if contains(user.roles, "reader") }
+  owner_email = values(local.admins)[0]["email"]
+  all_users = [for user in concat(values(local.admins), values(local.editors), values(local.readers)) :
+    { subject = user.email }
+  ]
+
+  admin_members  = [for admin in values(local.admins) : { subject = admin["email"], role = "owner" }]
+  editor_members = [for editor in values(local.editors) : { subject = editor["email"], role = "editor" }]
+  reader_members = [for reader in values(local.readers) : { subject = reader["email"], role = "reader" }]
+}
+
+resource "null_resource" "create_user" {
+  # Trigger creation and destruction of resources based on the lifecycle
+  triggers = {
+    members         = jsonencode(local.all_users) # This should be a list of emails
+    url             = var.api_url
+    token           = var.token
+    organization_id = var.organization_id
+  }
+
+  # Provisioner for the 'create' action
+  provisioner "local-exec" {
+    when    = create
+    command = <<EOT
+# Loop through each user email
+for user_email in $(echo '${self.triggers.members}' | jq -r '.[].subject'); do
+  # Retrieve all members of the organization
+  response=$(curl -s -H "Authorization: Bearer ${self.triggers.token}" "${self.triggers.url}/v2/organization/${self.triggers.organization_id}/members")
+
+  # Check if the user already exists in the response
+  user_exists=$(echo "$response" | jq -r ".members[] | select(.subject == \"$user_email\")")
+
+  if [ -z "$user_exists" ]; then
+    echo "User $user_email not found, adding them..."
+    # Send PATCH request to add the user
+    curl -X PATCH "${self.triggers.url}/v2/${self.triggers.organization_id}/members" \
+      -H "Authorization: Bearer ${self.triggers.token}" \
+      -H "Content-Type: application/json" \
+      -d '{
+        "members": [{ "subject": "'"$user_email"'", "role": "organization.auditor" }],
+        "resourceType": "organization"
+      }'
+
+    # Check if the request was successful
+    if [ $? -eq 0 ]; then
+      echo "User $user_email added successfully!"
+    else
+      echo "Error occurred while adding user $user_email!"
+      exit 1
+    fi
+  else
+    echo "User $user_email already exists, skipping..."
+  fi
+done
+EOT
+  }
+}
+
+resource "stackit_resourcemanager_project" "projects" {
+  parent_container_id = var.parent_container_id
+  name                = "${var.workspace_id}-${var.project_id}"
+  # labels = {
+  #   "Label1" = "foo"
+  # }
+  owner_email = local.owner_email
+  depends_on  = [null_resource.create_user]
+}
+
+resource "null_resource" "project_admin" {
+  # Trigger creation and destruction of resources based on the lifecycle
+  triggers = {
+    members    = jsonencode(local.admin_members)
+    url        = var.api_url
+    token      = var.token
+    project_id = stackit_resourcemanager_project.projects.project_id
+  }
+
+  # Provisioner for the 'create' action
+  provisioner "local-exec" {
+    when    = create
+    command = <<EOT
+curl -X PATCH "${self.triggers.url}/v2/${self.triggers.project_id}/members" \
+-H "Authorization: Bearer ${self.triggers.token}" \
+-H "Content-Type: application/json" \
+-d '{
+  "members": ${self.triggers.members},
+  "resourceType": "project"
+}'
+EOT
+  }
+
+  # Provisioner for the 'destroy' action
+  provisioner "local-exec" {
+    when    = destroy
+    command = <<EOT
+curl -X POST "${self.triggers.url}/v2/${self.triggers.project_id}/members/remove" \
+-H "Authorization: Bearer ${self.triggers.token}" \
+-H "Content-Type: application/json" \
+-d '{
+ "forceRemove": true,
+  "members": ${self.triggers.members},
+  "resourceType": "project"
+}'
+EOT
+  }
+  depends_on = [resource.stackit_resourcemanager_project.projects]
+}
+
+resource "null_resource" "project_editor" {
+  # Trigger creation and destruction of resources based on the lifecycle
+  triggers = {
+    members    = jsonencode(local.editor_members)
+    url        = var.api_url
+    token      = var.token
+    project_id = stackit_resourcemanager_project.projects.project_id
+  }
+
+  # Provisioner for the 'create' action
+  provisioner "local-exec" {
+    when    = create
+    command = <<EOT
+curl -X PATCH "${self.triggers.url}/v2/${self.triggers.project_id}/members" \
+-H "Authorization: Bearer ${self.triggers.token}" \
+-H "Content-Type: application/json" \
+-d '{
+  "members": ${self.triggers.members},
+  "resourceType": "project"
+}'
+EOT
+  }
+
+  # Provisioner for the 'destroy' action
+  provisioner "local-exec" {
+    when    = destroy
+    command = <<EOT
+curl -X POST "${self.triggers.url}/v2/${self.triggers.project_id}/members/remove" \
+-H "Authorization: Bearer ${self.triggers.token}" \
+-H "Content-Type: application/json" \
+-d '{
+ "forceRemove": true,
+  "members": ${self.triggers.members},
+  "resourceType": "project"
+}'
+EOT
+  }
+
+  depends_on = [resource.stackit_resourcemanager_project.projects]
+}
+
+resource "null_resource" "project_reader" {
+  # Trigger creation and destruction of resources based on the lifecycle
+  triggers = {
+    members    = jsonencode(local.reader_members)
+    url        = var.api_url
+    token      = var.token
+    project_id = stackit_resourcemanager_project.projects.project_id
+  }
+
+  # Provisioner for the 'create' action
+  provisioner "local-exec" {
+    when    = create
+    command = <<EOT
+curl -X PATCH "${self.triggers.url}/v2/${self.triggers.project_id}/members" \
+-H "Authorization: Bearer ${self.triggers.token}" \
+-H "Content-Type: application/json" \
+-d '{
+  "members": ${self.triggers.members},
+  "resourceType": "project"
+}'
+EOT
+  }
+
+  # Provisioner for the 'destroy' action
+  provisioner "local-exec" {
+    when    = destroy
+    command = <<EOT
+curl -X POST "${self.triggers.url}/v2/${self.triggers.project_id}/members/remove" \
+-H "Authorization: Bearer ${self.triggers.token}" \
+-H "Content-Type: application/json" \
+-d '{
+ "forceRemove": true,
+  "members": ${self.triggers.members},
+  "resourceType": "project"
+}'
+EOT
+  }
+  depends_on = [resource.stackit_resourcemanager_project.projects]
+}
diff --git a/kit/stackit/buildingblocks/projects/buildingblock/outputs.tf b/kit/stackit/buildingblocks/projects/buildingblock/outputs.tf
new file mode 100644
index 00000000..37f30ce7
--- /dev/null
+++ b/kit/stackit/buildingblocks/projects/buildingblock/outputs.tf
@@ -0,0 +1,7 @@
+output "tenant_id" {
+  value = stackit_resourcemanager_project.projects.project_id
+}
+
+output "stackit_login_link" {
+  value = "https://portal.stackit.cloud/projects/${stackit_resourcemanager_project.projects.project_id}/access"
+}
diff --git a/kit/stackit/buildingblocks/projects/buildingblock/projects.tftest.hcl b/kit/stackit/buildingblocks/projects/buildingblock/projects.tftest.hcl
new file mode 100644
index 00000000..b81c66bc
--- /dev/null
+++ b/kit/stackit/buildingblocks/projects/buildingblock/projects.tftest.hcl
@@ -0,0 +1,43 @@
+run "verify" {
+  variables {
+    organization_id     = "05d7eb3f-f875-4bcd-ad0d-a07d62787f21"
+    aws_account_id      = "490004649140"
+    parent_container_id = "0a4006f8-eaf3-417c-b2fa-7e9c08ebffba"
+    workspace_id        = "stackit"
+    project_id          = "test"
+    users = [
+      {
+        meshIdentifier = "identifier0"
+        username       = "likvid-daniela3@meshcloud.io"
+        firstName      = "likvid"
+        lastName       = "daniela"
+        email          = "likvid-daniela3@meshcloud.io"
+        euid           = "likvid-daniela3@meshcloud.io"
+        roles          = ["reader"]
+      },
+      {
+        meshIdentifier = "identifier1"
+        username       = "likvid-tom@meshcloud.io"
+        firstName      = "likvid"
+        lastName       = "tom"
+        email          = "likvid-tom@meshcloud.io"
+        euid           = "likvid-tom@meshcloud.io"
+        roles          = ["user"]
+      },
+      {
+        meshIdentifier = "identifier1"
+        username       = "likvid-ana@meshcloud.io"
+        firstName      = "likvid"
+        lastName       = "ana"
+        email          = "likvid-ana4@meshcloud.io"
+        euid           = "likvid-ana4@meshcloud.io"
+        roles          = ["admin"]
+      }
+    ]
+  }
+
+  assert {
+    condition     = length(var.users) > 0
+    error_message = "No users provided"
+  }
+}
diff --git a/kit/stackit/buildingblocks/projects/buildingblock/variables.tf b/kit/stackit/buildingblocks/projects/buildingblock/variables.tf
new file mode 100644
index 00000000..7faae5dc
--- /dev/null
+++ b/kit/stackit/buildingblocks/projects/buildingblock/variables.tf
@@ -0,0 +1,51 @@
+variable "api_url" {
+  description = "Base API URL"
+  type        = string
+  default     = "https://authorization.api.stackit.cloud"
+}
+
+variable "token" {
+  description = "Bearer token for authentication"
+  type        = string
+  sensitive   = true
+}
+
+variable "workspace_id" {
+  type        = string
+  description = "Projects first block in name"
+}
+
+variable "organization_id" {
+  type        = string
+  description = "id of the organization"
+}
+
+variable "project_id" {
+  type        = string
+  description = "Projects last block in name"
+}
+
+variable "parent_container_id" {
+  type        = string
+  description = "The stackit Cloud parent container id for the project"
+}
+
+variable "aws_account_id" {
+  description = "this is for the tfstates Backend. in our case AWS."
+  type        = string
+}
+
+variable "users" {
+  type = list(object(
+    {
+      meshIdentifier = string
+      username       = string
+      firstName      = string
+      lastName       = string
+      email          = string
+      euid           = string
+      roles          = list(string)
+    }
+  ))
+  description = "Users and their roles provided by meshStack (Note that users must exist in stackit)"
+}
diff --git a/kit/stackit/buildingblocks/projects/buildingblock/versions.tf b/kit/stackit/buildingblocks/projects/buildingblock/versions.tf
new file mode 100644
index 00000000..ddf14847
--- /dev/null
+++ b/kit/stackit/buildingblocks/projects/buildingblock/versions.tf
@@ -0,0 +1,38 @@
+terraform {
+  required_providers {
+    stackit = {
+      source  = "stackitcloud/stackit"
+      version = "0.37.1"
+    }
+    aws = {
+      source  = "hashicorp/aws"
+      version = "5.65.0"
+    }
+    null = {
+      source  = "hashicorp/null"
+      version = "3.2.2"
+    }
+  }
+}
+
+provider "stackit" {
+  region                = "eu01"
+  service_account_token = var.token
+}
+
+#TODO: we are using AWS as our Terraform backend. Its up to you where your TF state will hosted.
+terraform {
+  backend "s3" {
+    bucket = "buildingblocks-tfstates-p32kj" # Must match what's configured in automation backend
+    key    = "terraform/stackit-project"
+    region = "eu-central-1"
+  }
+}
+
+provider "aws" {
+  region = "eu-central-1"
+
+  assume_role {
+    role_arn = "arn:aws:iam::${var.aws_account_id}:role/LikvidBuildingBlockServiceRole" # Must match what's configured in automation backend
+  }
+}