From a435ddb7e46c9115e7efe9e8c72bba8fa53f7a0f Mon Sep 17 00:00:00 2001 From: Muhammet Bayram Date: Thu, 18 Sep 2025 13:16:09 +0200 Subject: [PATCH 1/5] changed ipv4 prefix in resources loadbalancer.md to represent a working example --- docs/resources/loadbalancer.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/resources/loadbalancer.md b/docs/resources/loadbalancer.md index cec3b5b4b..87b33562c 100644 --- a/docs/resources/loadbalancer.md +++ b/docs/resources/loadbalancer.md @@ -119,14 +119,14 @@ resource "stackit_loadbalancer" "example" { resource "stackit_network" "lb_network" { project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" name = "lb-network-example" - ipv4_prefix = "192.168.1.0/24" + ipv4_prefix = "192.168.10.0/25" ipv4_nameservers = ["8.8.8.8"] } resource "stackit_network" "target_network" { project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" name = "target-network-example" - ipv4_prefix = "192.168.2.0/24" + ipv4_prefix = "192.168.10.0/25" ipv4_nameservers = ["8.8.8.8"] } From fb20984940bdad6075784dbd95f87f2a99979f15 Mon Sep 17 00:00:00 2001 From: Muhammet Bayram Date: Fri, 19 Sep 2025 10:04:39 +0200 Subject: [PATCH 2/5] now changed docs at the correct place: terraform-provider-stackit/examples/resources/stackit_loadbalancer/resource.tf --- examples/resources/stackit_loadbalancer/resource.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/resources/stackit_loadbalancer/resource.tf b/examples/resources/stackit_loadbalancer/resource.tf index 372c922da..f476e29c0 100644 --- a/examples/resources/stackit_loadbalancer/resource.tf +++ b/examples/resources/stackit_loadbalancer/resource.tf 
@@ -100,14 +100,14 @@ resource "stackit_loadbalancer" "example" { resource "stackit_network" "lb_network" { project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" name = "lb-network-example" - ipv4_prefix = "192.168.1.0/24" + ipv4_prefix = "192.168.10.0/25" ipv4_nameservers = ["8.8.8.8"] } resource "stackit_network" "target_network" { project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" name = "target-network-example" - ipv4_prefix = "192.168.2.0/24" + ipv4_prefix = "192.168.10.0/25" ipv4_nameservers = ["8.8.8.8"] } From 76b08de7a73087acf942feb35380f9440ef2553a Mon Sep 17 00:00:00 2001 From: Muhammet Bayram Date: Wed, 24 Sep 2025 17:54:29 +0200 Subject: [PATCH 3/5] added missing loadbalancersecuritygroupid attribute --- .../services/loadbalancer/loadbalancer/resource.go | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/stackit/internal/services/loadbalancer/loadbalancer/resource.go b/stackit/internal/services/loadbalancer/loadbalancer/resource.go index 698286703..01396ac59 100644 --- a/stackit/internal/services/loadbalancer/loadbalancer/resource.go +++ b/stackit/internal/services/loadbalancer/loadbalancer/resource.go @@ -63,6 +63,7 @@ type Model struct { TargetPools types.List `tfsdk:"target_pools"` Region types.String `tfsdk:"region"` SecurityGroupId types.String `tfsdk:"security_group_id"` + LoadBalancerSecurityGroupId types.String `tfsdk:"load_balancer_security_group_id"` } // Struct corresponding to Model.Listeners[i] 
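Review bot: Both `lb_network` and `target_network` end up with the same `ipv4_prefix = "192.168.10.0/25"` in this hunk, so the example no longer shows two distinguishable address ranges for the load balancer side and the target side. A later commit in the series also sets `routed = true` on the target network, and whether two networks with an identical prefix are accepted there depends on project and network-area settings that are not visible in this diff. If the overlap is deliberate, add a one-line comment above the second prefix stating why both networks share the range; otherwise give them adjacent ranges, e.g. `192.168.10.0/25` and `192.168.10.128/25`. The same edit is made to the copy in docs/resources/loadbalancer.md.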
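Review bot: The new `LoadBalancerSecurityGroupId` field is tagged `tfsdk:"load_balancer_security_group_id"`, but this commit adds no schema attribute with that name; the resource schema only gains it in the next patch, so this commit on its own would probably fail when the framework decodes plan or state into `Model`. The same holds for any other schema that reads into `Model`: if the package's data source shares this struct (not visible in the diff), it needs a matching computed attribute too. Consider squashing the field and the schema attribute into one commit and checking the data source. The struct definition starts and ends outside the hunk.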
@@ -1247,6 +1248,12 @@ func mapFields(ctx context.Context, lb *loadbalancer.LoadBalancer, m *Model, reg m.PrivateAddress = types.StringPointerValue(lb.PrivateAddress) m.DisableSecurityGroupAssignment = types.BoolPointerValue(lb.DisableTargetSecurityGroupAssignment) + if lb.LoadBalancerSecurityGroup != nil { + m.LoadBalancerSecurityGroupId = types.StringPointerValue(lb.LoadBalancerSecurityGroup.Id) + } else { + m.LoadBalancerSecurityGroupId = types.StringNull() + } + if lb.TargetSecurityGroup != nil { m.SecurityGroupId = types.StringPointerValue(lb.TargetSecurityGroup.Id) } else { From 3b62a405418893e74edc1974f5b5d806bce62202 Mon Sep 17 00:00:00 2001 From: Muhammet Bayram Date: Thu, 25 Sep 2025 15:37:25 +0200 Subject: [PATCH 4/5] added missing loadbalancersecuritygroupid attribute and fields --- docs/resources/loadbalancer.md | 3 ++- .../services/loadbalancer/loadbalancer/resource.go | 10 +++++++++- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/docs/resources/loadbalancer.md b/docs/resources/loadbalancer.md index 87b33562c..40fa4e445 100644 --- a/docs/resources/loadbalancer.md +++ b/docs/resources/loadbalancer.md 
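Review bot: Nothing in the series exercises the new branch in `mapFields`; if the package has a table-driven test for `mapFields` (not visible here), add one case with `lb.LoadBalancerSecurityGroup` set and one with it nil, so the two security group attributes cannot be confused again without a test failing. The new block and the existing `TargetSecurityGroup` block now read almost identically, so a short comment on each would help, e.g. `// security group of the load balancer's own machines -> load_balancer_security_group_id` above the new one. The explicit nil check is needed for the struct dereference, while `types.StringPointerValue` already maps a nil `Id` to null. `mapFields` begins and ends outside the hunk.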
@@ -242,8 +242,9 @@ import { ### Read-Only - `id` (String) Terraform's internal resource ID. It is structured as "`project_id`","region","`name`". +- `load_balancer_security_group_id` (String) The ID of the egress security group assigned to the Load Balancer's internal machines. This ID is essential for allowing traffic from the Load Balancer to targets in different networks or STACKIT network areas (SNA). To enable this, create a security group rule for your target VMs and set the `remote_security_group_id` of that rule to this value. This is typically used when `disable_security_group_assignment` is set to `true`. - `private_address` (String) Transient private Load Balancer IP address. It can change any time. -- `security_group_id` (String) The ID of the egress security group assigned to the Load Balancer's internal machines. This ID is essential for allowing traffic from the Load Balancer to targets in different networks or STACKIT network areas (SNA). To enable this, create a security group rule for your target VMs and set the `remote_security_group_id` of that rule to this value. This is typically used when `disable_security_group_assignment` is set to `true`. +- `security_group_id` (String) The ID of the backend security group ### Nested Schema for `listeners` diff --git a/stackit/internal/services/loadbalancer/loadbalancer/resource.go b/stackit/internal/services/loadbalancer/loadbalancer/resource.go index 01396ac59..a4865e9f1 100644 --- a/stackit/internal/services/loadbalancer/loadbalancer/resource.go +++ b/stackit/internal/services/loadbalancer/loadbalancer/resource.go 
@@ -345,7 +345,8 @@ func (r *loadBalancerResource) Schema(_ context.Context, _ resource.SchemaReques "targets.display_name": "Target display name", "ip": "Target IP", "region": "The resource region. If not defined, the provider region is used.", - "security_group_id": "The ID of the egress security group assigned to the Load Balancer's internal machines. This ID is essential for allowing traffic from the Load Balancer to targets in different networks or STACKIT network areas (SNA). To enable this, create a security group rule for your target VMs and set the `remote_security_group_id` of that rule to this value. This is typically used when `disable_security_group_assignment` is set to `true`.", + "security_group_id": "The ID of the backend security group", + "load_balancer_security_group_id": "The ID of the egress security group assigned to the Load Balancer's internal machines. This ID is essential for allowing traffic from the Load Balancer to targets in different networks or STACKIT network areas (SNA). To enable this, create a security group rule for your target VMs and set the `remote_security_group_id` of that rule to this value. This is typically used when `disable_security_group_assignment` is set to `true`.", } resp.Schema = schema.Schema{ @@ -693,6 +694,13 @@ The example below creates the supporting infrastructure using the STACKIT Terraf stringplanmodifier.UseStateForUnknown(), }, }, + "load_balancer_security_group_id": schema.StringAttribute{ + Description: descriptions["load_balancer_security_group_id"], + Computed: true, + PlanModifiers: []planmodifier.String{ + stringplanmodifier.UseStateForUnknown(), + }, + }, }, } } From 2ca9b5f58b47e8c179e293c46dc833ee5b434847 Mon Sep 17 00:00:00 2001 
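Review bot: The replacement description for `security_group_id`, `"The ID of the backend security group"`, does not tell readers that the guidance changed. The previous text told them to put this value into `remote_security_group_id`, and configurations written that way still plan and apply cleanly while their ingress rule admits traffic from a different group than the load balancer's own (the value is mapped from `lb.TargetSecurityGroup` in `mapFields`). The description should say which group this is and point to the new attribute, for example `"The ID of the backend (target) security group. For rules that admit traffic from the Load Balancer, use load_balancer_security_group_id."`. Because this affects which sources an existing rule allows, a changelog or upgrade note would be worth adding as well.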
From: Muhammet Bayram Date: Thu, 25 Sep 2025 17:10:02 +0200 Subject: [PATCH 5/5] adjusted docs to the newly corrected load_balancer_security_group_id field --- docs/resources/loadbalancer.md | 13 +++++++++---- examples/resources/stackit_loadbalancer/resource.tf | 13 +++++++++---- 2 files changed, 18 insertions(+), 8 deletions(-) diff --git a/docs/resources/loadbalancer.md b/docs/resources/loadbalancer.md index 40fa4e445..fdf3a1afa 100644 --- a/docs/resources/loadbalancer.md +++ b/docs/resources/loadbalancer.md @@ -126,6 +126,7 @@ resource "stackit_network" "lb_network" { resource "stackit_network" "target_network" { project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" name = "target-network-example" + routed = true ipv4_prefix = "192.168.10.0/25" ipv4_nameservers = ["8.8.8.8"] } @@ -181,7 +182,7 @@ resource "stackit_security_group_rule" "allow_lb_ingress" { } # This is the crucial link: it allows traffic from the LB's security group. - remote_security_group_id = stackit_loadbalancer.example.security_group_id + remote_security_group_id = stackit_loadbalancer.example.load_balancer_security_group_id port_range = { min = 80 @@ -201,15 +202,19 @@ resource "stackit_server" "example" { size = 10 } - network_interfaces = [ - stackit_network_interface.nic.network_interface_id - ] + network_interfaces = [stackit_network_interface.nic.network_interface_id] + } resource "stackit_network_interface" "nic" { project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" network_id = stackit_network.target_network.network_id security_group_ids = [stackit_security_group.target_sg.security_group_id] + lifecycle { + ignore_changes = [ + security_group_ids, + ] + } } # End of advanced example diff --git a/examples/resources/stackit_loadbalancer/resource.tf b/examples/resources/stackit_loadbalancer/resource.tf index f476e29c0..70dbfa4d4 100644 --- a/examples/resources/stackit_loadbalancer/resource.tf +++ b/examples/resources/stackit_loadbalancer/resource.tf 
@@ -107,6 +107,7 @@ resource "stackit_network" "lb_network" { resource "stackit_network" "target_network" { project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" name = "target-network-example" + routed = true ipv4_prefix = "192.168.10.0/25" ipv4_nameservers = ["8.8.8.8"] } @@ -162,7 +163,7 @@ resource "stackit_security_group_rule" "allow_lb_ingress" { } # This is the crucial link: it allows traffic from the LB's security group. - remote_security_group_id = stackit_loadbalancer.example.security_group_id + remote_security_group_id = stackit_loadbalancer.example.load_balancer_security_group_id port_range = { min = 80 @@ -182,15 +183,19 @@ resource "stackit_server" "example" { size = 10 } - network_interfaces = [ - stackit_network_interface.nic.network_interface_id - ] + network_interfaces = [stackit_network_interface.nic.network_interface_id] + } resource "stackit_network_interface" "nic" { project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" network_id = stackit_network.target_network.network_id security_group_ids = [stackit_security_group.target_sg.security_group_id] + lifecycle { + ignore_changes = [ + security_group_ids, + ] + } } # End of advanced example
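Review bot: The added `lifecycle { ignore_changes = [security_group_ids] }` on `stackit_network_interface.nic` has no comment explaining why it is needed. It also has a side effect readers should know about: Terraform stops detecting and reverting any out-of-band change to the interface's security groups, not only the one the example anticipates. Add a line above the block such as `# <why security_group_ids changes outside Terraform>; drift in this attribute is no longer corrected`, with the actual reason filled in. The same hunk leaves an empty line before the closing brace of `stackit_server.example` after collapsing `network_interfaces` to one line. Both remarks apply to the identical hunk in docs/resources/loadbalancer.md.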