stackitcloud · c-thiel · Jun 19, 2026
@@ -185,7 +185,7 @@ To enable experiments set the experiments field in the provider definition:
 ```hcl
 provider "stackit" {
   default_region        = "eu01"
-  experiments           = ["iam", "routing-tables", "network"]
+  experiments           = ["iam", "routing-tables", "network", "workflows"]
 }
 ```
 
@@ -211,6 +211,11 @@ Enables the usage and provisioning of STACKIT Dremio resources.
 The STACKIT Dremio API is currently in alpha state.
 The fields of the resources are still subject to change.
 
+#### `workflows`
+
+Enables the STACKIT Workflows resources (`stackit_workflows_instance`, `stackit_workflows_dag_bundle`) and their data sources.
+The underlying API is in alpha and may change; the experiment flag must be set to use these resources.
+
 ## Acceptance Tests
 
 > [!WARNING]

@@ -0,0 +1,86 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stackit_workflows_dag_bundle Data Source - stackit"
+subcategory: ""
+description: |-
+  Workflows DAG bundle data source. Uses the default_region specified in the provider configuration as a fallback in case no region is defined on datasource level.
+  ~> This datasource is part of the workflows experiment and is likely going to undergo significant changes or be removed in the future. Use it at your own discretion.
+---
+
+# stackit_workflows_dag_bundle (Data Source)
+
+Workflows DAG bundle data source. Uses the `default_region` specified in the provider configuration as a fallback in case no `region` is defined on datasource level.
+
+~> This datasource is part of the workflows experiment and is likely going to undergo significant changes or be removed in the future. Use it at your own discretion.
+
+## Example Usage
+
+```terraform
+data "stackit_workflows_dag_bundle" "bundle" {
+  project_id  = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  region      = "eu01"
+  instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  name        = "main-dags"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `instance_id` (String) ID of the Workflows instance this bundle belongs to.
+- `name` (String) Bundle name. Must be a DNS label: lowercase alphanumeric and hyphens, starting with a letter, max 63 characters. Immutable.
+- `project_id` (String) STACKIT project ID associated with the Workflows instance.
+
+### Optional
+
+- `region` (String) STACKIT region name the resource is located in. If not defined, the provider region is used.
+
+### Read-Only
+
+- `git` (Attributes) Git-backed DAG bundle source. Populated when the bundle is git-typed. (see [below for nested schema](#nestedatt--git))
+- `id` (String) Terraform's internal resource identifier. It is structured as "`project_id`,`region`,`instance_id`,`name`".
+- `s3` (Attributes) S3-backed DAG bundle source. Populated when the bundle is s3-typed. (see [below for nested schema](#nestedatt--s3))
+
+<a id="nestedatt--git"></a>
+### Nested Schema for `git`
+
+Read-Only:
+
+- `auth` (Attributes) Authentication for the Git source. (see [below for nested schema](#nestedatt--git--auth))
+- `branch` (String) Branch, tag, or ref to track.
+- `refresh_interval` (Number) How often (in seconds) the bundle is re-scanned for changes.
+- `subdir` (String) Optional subdirectory inside the Git repository that contains the DAGs. Leading/trailing slashes are stripped by both the server and provider.
+- `url` (String) Git repository URL.
+
+<a id="nestedatt--git--auth"></a>
+### Nested Schema for `git.auth`
+
+Read-Only:
+
+- `password` (String, Sensitive) Git password or PAT. Never returned by the API; always null when read.
+- `type` (String) Authentication scheme: `basic` (username + password) or `none` (public repos).
+- `username` (String) Git username. Required when `git.auth.type = basic`.
+
+
+
+<a id="nestedatt--s3"></a>
+### Nested Schema for `s3`
+
+Read-Only:
+
+- `auth` (Attributes) Authentication for the S3 source. (see [below for nested schema](#nestedatt--s3--auth))
+- `bucket_name` (String) S3 bucket name containing the DAGs.
+- `endpoint` (String) S3-compatible endpoint URL. Defaults to STACKIT Object Storage in the region.
+- `prefix` (String) Optional key prefix inside the bucket.
+- `refresh_interval` (Number) How often (in seconds) the bundle is re-scanned for changes.
+
+<a id="nestedatt--s3--auth"></a>
+### Nested Schema for `s3.auth`
+
+Read-Only:
+
+- `access_key_id` (String) S3 access key ID. Required when `s3.auth.type = access_key`.
+- `secret_access_key` (String, Sensitive) S3 secret access key. Never returned by the API; always null when read.
+- `type` (String) Authentication scheme: `access_key` or `none` (public buckets).
@@ -0,0 +1,56 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stackit_workflows_dag_bundles Data Source - stackit"
+subcategory: ""
+description: |-
+  Lists all DAG bundles attached to a Workflows instance. Uses the default_region specified in the provider configuration as a fallback in case no region is defined on datasource level.
+  ~> This datasource is part of the workflows experiment and is likely going to undergo significant changes or be removed in the future. Use it at your own discretion.
+---
+
+# stackit_workflows_dag_bundles (Data Source)
+
+Lists all DAG bundles attached to a Workflows instance. Uses the `default_region` specified in the provider configuration as a fallback in case no `region` is defined on datasource level.
+
+~> This datasource is part of the workflows experiment and is likely going to undergo significant changes or be removed in the future. Use it at your own discretion.
+
+## Example Usage
+
+```terraform
+data "stackit_workflows_dag_bundles" "all" {
+  project_id  = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  region      = "eu01"
+  instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `instance_id` (String) Workflows instance ID.
+- `project_id` (String) STACKIT project ID.
+
+### Optional
+
+- `region` (String) STACKIT region name.
+
+### Read-Only
+
+- `dag_bundles` (Attributes List) DAG bundles attached to the instance. (see [below for nested schema](#nestedatt--dag_bundles))
+- `id` (String) Terraform's internal data-source ID. It is structured as "`project_id`,`region`,`instance_id`".
+
+<a id="nestedatt--dag_bundles"></a>
+### Nested Schema for `dag_bundles`
+
+Read-Only:
+
+- `branch` (String) Git branch (git bundles only).
+- `bucket_name` (String) Bucket name (s3 bundles only).
+- `endpoint` (String) S3 endpoint (s3 bundles only).
+- `name` (String) Bundle name.
+- `prefix` (String) Key prefix (s3 bundles only).
+- `refresh_interval` (Number) Refresh interval (seconds).
+- `subdir` (String) Subdirectory inside the repository (git bundles only).
+- `type` (String) Bundle source type (`git` or `s3`).
+- `url` (String) Git repository URL (git bundles only).
@@ -0,0 +1,101 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stackit_workflows_instance Data Source - stackit"
+subcategory: ""
+description: |-
+  Workflows instance data source schema. Uses the default_region specified in the provider configuration as a fallback in case no region is defined on datasource level.
+  ~> This datasource is part of the workflows experiment and is likely going to undergo significant changes or be removed in the future. Use it at your own discretion.
+---
+
+# stackit_workflows_instance (Data Source)
+
+Workflows instance data source schema. Uses the `default_region` specified in the provider configuration as a fallback in case no `region` is defined on datasource level.
+
+~> This datasource is part of the workflows experiment and is likely going to undergo significant changes or be removed in the future. Use it at your own discretion.
+
+## Example Usage
+
+```terraform
+data "stackit_workflows_instance" "workflow" {
+  project_id  = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  region      = "eu01"
+  instance_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `instance_id` (String) Workflows instance ID.
+- `project_id` (String) STACKIT project ID associated with the Workflows instance.
+
+### Optional
+
+- `region` (String) STACKIT region. If not set, the provider region is used.
+
+### Read-Only
+
+- `created_at` (String) Creation timestamp (RFC 3339).
+- `dag_bundles` (Attributes List) DAG bundles attached to this instance. Manage individual bundles via `stackit_workflows_dag_bundle`. (see [below for nested schema](#nestedatt--dag_bundles))
+- `description` (String) Instance description. Max 256 characters.
+- `display_name` (String) Instance display name. Max 25 characters.
+- `enable_airflow_example_dags` (Boolean) Enable the Airflow built-in example DAGs. Honored on Airflow 3 instances; older versions may reject.
+- `enable_stackit_example_dags` (Boolean) Include the STACKIT sample DAGs. Honored on Airflow 3 instances; older versions may reject.
+- `endpoints` (Attributes) Instance endpoints. Populated by the server. (see [below for nested schema](#nestedatt--endpoints))
+- `id` (String) Terraform's internal resource ID. It is structured as "`project_id`,`region`,`instance_id`".
+- `identity_provider` (Attributes) Identity provider configuration. Only `oauth2` is currently supported. (see [below for nested schema](#nestedatt--identity_provider))
+- `network` (Attributes) Attach the instance to a STACKIT network. Changes force replacement. (see [below for nested schema](#nestedatt--network))
+- `observability_id` (String) STACKIT Observability instance to receive metrics and logs.
+- `status` (String) Lifecycle status of the Workflows instance. Possible values are: `creating`, `active`, `updating`, `deleting`, `failed`.
+- `status_message` (String) Human-readable status detail. Populated by the server when status is `failed` or during convergence; empty otherwise.
+- `version` (String) Workflows version (e.g. `workflows-3.0-airflow-3.1`). Discover valid values via the `stackit_workflows_provider_options` data source.
+
+<a id="nestedatt--dag_bundles"></a>
+### Nested Schema for `dag_bundles`
+
+Read-Only:
+
+- `branch` (String) Git branch (git bundles only).
+- `bucket_name` (String) S3 bucket name (s3 bundles only).
+- `endpoint` (String) S3 endpoint (s3 bundles only).
+- `name` (String) Bundle name.
+- `prefix` (String) S3 key prefix (s3 bundles only).
+- `refresh_interval` (Number) Bundle refresh interval in seconds.
+- `subdir` (String) Subdirectory inside the Git repository (git bundles only).
+- `type` (String) Bundle type: `git` or `s3`.
+- `url` (String) Git repository URL (git bundles only).
+
+
+<a id="nestedatt--endpoints"></a>
+### Nested Schema for `endpoints`
+
+Read-Only:
+
+- `redirect_url` (String) OAuth2 redirect URL configured on the instance.
+- `url` (String) Primary endpoint URL (Airflow UI).
+
+
+<a id="nestedatt--identity_provider"></a>
+### Nested Schema for `identity_provider`
+
+Read-Only:
+
+- `api_audience` (Set of String) Allowed audiences for the ID token.
+- `client_id` (String) OAuth2 client ID.
+- `client_secret` (String, Sensitive) OAuth2 client secret. Never returned by the API; always null when read.
+- `discovery_endpoint` (String) OAuth2 discovery endpoint (`.well-known/openid-configuration`).
+- `name` (String) Display name for the IdP. `azure`, `okta`, `aws_cognito`, `keycloak` enable provider-specific token parsing.
+- `resource` (String) OAuth2 resource indicator.
+- `roles_claim` (String) Name of the claim that carries the user's roles.
+- `scope` (String) OAuth2 scopes (space-separated, e.g. `openid email`).
+- `type` (String) Identity provider type (`oauth2`).
+
+
+<a id="nestedatt--network"></a>
+### Nested Schema for `network`
+
+Read-Only:
+
+- `id` (String) STACKIT network ID.
@@ -0,0 +1,51 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stackit_workflows_instances Data Source - stackit"
+subcategory: ""
+description: |-
+  Lists all Workflows instances in a project. Uses the default_region specified in the provider configuration as a fallback in case no region is defined on datasource level.
+  ~> This datasource is part of the workflows experiment and is likely going to undergo significant changes or be removed in the future. Use it at your own discretion.
+---
+
+# stackit_workflows_instances (Data Source)
+
+Lists all Workflows instances in a project. Uses the `default_region` specified in the provider configuration as a fallback in case no `region` is defined on datasource level.
+
+~> This datasource is part of the workflows experiment and is likely going to undergo significant changes or be removed in the future. Use it at your own discretion.
+
+## Example Usage
+
+```terraform
+data "stackit_workflows_instances" "all" {
+  project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  region     = "eu01"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `project_id` (String) STACKIT project ID.
+
+### Optional
+
+- `region` (String) STACKIT region name. If not defined, the provider region is used.
+
+### Read-Only
+
+- `id` (String) Terraform's internal data-source ID. It is structured as "`project_id`,`region`".
+- `instances` (Attributes List) All Workflows instances in this project + region. (see [below for nested schema](#nestedatt--instances))
+
+<a id="nestedatt--instances"></a>
+### Nested Schema for `instances`
+
+Read-Only:
+
+- `created_at` (String) Creation timestamp (RFC 3339).
+- `description` (String) User-provided description.
+- `display_name` (String) Display name of the instance.
+- `instance_id` (String) The Workflows instance ID.
+- `status` (String) Lifecycle status.
+- `version` (String) Workflows version.
@@ -0,0 +1,58 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stackit_workflows_provider_options Data Source - stackit"
+subcategory: ""
+description: |-
+  Lists Workflows versions supported by the Workflows API in a region. Uses the default_region specified in the provider configuration as a fallback in case no region is defined on datasource level.
+  ~> This datasource is part of the workflows experiment and is likely going to undergo significant changes or be removed in the future. Use it at your own discretion.
+---
+
+# stackit_workflows_provider_options (Data Source)
+
+Lists Workflows versions supported by the Workflows API in a region. Uses the `default_region` specified in the provider configuration as a fallback in case no `region` is defined on datasource level.
+
+~> This datasource is part of the workflows experiment and is likely going to undergo significant changes or be removed in the future. Use it at your own discretion.
+
+## Example Usage
+
+```terraform
+data "stackit_workflows_provider_options" "options" {
+  region = "eu01"
+}
+
+resource "stackit_workflows_instance" "instance" {
+  project_id   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  region       = "eu01"
+  display_name = "my-instance"
+  version      = data.stackit_workflows_provider_options.options.versions.0.version
+
+  identity_provider = {
+    type               = "oauth2"
+    name               = "azure"
+    client_id          = "xxx"
+    client_secret      = "xxx"
+    scope              = "openid email"
+    discovery_endpoint = "https://login.microsoftonline.com/.../v2.0/.well-known/openid-configuration"
+  }
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Optional
+
+- `region` (String) STACKIT region to query. If not defined, the provider region is used.
+
+### Read-Only
+
+- `versions` (Attributes List) Supported Workflows versions. (see [below for nested schema](#nestedatt--versions))
+
+<a id="nestedatt--versions"></a>
+### Nested Schema for `versions`
+
+Read-Only:
+
+- `expiration_date` (String) RFC 3339 timestamp at which the version expires, or null if there is no scheduled expiry.
+- `state` (String) Lifecycle state of the version.
+- `version` (String) Version identifier (e.g. `workflows-3.0-airflow-3.1`).
@@ -173,7 +173,7 @@ Note: AWS specific checks must be skipped as they do not work on STACKIT. For de
 - `dremio_custom_endpoint` (String) Custom endpoint for the Dremio service
 - `edgecloud_custom_endpoint` (String) Custom endpoint for the Edge Cloud service
 - `enable_beta_resources` (Boolean) Enable beta resources. Default is false.
-- `experiments` (List of String) Enables experiments. These are unstable features without official support. More information can be found in the README. Available Experiments: dremio, iam, routing-tables, network
+- `experiments` (List of String) Enables experiments. These are unstable features without official support. More information can be found in the README. Available Experiments: dremio, iam, network, routing-tables, workflows
 - `git_custom_endpoint` (String) Custom endpoint for the Git service
 - `iaas_custom_endpoint` (String) Custom endpoint for the IaaS service
 - `intake_custom_endpoint` (String) Custom endpoint for the Intake service
@@ -216,3 +216,4 @@ Note: AWS specific checks must be skipped as they do not work on STACKIT. For de
 - `token_custom_endpoint` (String) Custom endpoint for the token API, which is used to request access tokens when using the key flow
 - `use_oidc` (Boolean) Enables OIDC for Authentication. This can also be sourced from the `STACKIT_USE_OIDC` Environment Variable. Defaults to `false`.
 - `vpn_custom_endpoint` (String) Custom endpoint for the VPN service
+- `workflows_custom_endpoint` (String) Custom endpoint for the Workflows service