Skip to content

feat(ske): support audit log configuration#1578

Open
tobias-pfaffelmoser-ske wants to merge 6 commits into
stackitcloud:mainfrom
tobias-pfaffelmoser-ske:feat/ske-audit-logs
Open

feat(ske): support audit log configuration#1578
tobias-pfaffelmoser-ske wants to merge 6 commits into
stackitcloud:mainfrom
tobias-pfaffelmoser-ske:feat/ske-audit-logs

Conversation

@tobias-pfaffelmoser-ske

Copy link
Copy Markdown

Description

Adds support for configuring SKE cluster audit log forwarding via a new optional
audit block on the stackit_ske_cluster resource (and as a read-only attribute
on the data source):

resource "stackit_ske_cluster" "example" {
  # ...
  audit = {
    enabled = true
  }
}

The audit.enabled flag is passed through to the SKE API (ske.Audit) on create/update and mapped back into state on read. This feature is in private preview and can only be enabled for accounts/projects that have been enabled for audit log forwarding to a Telemetry Router.

This also bumps the stackit-sdk-go/services/ske dependency to v1.19.0, which introduces the audit field.

Acceptance tests are intentionally omitted: audit log forwarding is a private-preview feature that requires account/project enablement, which might not be available in the standard CI test project. The change is covered by unit tests (toAuditPayload, mapAudit) and both K8s create and update were verified manually against a preview-enabled OnDemand QA project.

Checklist

  • Issue was linked above
  • Code format was applied: make fmt
  • Examples were added / adjusted (see examples/ directory)
  • Docs are up-to-date: make generate-docs (will be checked by CI)
  • Unit tests got implemented or updated
  • Acceptance tests got implemented or updated (see e.g. here)
  • Unit tests are passing: make test (will be checked by CI)
  • No linter issues: make lint (will be checked by CI)

@tobias-pfaffelmoser-ske tobias-pfaffelmoser-ske requested a review from a team as a code owner July 10, 2026 12:41
"access_idp": "Configure IDP",
"access_idp_enabled": "Enable IDP integration for the cluster.",
"access_idp_type": "The IDP type. Possible values: 'stackit'.",
"audit": "Cluster audit log forwarding configuration. This feature is in private preview. Enabling audit logging is only possible for enabled accounts.",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
"audit": "Cluster audit log forwarding configuration. This feature is in private preview. Enabling audit logging is only possible for enabled accounts.",
"audit": "Cluster audit log forwarding configuration.",

This can be shortened as it is not part of any public documentation, release notes or similar

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thx! Adapted.

}

// The user explicitly configured `audit = { enabled = false }`. The API does
// not echo a disabled audit config back, so we keep the configured value to

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If nothing is configured for a cluster, then the API always echoes audit = {enabled = false} in regions where the feature is available.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure what this means for the code exactly. But we can probably drop the if below. For regions without the feature, we actually want the Otherwise case below as users there shouldn't enable the feature in terraform anyways.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense. Simplified.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants