Merge branch 'master' into instance_server_type_data_source

Author: remyleone

docs/data-sources/instance_servers.md

@@ -46,6 +46,9 @@ In addition to all above arguments, the following attributes are exported:
     - `tags` - The tags associated with the server.
     - `public_ip` - The public IP address of the server.
     - `private_ip` - The Scaleway internal IP address of the server.
+    - `private_ips` - The list of private IPv4 and IPv6 addresses associated with the server.
+        - `id` - The ID of the IP address resource.
+        - `address` - The private IP address.
     - `public_ips` - The list of public IPs of the server
         - `id` - The ID of the IP
         - `address` - The address of the IP

docs/guides/backend_guide.md

@@ -1,10 +1,11 @@
 ---
 page_title: "Using Backend Guide"
 ---
+# Configuring Terraform Backends: PostgreSQL vs Object Storage
 
-# Terraform Backend
+## Configuring a Terraform Backend with PostgreSQL and State Locking
 
-This page describes how to configure a backend by adding the backend block to your configuration with the Terraform Scaleway Provider.
+This guide explains how to configure a remote backend using the Terraform Scaleway Provider with PostgreSQL, enabling remote state management with locking.
 
 Terraform provides the option to set up a [“backend”](https://developer.hashicorp.com/terraform/language/backend) of the `state` data files.
 
@@ -13,7 +14,7 @@ This option allows you to handle the state and the way certain operations are ex
 Backends can store the state remotely and protect it with locks to prevent corruption;
 it makes it possible for a team to work with ease, or, for instance, to run Terraform within a pipeline.
 
-## Create your database
+### Create your database
 
 You can create your database resource using terraform itself .
 
@@ -60,19 +61,19 @@ and deploy it:
 terraform plan -out "planfile" ; terraform apply -input=false -auto-approve "planfile"
 ```
 
-## Configuring the PostgreSQL Connection String
+#### Configuring the PostgreSQL Connection String
 
 We choose to set our environment variable for the connection string for this guide. Please check the [secret section](#secrets) for more details.
 
 ```shell
 export PG_CONN_STR=postgres://<user>:<pass>@localhost:<port>/terraform_backend?sslmode=disable
 ```
 
-## Secrets
+#### Secrets
 
 Hashicorp offers several methods to keep your secrets. Please check the Terraform [partial configuration](https://developer.hashicorp.com/terraform/language/backend#partial-configuration) for this topic.
 
-## Create your infrastructure with the Scaleway provider
+#### Create your infrastructure with the Scaleway provider
 
 ```hcl
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -126,7 +127,7 @@ AND TABLE_NAME = 'states';
     ....
 ```
 
-## Multiple Workplaces
+### Multiple Workplaces
 
 You can configure several `states` on your database using a different `schema_name`.
 
@@ -145,7 +146,7 @@ terraform {
 }
 ```
 
-## Migrating the state
+### Migrating the state
 
 Considering you have already running infrastructure you want to use the `backend` option.
 
@@ -159,15 +160,15 @@ Answer the prompt `yes`, and your state will migrate.
 $ terraform init -backend-config="conn_str=${PG_CONN_STR}" -migrate-state
 ```
 
-## What about locking?
+### What about locking?
 
 Most of the remote [backends](https://developer.hashicorp.com/terraform/language/backend#backend-types) natively support locking. To run terraform apply, Terraform will automatically acquire a lock;
 if someone else is already running apply, they will already have the lock, and you will have to wait.
 You can run apply with the `-lock-timeout=<TIME>` parameter to tell Terraform to wait up to TIME for a lock to be released (e.g., `-lock-timeout=10m` will wait for 10 minutes).
 
 The Lock method prevents opening the state file while already in use.
 
-## Share configuration
+### Share configuration
 
 You can also share the configuration using the different [data sources](https://www.terraform.io/language/state/remote-state-data).
 This is useful when working on the same infrastructure or the same team.
@@ -177,3 +178,68 @@ data "scaleway_rdb_instance" "mybackend" {
   name = "your-database-name"
 }
 ```
+
+## Alternative: Store Terraform State in Scaleway Object Storage (Without Locking)
+
+[Scaleway object storage](https://www.scaleway.com/en/object-storage/) can be used to store your Terraform state.
+However, this backend does not support state locking, which is critical when multiple users or automated processes might access the same state concurrently.
+Configure your backend as:
+
+```
+terraform {
+  backend "s3" {
+    bucket                      = "terraform-state"
+    key                         = "my_state.tfstate"
+    region                      = "fr-par"
+    endpoint                    = "https://s3.fr-par.scw.cloud"
+    access_key                  = "my-access-key"
+    secret_key                  = "my-secret-key"
+    skip_credentials_validation = true
+    force_path_style            = true
+    skip_region_validation = true
+    # Need terraform>=1.6.1
+    skip_requesting_account_id  = true
+  }
+}
+```
+
+Warning: This backend does not offer locking. If you're working in a team or running Terraform in CI/CD pipelines, using object storage without locking can lead to state corruption.
+
+### Securing credentials
+
+To avoid hardcoding secrets in your Terraform configuration, use one of the following secure methods:
+
+#### Environment Variables
+
+Set the credentials in your shell environment using the AWS-compatible variable names:
+
+```shell
+export AWS_ACCESS_KEY_ID=$SCW_ACCESS_KEY
+export AWS_SECRET_ACCESS_KEY=$SCW_SECRET_KEY
+```
+
+This approach is simple and works well for scripts, local development, and CI pipelines.
+
+#### AWS Credentials Files
+
+Store your credentials in:
+
+- `~/.aws/credentials` – for secrets
+- `~/.aws/config` – for configuration like profiles or regions
+
+Example ~/.aws/credentials file:
+
+```
+[default]
+aws_access_key_id = YOUR_SCW_ACCESS_KEY
+aws_secret_access_key = YOUR_SCW_SECRET_KEY
+```
+
+This method is ideal for managing multiple profiles or persisting configuration across sessions.
+
+Both methods are compatible with Terraform’s S3 backend, which also works with Scaleway Object Storage.
+
+For full details, see the official [Terraform S3 backend documentation](https://developer.hashicorp.com/terraform/language/backend/s3#access_key)
+
+For example configuration files, refer to the [Object Storage documentation](https://www.scaleway.com/en/docs/object-storage/api-cli/object-storage-aws-cli/)
+

docs/index.md

@@ -221,38 +221,9 @@ In addition to [generic provider arguments](https://www.terraform.io/docs/config
 | `region`          | `SCW_DEFAULT_REGION`                            | The [region](./guides/regions_and_zones.md#regions)  that will be used as default value for all resources. (`fr-par` if none specified)          |           |
 | `zone`            | `SCW_DEFAULT_ZONE`                              | The [zone](./guides/regions_and_zones.md#zones) that will be used as default value for all resources. (`fr-par-1` if none specified)             |           |
 
-## Store terraform state on Scaleway S3-compatible object storage
+## Store terraform state
 
-[Scaleway object storage](https://www.scaleway.com/en/object-storage/) can be used to store your Terraform state.
-Configure your backend as:
-
-```
-terraform {
-  backend "s3" {
-    bucket                      = "terraform-state"
-    key                         = "my_state.tfstate"
-    region                      = "fr-par"
-    endpoint                    = "https://s3.fr-par.scw.cloud"
-    access_key                  = "my-access-key"
-    secret_key                  = "my-secret-key"
-    skip_credentials_validation = true
-    skip_region_validation      = true
-    # Need terraform>=1.6.1
-    skip_requesting_account_id  = true
-  }
-}
-```
-
-Be careful as no locking mechanism are yet supported.
-Using scaleway object storage as terraform backend is not suitable if you work in a team with a risk of simultaneous access to the same plan.
-
-Note: For security reason it's not recommended to store secrets in terraform files.
-If you want to configure the backend with environment var, you need to use `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` [source](https://www.terraform.io/docs/backends/types/s3.html#access_key).
-
-```bash
-export AWS_ACCESS_KEY_ID=$SCW_ACCESS_KEY
-export AWS_SECRET_ACCESS_KEY=$SCW_SECRET_KEY
-```
+For detailed instructions and best practices, see the full [Backend guide](guides/backend_guide.md)
 
 ## Custom User-Agent Information
 

docs/resources/instance_security_group.md

@@ -21,7 +21,7 @@ resource "scaleway_instance_security_group" "web" {
   inbound_rule {
     action = "accept"
     port   = 22
-    ip     = "212.47.225.64"
+    ip_range     = "212.47.225.64/32"
   }
 
   inbound_rule {
@@ -46,13 +46,13 @@ resource "scaleway_instance_security_group" "web" {
 
   inbound_rule {
     action = "drop"
-    ip     = "1.1.1.1" # Banned IP
+    ip_range     = "1.1.1.1/32" # Banned IP range
   }
 
   inbound_rule {
     action = "accept"
     port   = 22
-    ip     = "212.47.225.64"
+    ip_range     = "212.47.225.64/32"
   }
 
   inbound_rule {
@@ -62,7 +62,7 @@ resource "scaleway_instance_security_group" "web" {
 
   outbound_rule {
     action = "accept"
-    ip     = "8.8.8.8" # Only allow outgoing connection to this IP.
+    ip_range     = "8.8.8.8/32" # Only allow outgoing connection to this IP range.
   }
 }
 ```
@@ -86,7 +86,7 @@ resource "scaleway_instance_security_group" "dummy" {
     content {
       action = "accept"
       port   = 22
-      ip     = inbound_rule.value
+      ip_range     = inbound_rule.value
     }
   }
 }
@@ -132,7 +132,7 @@ The `inbound_rule` and `outbound_rule` block supports:
   If no `port` nor `port_range` are specified, rule will apply to all port.
   Only one of `port` and `port_range` should be specified.
 
-- `ip`- (Optional) The ip this rule apply to. If no `ip` nor `ip_range` are specified, rule will apply to all ip. Only one of `ip` and `ip_range` should be specified.
+- `ip`- (Deprecated) The ip this rule apply to. If no `ip` nor `ip_range` are specified, rule will apply to all ip. Only one of `ip` and `ip_range` should be specified.
 
 - `ip_range`- (Optional) The ip range (e.g `192.168.1.0/24`) this rule applies to. If no `ip` nor `ip_range` are specified, rule will apply to all ip. Only one of `ip` and `ip_range` should be specified.
 

docs/resources/instance_security_group_rules.md

@@ -46,9 +46,9 @@ resource "scaleway_instance_security_group" "main" {
 
 locals {
   trusted = [
-    "1.2.3.4",
-    "4.5.6.7",
-    "7.8.9.10"
+    "1.2.3.4/32",
+    "4.5.6.7/32",
+    "7.8.9.10/24"
   ]
 }
 
@@ -59,7 +59,7 @@ resource "scaleway_instance_security_group_rules" "main" {
     for_each = local.trusted
     content {
       action = "accept"
-      ip     = inbound_rule.value
+      ip_range     = inbound_rule.value
       port   = 80
     }
   }
@@ -79,9 +79,9 @@ resource "scaleway_instance_security_group" "main" {
 
 locals {
   trusted = [
-    { ip = "1.2.3.4", port = "80" },
-    { ip = "5.6.7.8", port = "81" },
-    { ip = "9.10.11.12", port = "81" },
+    { ip_range = "1.2.3.4/32", port = "80" },
+    { ip_range = "5.6.7.8/32", port = "81" },
+    { ip_range = "9.10.11.12/32", port = "81" },
   ]
 }
 
@@ -92,7 +92,7 @@ resource "scaleway_instance_security_group_rules" "main" {
     for_each = local.trusted
     content {
       action = "accept"
-      ip     = inbound_rule.value.ip
+      ip_range     = inbound_rule.value.ip_range
       port   = inbound_rule.value.port
     }
   }
@@ -122,7 +122,7 @@ The `inbound_rule` and `outbound_rule` block supports:
   If no `port` nor `port_range` are specified, rule will apply to all port.
   Only one of `port` and `port_range` should be specified.
 
-- `ip`- (Optional) The ip this rule apply to. If no `ip` nor `ip_range` are specified, rule will apply to all ip. Only one of `ip` and `ip_range` should be specified.
+- `ip`- (Deprecated) The ip this rule apply to. If no `ip` nor `ip_range` are specified, rule will apply to all ip. Only one of `ip` and `ip_range` should be specified.
 
 - `ip_range`- (Optional) The ip range (e.g `192.168.1.0/24`) this rule applies to. If no `ip` nor `ip_range` are specified, rule will apply to all ip. Only one of `ip` and `ip_range` should be specified.
 

docs/resources/instance_snapshot.md

@@ -40,7 +40,6 @@ resource "scaleway_instance_server" "main" {
 
 resource "scaleway_instance_snapshot" "main" {
   volume_id  = scaleway_instance_volume.main.id
-  type       = "unified"
   depends_on = [scaleway_instance_server.main]
 }
 ```
@@ -59,7 +58,6 @@ resource "scaleway_object" "qcow" {
 }
 
 resource "scaleway_instance_snapshot" "snapshot" {
-  type = "unified"
   import {
     bucket = scaleway_object.qcow.bucket
     key    = scaleway_object.qcow.key
@@ -72,11 +70,12 @@ resource "scaleway_instance_snapshot" "snapshot" {
 The following arguments are supported:
 
 - `volume_id` - (Optional) The ID of the volume to take a snapshot from.
-- `type` - (Optional) The snapshot's volume type.  The possible values are: `l_ssd` (Local SSD) and `unified`.
+- `type` - (Default to `l_ssd`) The snapshot's volume type.  The possible values are: `l_ssd` (Local SSD).
 Updates to this field will recreate a new resource.
 
 ~> **Important:** Snapshots of volumes with type `b_ssd` (Block SSD) are deprecated and cannot be managed using the `scaleway_instance_snapshot` resource anymore. Please use the `scaleway_block_snapshot` resource instead.
 If you want to migrate existing snapshots, you can visit [this page](https://www.scaleway.com/en/docs/instances/how-to/migrate-volumes-snapshots-to-sbs/) for more information.
+~> **Important:** Snapshots of volumes with type `unified` (can be used with both Block and Local SSD) are deprecated since the migration to SBS.
 
 - `name` - (Optional) The name of the snapshot. If not provided it will be randomly generated.
 - `zone` - (Defaults to [provider](../index.md#zone) `zone`) The [zone](../guides/regions_and_zones.md#zones) in which
@@ -88,8 +87,6 @@ If you want to migrate existing snapshots, you can visit [this page](https://www
     - `bucket` - Bucket name containing [qcow2](https://en.wikipedia.org/wiki/Qcow) to import
     - `key` - Key of the object to import
 
--> **Note:** The type `unified` could be instantiated on both `l_ssd` and `b_ssd` volumes.
-
 ## Attributes Reference
 
 In addition to all arguments above, the following attributes are exported:

internal/services/block/helpers_block.go

@@ -9,7 +9,9 @@ import (
 	block "github.com/scaleway/scaleway-sdk-go/api/block/v1alpha1"
 	"github.com/scaleway/scaleway-sdk-go/api/instance/v1"
 	"github.com/scaleway/scaleway-sdk-go/scw"
+	"github.com/scaleway/terraform-provider-scaleway/v2/internal/dsf"
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/httperrors"
+	"github.com/scaleway/terraform-provider-scaleway/v2/internal/locality"
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/locality/zonal"
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/meta"
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/services/instance/instancehelpers"
@@ -56,6 +58,32 @@ func customDiffCannotShrink(key string) schema.CustomizeDiffFunc {
 	})
 }
 
+func customDiffSnapshot(key string) schema.CustomizeDiffFunc {
+	return func(ctx context.Context, diff *schema.ResourceDiff, i any) error {
+		if !diff.HasChange(key) {
+			return nil
+		}
+
+		oldValue, newValue := diff.GetChange(key)
+		if dsf.Locality(key, oldValue.(string), newValue.(string), nil) {
+			return nil
+		}
+
+		blockAPI := block.NewAPI(meta.ExtractScwClient(i))
+		zone, id, _ := locality.ParseLocalizedID(oldValue.(string))
+
+		_, err := blockAPI.GetSnapshot(&block.GetSnapshotRequest{
+			SnapshotID: id,
+			Zone:       scw.Zone(zone),
+		})
+		if (httperrors.Is403(err) || httperrors.Is404(err)) && newValue == "" {
+			return nil
+		}
+
+		return diff.ForceNew(key)
+	}
+}
+
 func migrateInstanceToBlockVolume(ctx context.Context, api *instancehelpers.BlockAndInstanceAPI, zone scw.Zone, volumeID string, timeout time.Duration) (*block.Volume, error) {
 	instanceVolumeResp, err := api.GetVolume(&instance.GetVolumeRequest{
 		Zone:     zone,