diff --git a/.github/actions/upload_terraform_module/action.yml b/.github/actions/upload_terraform_module/action.yml
index e75c0658e2..8d396f76f5 100644
--- a/.github/actions/upload_terraform_module/action.yml
+++ b/.github/actions/upload_terraform_module/action.yml
@@ -19,10 +19,10 @@ runs:
       shell: bash
       run: |
         sed -i "s/@@CONSTELLATION_VERSION@@/${{ inputs.version }}/g" \
-          terraform-module/constellation-cluster/variables.tf \
-          terraform-module/aws-constellation/variables.tf \
-          terraform-module/azure-constellation/variables.tf \
-          terraform-module/gcp-constellation/variables.tf
+          terraform-module/legacy-module/constellation-cluster/variables.tf \
+          terraform-module/legacy-module/aws-constellation/variables.tf \
+          terraform-module/legacy-module/azure-constellation/variables.tf \
+          terraform-module/legacy-module/gcp-constellation/variables.tf
 
     - name: Zip terraform dir
       shell: bash
diff --git a/.github/workflows/e2e-test-tf-module.yml b/.github/workflows/e2e-test-tf-module.yml
index f87efb9c03..4d7de486fe 100644
--- a/.github/workflows/e2e-test-tf-module.yml
+++ b/.github/workflows/e2e-test-tf-module.yml
@@ -91,7 +91,7 @@ jobs:
 
       - name: Create AWS Terraform variable input file
         if: inputs.cloudProvider == 'aws'
-        working-directory: ${{ github.workspace }}/terraform-module/aws-constellation
+        working-directory: ${{ github.workspace }}/terraform-module/legacy-module/aws-constellation
         shell: bash
         run: |
           cat > terraform.tfvars <<EOF
@@ -123,7 +123,7 @@ jobs:
 
       - name: Create Azure Terraform variable input file
         if: inputs.cloudProvider == 'azure'
-        working-directory: ${{ github.workspace }}/terraform-module/azure-constellation
+        working-directory: ${{ github.workspace }}/terraform-module/legacy-module/azure-constellation
         shell: bash
         run: |
           cat > terraform.tfvars <<EOF
@@ -154,7 +154,7 @@ jobs:
 
       - name: Create GCP Terraform variable input file
         if: inputs.cloudProvider == 'gcp'
-        working-directory: ${{ github.workspace }}/terraform-module/gcp-constellation
+        working-directory: ${{ github.workspace }}/terraform-module/legacy-module/gcp-constellation
         shell: bash
         run: |
           cat > terraform.tfvars <<EOF
diff --git a/cli/internal/cloudcmd/BUILD.bazel b/cli/internal/cloudcmd/BUILD.bazel
index 8883e5ced7..83b394338b 100644
--- a/cli/internal/cloudcmd/BUILD.bazel
+++ b/cli/internal/cloudcmd/BUILD.bazel
@@ -27,6 +27,7 @@ go_library(
         "//internal/cloud/openstack",
         "//internal/config",
         "//internal/constants",
+        "//internal/constellation",
         "//internal/constellation/state",
         "//internal/file",
         "//internal/imagefetcher",
diff --git a/cli/internal/cloudcmd/serviceaccount.go b/cli/internal/cloudcmd/serviceaccount.go
index e35711e2a9..994aaa5b05 100644
--- a/cli/internal/cloudcmd/serviceaccount.go
+++ b/cli/internal/cloudcmd/serviceaccount.go
@@ -14,35 +14,31 @@ import (
 	"github.com/edgelesssys/constellation/v2/internal/cloud/gcpshared"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/openstack"
 	"github.com/edgelesssys/constellation/v2/internal/config"
+	"github.com/edgelesssys/constellation/v2/internal/constellation"
 	"github.com/edgelesssys/constellation/v2/internal/file"
 )
 
 // GetMarshaledServiceAccountURI returns the service account URI for the given cloud provider.
 func GetMarshaledServiceAccountURI(config *config.Config, fileHandler file.Handler) (string, error) {
+	payload := constellation.ServiceAccountPayload{}
 	switch config.GetProvider() {
 	case cloudprovider.GCP:
 		var key gcpshared.ServiceAccountKey
 		if err := fileHandler.ReadJSON(config.Provider.GCP.ServiceAccountKeyPath, &key); err != nil {
 			return "", fmt.Errorf("reading service account key: %w", err)
 		}
-		return key.ToCloudServiceAccountURI(), nil
-
-	case cloudprovider.AWS:
-		return "", nil // AWS does not need a service account URI
+		payload.GCP = key
 
 	case cloudprovider.Azure:
-		authMethod := azureshared.AuthMethodUserAssignedIdentity
-
-		creds := azureshared.ApplicationCredentials{
+		payload.Azure = azureshared.ApplicationCredentials{
 			TenantID:            config.Provider.Azure.TenantID,
 			Location:            config.Provider.Azure.Location,
-			PreferredAuthMethod: authMethod,
+			PreferredAuthMethod: azureshared.AuthMethodUserAssignedIdentity,
 			UamiResourceID:      config.Provider.Azure.UserAssignedIdentity,
 		}
-		return creds.ToCloudServiceAccountURI(), nil
 
 	case cloudprovider.OpenStack:
-		creds := openstack.AccountKey{
+		payload.OpenStack = openstack.AccountKey{
 			AuthURL:           config.Provider.OpenStack.AuthURL,
 			Username:          config.Provider.OpenStack.Username,
 			Password:          config.Provider.OpenStack.Password,
@@ -52,12 +48,7 @@ func GetMarshaledServiceAccountURI(config *config.Config, fileHandler file.Handl
 			ProjectDomainName: config.Provider.OpenStack.ProjectDomainName,
 			RegionName:        config.Provider.OpenStack.RegionName,
 		}
-		return creds.ToCloudServiceAccountURI(), nil
-
-	case cloudprovider.QEMU:
-		return "", nil // QEMU does not use service account keys
 
-	default:
-		return "", fmt.Errorf("unsupported cloud provider %q", config.GetProvider())
 	}
+	return constellation.MarshalServiceAccountURI(config.GetProvider(), payload)
 }
diff --git a/cli/internal/cmd/BUILD.bazel b/cli/internal/cmd/BUILD.bazel
index 925e021a50..5654b1dee1 100644
--- a/cli/internal/cmd/BUILD.bazel
+++ b/cli/internal/cmd/BUILD.bazel
@@ -50,7 +50,6 @@ go_library(
     importpath = "github.com/edgelesssys/constellation/v2/cli/internal/cmd",
     visibility = ["//cli:__subpackages__"],
     deps = [
-        "//bootstrapper/initproto",
         "//cli/internal/cloudcmd",
         "//cli/internal/cmd/pathprefix",
         "//cli/internal/libvirt",
diff --git a/cli/internal/cmd/apply.go b/cli/internal/cmd/apply.go
index a54efb0720..4b7fb51a28 100644
--- a/cli/internal/cmd/apply.go
+++ b/cli/internal/cmd/apply.go
@@ -19,7 +19,6 @@ import (
 	"strings"
 	"time"
 
-	"github.com/edgelesssys/constellation/v2/bootstrapper/initproto"
 	"github.com/edgelesssys/constellation/v2/cli/internal/cloudcmd"
 	"github.com/edgelesssys/constellation/v2/internal/api/attestationconfigapi"
 	"github.com/edgelesssys/constellation/v2/internal/api/versionsapi"
@@ -823,7 +822,7 @@ type applier interface {
 	Init(
 		ctx context.Context, validator atls.Validator, state *state.State,
 		clusterLogWriter io.Writer, payload constellation.InitPayload,
-	) (*initproto.InitSuccessResponse, error)
+	) (constellation.InitOutput, error)
 
 	// methods required to install/upgrade Helm charts
 
diff --git a/cli/internal/cmd/apply_test.go b/cli/internal/cmd/apply_test.go
index 26ba1e376c..dfc0f0344e 100644
--- a/cli/internal/cmd/apply_test.go
+++ b/cli/internal/cmd/apply_test.go
@@ -17,7 +17,6 @@ import (
 	"testing"
 	"time"
 
-	"github.com/edgelesssys/constellation/v2/bootstrapper/initproto"
 	"github.com/edgelesssys/constellation/v2/internal/atls"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/gcpshared"
@@ -502,7 +501,7 @@ type stubConstellApplier struct {
 	generateMasterSecretErr    error
 	generateMeasurementSaltErr error
 	initErr                    error
-	initResponse               *initproto.InitSuccessResponse
+	initOutput                 constellation.InitOutput
 	*stubKubernetesUpgrader
 	helmApplier
 }
@@ -521,8 +520,8 @@ func (s *stubConstellApplier) GenerateMeasurementSalt() ([]byte, error) {
 	return s.measurementSalt, s.generateMeasurementSaltErr
 }
 
-func (s *stubConstellApplier) Init(context.Context, atls.Validator, *state.State, io.Writer, constellation.InitPayload) (*initproto.InitSuccessResponse, error) {
-	return s.initResponse, s.initErr
+func (s *stubConstellApplier) Init(context.Context, atls.Validator, *state.State, io.Writer, constellation.InitPayload) (constellation.InitOutput, error) {
+	return s.initOutput, s.initErr
 }
 
 type helmApplier interface {
diff --git a/cli/internal/cmd/applyinit.go b/cli/internal/cmd/applyinit.go
index bcb8da3dba..90fa77cdc9 100644
--- a/cli/internal/cmd/applyinit.go
+++ b/cli/internal/cmd/applyinit.go
@@ -8,16 +8,12 @@ package cmd
 
 import (
 	"bytes"
-	"encoding/hex"
 	"errors"
 	"fmt"
 	"io"
-	"net"
-	"net/url"
 	"path/filepath"
 	"text/tabwriter"
 
-	"github.com/edgelesssys/constellation/v2/bootstrapper/initproto"
 	"github.com/edgelesssys/constellation/v2/internal/attestation/choose"
 	"github.com/edgelesssys/constellation/v2/internal/config"
 	"github.com/edgelesssys/constellation/v2/internal/constants"
@@ -26,7 +22,6 @@ import (
 	"github.com/edgelesssys/constellation/v2/internal/file"
 	"github.com/edgelesssys/constellation/v2/internal/kms/uri"
 	"github.com/spf13/cobra"
-	"k8s.io/client-go/tools/clientcmd"
 )
 
 // runInit runs the init RPC to set up the Kubernetes cluster.
@@ -106,48 +101,24 @@ func (a *applyCmd) generateAndPersistMasterSecret(outWriter io.Writer) (uri.Mast
 // writeInitOutput writes the output of a cluster initialization to the
 // state- / kubeconfig-file and saves it to disk.
 func (a *applyCmd) writeInitOutput(
-	stateFile *state.State, initResp *initproto.InitSuccessResponse,
+	stateFile *state.State, initResp constellation.InitOutput,
 	mergeConfig bool, wr io.Writer, measurementSalt []byte,
 ) error {
 	fmt.Fprint(wr, "Your Constellation cluster was successfully initialized.\n\n")
 
-	ownerID := hex.EncodeToString(initResp.GetOwnerId())
-	clusterID := hex.EncodeToString(initResp.GetClusterId())
-
 	stateFile.SetClusterValues(state.ClusterValues{
 		MeasurementSalt: measurementSalt,
-		OwnerID:         ownerID,
-		ClusterID:       clusterID,
+		OwnerID:         initResp.OwnerID,
+		ClusterID:       initResp.ClusterID,
 	})
 
 	tw := tabwriter.NewWriter(wr, 0, 0, 2, ' ', 0)
-	writeRow(tw, "Constellation cluster identifier", clusterID)
+	writeRow(tw, "Constellation cluster identifier", initResp.ClusterID)
 	writeRow(tw, "Kubernetes configuration", a.flags.pathPrefixer.PrefixPrintablePath(constants.AdminConfFilename))
 	tw.Flush()
 	fmt.Fprintln(wr)
 
-	a.log.Debugf("Rewriting cluster server address in kubeconfig to %s", stateFile.Infrastructure.ClusterEndpoint)
-	kubeconfig, err := clientcmd.Load(initResp.GetKubeconfig())
-	if err != nil {
-		return fmt.Errorf("loading kubeconfig: %w", err)
-	}
-	if len(kubeconfig.Clusters) != 1 {
-		return fmt.Errorf("expected exactly one cluster in kubeconfig, got %d", len(kubeconfig.Clusters))
-	}
-	for _, cluster := range kubeconfig.Clusters {
-		kubeEndpoint, err := url.Parse(cluster.Server)
-		if err != nil {
-			return fmt.Errorf("parsing kubeconfig server URL: %w", err)
-		}
-		kubeEndpoint.Host = net.JoinHostPort(stateFile.Infrastructure.ClusterEndpoint, kubeEndpoint.Port())
-		cluster.Server = kubeEndpoint.String()
-	}
-	kubeconfigBytes, err := clientcmd.Write(*kubeconfig)
-	if err != nil {
-		return fmt.Errorf("marshaling kubeconfig: %w", err)
-	}
-
-	if err := a.fileHandler.Write(constants.AdminConfFilename, kubeconfigBytes, file.OptNone); err != nil {
+	if err := a.fileHandler.Write(constants.AdminConfFilename, initResp.Kubeconfig, file.OptNone); err != nil {
 		return fmt.Errorf("writing kubeconfig: %w", err)
 	}
 	a.log.Debugf("Kubeconfig written to %s", a.flags.pathPrefixer.PrefixPrintablePath(constants.AdminConfFilename))
diff --git a/cli/internal/cmd/init_test.go b/cli/internal/cmd/init_test.go
index 147222e426..169949d1c4 100644
--- a/cli/internal/cmd/init_test.go
+++ b/cli/internal/cmd/init_test.go
@@ -9,7 +9,6 @@ package cmd
 import (
 	"bytes"
 	"context"
-	"encoding/hex"
 	"fmt"
 	"strings"
 	"testing"
@@ -79,10 +78,10 @@ func TestInitialize(t *testing.T) {
 		AuthProviderX509CertURL: "cert",
 		ClientX509CertURL:       "client_cert",
 	}
-	testInitResp := &initproto.InitSuccessResponse{
+	testInitOutput := constellation.InitOutput{
 		Kubeconfig: respKubeconfigBytes,
-		OwnerId:    []byte("ownerID"),
-		ClusterId:  []byte("clusterID"),
+		OwnerID:    "ownerID",
+		ClusterID:  "clusterID",
 	}
 	serviceAccPath := "/test/service-account.json"
 
@@ -91,7 +90,7 @@ func TestInitialize(t *testing.T) {
 		stateFile               *state.State
 		configMutator           func(*config.Config)
 		serviceAccKey           *gcpshared.ServiceAccountKey
-		initResponse            *initproto.InitSuccessResponse
+		initOutput              constellation.InitOutput
 		initErr                 error
 		retriable               bool
 		masterSecretShouldExist bool
@@ -102,17 +101,17 @@ func TestInitialize(t *testing.T) {
 			stateFile:     preInitStateFile(cloudprovider.GCP),
 			configMutator: func(c *config.Config) { c.Provider.GCP.ServiceAccountKeyPath = serviceAccPath },
 			serviceAccKey: gcpServiceAccKey,
-			initResponse:  testInitResp,
+			initOutput:    testInitOutput,
 		},
 		"initialize some azure instances": {
-			provider:     cloudprovider.Azure,
-			stateFile:    preInitStateFile(cloudprovider.Azure),
-			initResponse: testInitResp,
+			provider:   cloudprovider.Azure,
+			stateFile:  preInitStateFile(cloudprovider.Azure),
+			initOutput: testInitOutput,
 		},
 		"initialize some qemu instances": {
-			provider:     cloudprovider.QEMU,
-			stateFile:    preInitStateFile(cloudprovider.QEMU),
-			initResponse: testInitResp,
+			provider:   cloudprovider.QEMU,
+			stateFile:  preInitStateFile(cloudprovider.QEMU),
+			initOutput: testInitOutput,
 		},
 		"non retriable error": {
 			provider:                cloudprovider.QEMU,
@@ -135,7 +134,7 @@ func TestInitialize(t *testing.T) {
 			stateFile:     &state.State{Version: "invalid"},
 			configMutator: func(c *config.Config) { c.Provider.GCP.ServiceAccountKeyPath = serviceAccPath },
 			serviceAccKey: gcpServiceAccKey,
-			initResponse:  testInitResp,
+			initOutput:    testInitOutput,
 			retriable:     true,
 			wantErr:       true,
 		},
@@ -144,7 +143,7 @@ func TestInitialize(t *testing.T) {
 			stateFile:     &state.State{},
 			configMutator: func(c *config.Config) { c.Provider.GCP.ServiceAccountKeyPath = serviceAccPath },
 			serviceAccKey: gcpServiceAccKey,
-			initResponse:  testInitResp,
+			initOutput:    testInitOutput,
 			retriable:     true,
 			wantErr:       true,
 		},
@@ -152,7 +151,7 @@ func TestInitialize(t *testing.T) {
 			provider:      cloudprovider.GCP,
 			configMutator: func(c *config.Config) { c.Provider.GCP.ServiceAccountKeyPath = serviceAccPath },
 			serviceAccKey: gcpServiceAccKey,
-			initResponse:  testInitResp,
+			initOutput:    testInitOutput,
 			retriable:     true,
 			wantErr:       true,
 		},
@@ -167,9 +166,9 @@ func TestInitialize(t *testing.T) {
 			wantErr:                 true,
 		},
 		"k8s version without v works": {
-			provider:     cloudprovider.Azure,
-			stateFile:    preInitStateFile(cloudprovider.Azure),
-			initResponse: testInitResp,
+			provider:   cloudprovider.Azure,
+			stateFile:  preInitStateFile(cloudprovider.Azure),
+			initOutput: testInitOutput,
 			configMutator: func(c *config.Config) {
 				res, err := versions.NewValidK8sVersion(strings.TrimPrefix(string(versions.Default), "v"), true)
 				require.NoError(t, err)
@@ -177,9 +176,9 @@ func TestInitialize(t *testing.T) {
 			},
 		},
 		"outdated k8s patch version doesn't work": {
-			provider:     cloudprovider.Azure,
-			stateFile:    preInitStateFile(cloudprovider.Azure),
-			initResponse: testInitResp,
+			provider:   cloudprovider.Azure,
+			stateFile:  preInitStateFile(cloudprovider.Azure),
+			initOutput: testInitOutput,
 			configMutator: func(c *config.Config) {
 				v, err := semver.New(versions.SupportedK8sVersions()[0])
 				require.NoError(t, err)
@@ -239,7 +238,7 @@ func TestInitialize(t *testing.T) {
 					},
 					measurementSalt: bytes.Repeat([]byte{0x03}, 32),
 					initErr:         tc.initErr,
-					initResponse:    tc.initResponse,
+					initOutput:      tc.initOutput,
 					stubKubernetesUpgrader: &stubKubernetesUpgrader{
 						// On init, no attestation config exists yet
 						getClusterAttestationConfigErr: k8serrors.NewNotFound(schema.GroupResource{}, ""),
@@ -266,7 +265,7 @@ func TestInitialize(t *testing.T) {
 			}
 			require.NoError(err)
 			// assert.Contains(out.String(), base64.StdEncoding.EncodeToString([]byte("ownerID")))
-			assert.Contains(out.String(), hex.EncodeToString([]byte("clusterID")))
+			assert.Contains(out.String(), "clusterID")
 			var secret uri.MasterSecret
 			assert.NoError(fileHandler.ReadJSON(constants.MasterSecretFilename, &secret))
 			assert.NotEmpty(secret.Key)
@@ -317,7 +316,7 @@ func TestWriteOutput(t *testing.T) {
 	respKubeconfig := k8sclientapi.Config{
 		Clusters: map[string]*k8sclientapi.Cluster{
 			"cluster": {
-				Server: "https://192.0.2.1:6443",
+				Server: "https://cluster-endpoint:6443",
 			},
 		},
 	}
@@ -333,9 +332,14 @@ func TestWriteOutput(t *testing.T) {
 			},
 		},
 	}
+	ownerID := string(resp.GetInitSuccess().GetOwnerId())
+	clusterID := string(resp.GetInitSuccess().GetClusterId())
+	initOutput := constellation.InitOutput{
+		OwnerID:    "ownerID",
+		ClusterID:  "clusterID",
+		Kubeconfig: respKubeconfigBytes,
+	}
 
-	ownerID := hex.EncodeToString(resp.GetInitSuccess().GetOwnerId())
-	clusterID := hex.EncodeToString(resp.GetInitSuccess().GetClusterId())
 	measurementSalt := []byte{0x41}
 
 	expectedStateFile := &state.State{
@@ -343,7 +347,7 @@ func TestWriteOutput(t *testing.T) {
 		ClusterValues: state.ClusterValues{
 			ClusterID:       clusterID,
 			OwnerID:         ownerID,
-			MeasurementSalt: []byte{0x41},
+			MeasurementSalt: measurementSalt,
 		},
 		Infrastructure: state.Infrastructure{
 			APIServerCertSANs: []string{},
@@ -365,8 +369,9 @@ func TestWriteOutput(t *testing.T) {
 		spinner:     &nopSpinner{},
 		merger:      &stubMerger{},
 		log:         logger.NewTest(t),
+		applier:     constellation.NewApplier(logger.NewTest(t), &nopSpinner{}, nil),
 	}
-	err = i.writeInitOutput(stateFile, resp.GetInitSuccess(), false, &out, measurementSalt)
+	err = i.writeInitOutput(stateFile, initOutput, false, &out, measurementSalt)
 	require.NoError(err)
 	assert.Contains(out.String(), clusterID)
 	assert.Contains(out.String(), constants.AdminConfFilename)
@@ -386,7 +391,7 @@ func TestWriteOutput(t *testing.T) {
 
 	// test custom workspace
 	i.flags.pathPrefixer = pathprefix.New("/some/path")
-	err = i.writeInitOutput(stateFile, resp.GetInitSuccess(), true, &out, measurementSalt)
+	err = i.writeInitOutput(stateFile, initOutput, true, &out, measurementSalt)
 	require.NoError(err)
 	assert.Contains(out.String(), clusterID)
 	assert.Contains(out.String(), i.flags.pathPrefixer.PrefixPrintablePath(constants.AdminConfFilename))
@@ -396,7 +401,7 @@ func TestWriteOutput(t *testing.T) {
 	i.flags.pathPrefixer = pathprefix.PathPrefixer{}
 
 	// test config merging
-	err = i.writeInitOutput(stateFile, resp.GetInitSuccess(), true, &out, measurementSalt)
+	err = i.writeInitOutput(stateFile, initOutput, true, &out, measurementSalt)
 	require.NoError(err)
 	assert.Contains(out.String(), clusterID)
 	assert.Contains(out.String(), constants.AdminConfFilename)
@@ -407,7 +412,7 @@ func TestWriteOutput(t *testing.T) {
 
 	// test config merging with env vars set
 	i.merger = &stubMerger{envVar: "/some/path/to/kubeconfig"}
-	err = i.writeInitOutput(stateFile, resp.GetInitSuccess(), true, &out, measurementSalt)
+	err = i.writeInitOutput(stateFile, initOutput, true, &out, measurementSalt)
 	require.NoError(err)
 	assert.Contains(out.String(), clusterID)
 	assert.Contains(out.String(), constants.AdminConfFilename)
diff --git a/docs/docs/workflows/terraform-module.md b/docs/docs/workflows/terraform-module.md
index e0534b9f51..2f1b16ad21 100644
--- a/docs/docs/workflows/terraform-module.md
+++ b/docs/docs/workflows/terraform-module.md
@@ -31,7 +31,7 @@ The files are deleted on `terraform destroy`.
 
   ```
   module "azure-constellation" {
-    source = "https://github.com/edgelesssys/constellation/releases/download/<version>/terraform-module.zip//terraform-module/azure-constellation" // replace <version> with a Constellation version, e.g., v2.13.0
+    source = "https://github.com/edgelesssys/constellation/releases/download/<version>/terraform-module.zip//terraform-module/legacy-module/azure-constellation" // replace <version> with a Constellation version, e.g., v2.13.0
     name = "constell"
     location = "northeurope"
     service_principal_name = "az-sp"
@@ -61,7 +61,7 @@ The files are deleted on `terraform destroy`.
 
   ```
   module "aws-constellation" {
-    source = "https://github.com/edgelesssys/constellation/releases/download/<version>/terraform-module.zip//terraform-module/aws-constellation" // replace <version> with a Constellation version, e.g., v2.13.0
+    source = "https://github.com/edgelesssys/constellation/releases/download/<version>/terraform-module.zip//terraform-module/legacy-module/aws-constellation" // replace <version> with a Constellation version, e.g., v2.13.0
     name        = "constell"
     zone        = "us-east-2c"
     name_prefix = "example"
@@ -92,7 +92,7 @@ The files are deleted on `terraform destroy`.
 
   ```
   module "gcp-constellation" {
-    source = "https://github.com/edgelesssys/constellation/releases/download/<version>/terraform-module.zip//terraform-module/gcp-constellation" // replace <version> with a Constellation version, e.g., v2.13.0
+    source = "https://github.com/edgelesssys/constellation/releases/download/<version>/terraform-module.zip//terraform-module/legacy-module/gcp-constellation" // replace <version> with a Constellation version, e.g., v2.13.0
     name    = "constell"
     project = "constell-proj" // replace with your project id
     service_account_id = "constid"
diff --git a/internal/constellation/BUILD.bazel b/internal/constellation/BUILD.bazel
index c1fdd64dd2..58bd5d235f 100644
--- a/internal/constellation/BUILD.bazel
+++ b/internal/constellation/BUILD.bazel
@@ -9,6 +9,7 @@ go_library(
         "constellation.go",
         "helm.go",
         "kubernetes.go",
+        "serviceaccount.go",
     ],
     importpath = "github.com/edgelesssys/constellation/v2/internal/constellation",
     visibility = ["//:__subpackages__"],
@@ -16,7 +17,10 @@ go_library(
         "//bootstrapper/initproto",
         "//internal/atls",
         "//internal/attestation/variant",
+        "//internal/cloud/azureshared",
         "//internal/cloud/cloudprovider",
+        "//internal/cloud/gcpshared",
+        "//internal/cloud/openstack",
         "//internal/config",
         "//internal/constants",
         "//internal/constellation/helm",
@@ -33,6 +37,7 @@ go_library(
         "//internal/semver",
         "//internal/versions",
         "@io_k8s_apiextensions_apiserver//pkg/apis/apiextensions/v1:apiextensions",
+        "@io_k8s_client_go//tools/clientcmd",
         "@org_golang_google_grpc//:go_default_library",
     ],
 )
@@ -62,6 +67,8 @@ go_test(
         "//internal/logger",
         "@com_github_stretchr_testify//assert",
         "@com_github_stretchr_testify//require",
+        "@io_k8s_client_go//tools/clientcmd",
+        "@io_k8s_client_go//tools/clientcmd/api",
         "@org_golang_google_grpc//:go_default_library",
     ],
 )
diff --git a/internal/constellation/applyinit.go b/internal/constellation/applyinit.go
index adccab89f2..9b73a5f5ad 100644
--- a/internal/constellation/applyinit.go
+++ b/internal/constellation/applyinit.go
@@ -12,6 +12,7 @@ import (
 	"fmt"
 	"io"
 	"net"
+	"net/url"
 	"strconv"
 	"sync"
 	"time"
@@ -26,6 +27,7 @@ import (
 	"github.com/edgelesssys/constellation/v2/internal/retry"
 	"github.com/edgelesssys/constellation/v2/internal/versions"
 	"google.golang.org/grpc"
+	"k8s.io/client-go/tools/clientcmd"
 )
 
 // InitPayload contains the configurable data for the init RPC.
@@ -50,7 +52,7 @@ func (a *Applier) Init(
 	clusterLogWriter io.Writer,
 	payload InitPayload,
 ) (
-	*initproto.InitSuccessResponse,
+	InitOutput,
 	error,
 ) {
 	// Prepare the Request
@@ -91,12 +93,48 @@ func (a *Applier) Init(
 	a.spinner.Start("Connecting ", false)
 	retrier := retry.NewIntervalRetrier(doer, 30*time.Second, serviceIsUnavailable)
 	if err := retrier.Do(ctx); err != nil {
-		return nil, fmt.Errorf("doing init call: %w", err)
+		return InitOutput{}, fmt.Errorf("doing init call: %w", err)
 	}
 	a.spinner.Stop()
 	a.log.Debugf("Initialization request finished")
 
-	return doer.resp, nil
+	a.log.Debugf("Rewriting cluster server address in kubeconfig to %s", state.Infrastructure.ClusterEndpoint)
+	kubeconfig, err := clientcmd.Load(doer.resp.Kubeconfig)
+	if err != nil {
+		return InitOutput{}, fmt.Errorf("loading kubeconfig: %w", err)
+	}
+	if len(kubeconfig.Clusters) != 1 {
+		return InitOutput{}, fmt.Errorf("expected exactly one cluster in kubeconfig, got %d", len(kubeconfig.Clusters))
+	}
+	for _, cluster := range kubeconfig.Clusters {
+		kubeEndpoint, err := url.Parse(cluster.Server)
+		if err != nil {
+			return InitOutput{}, fmt.Errorf("parsing kubeconfig server URL: %w", err)
+		}
+		kubeEndpoint.Host = net.JoinHostPort(state.Infrastructure.ClusterEndpoint, kubeEndpoint.Port())
+		cluster.Server = kubeEndpoint.String()
+	}
+
+	kubeconfigBytes, err := clientcmd.Write(*kubeconfig)
+	if err != nil {
+		return InitOutput{}, fmt.Errorf("writing kubeconfig: %w", err)
+	}
+
+	return InitOutput{
+		ClusterID:  string(doer.resp.OwnerId),
+		OwnerID:    string(doer.resp.ClusterId),
+		Kubeconfig: kubeconfigBytes,
+	}, nil
+}
+
+// InitOutput contains the output of the init RPC.
+type InitOutput struct {
+	// ClusterID is the ID of the cluster.
+	ClusterID string
+	// OwnerID is the ID of the owner of the cluster.
+	OwnerID string
+	// Kubeconfig is the kubeconfig for the cluster.
+	Kubeconfig []byte
 }
 
 // the initDoer performs the actual init RPC with retry logic.
diff --git a/internal/constellation/applyinit_test.go b/internal/constellation/applyinit_test.go
index ecb5f1458f..7d16d5fe74 100644
--- a/internal/constellation/applyinit_test.go
+++ b/internal/constellation/applyinit_test.go
@@ -32,9 +32,21 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc"
+	"k8s.io/client-go/tools/clientcmd"
+	k8sclientapi "k8s.io/client-go/tools/clientcmd/api"
 )
 
 func TestInit(t *testing.T) {
+	respKubeconfig := k8sclientapi.Config{
+		Clusters: map[string]*k8sclientapi.Cluster{
+			"cluster": {
+				Server: "https://192.0.2.1:6443",
+			},
+		},
+	}
+	respKubeconfigBytes, err := clientcmd.Write(respKubeconfig)
+	require.NoError(t, err)
+
 	clusterEndpoint := "192.0.2.1"
 	newState := func(endpoint string) *state.State {
 		return &state.State{
@@ -58,6 +70,20 @@ func TestInit(t *testing.T) {
 		wantErr            bool
 	}{
 		"success": {
+			server: newInitServer(nil,
+				&initproto.InitResponse{
+					Kind: &initproto.InitResponse_InitSuccess{
+						InitSuccess: &initproto.InitSuccessResponse{
+							Kubeconfig: respKubeconfigBytes,
+							OwnerId:    []byte{},
+							ClusterId:  []byte{},
+						},
+					},
+				}),
+			state:              newState(clusterEndpoint),
+			initServerEndpoint: clusterEndpoint,
+		},
+		"kubeconfig without clusters": {
 			server: newInitServer(nil,
 				&initproto.InitResponse{
 					Kind: &initproto.InitResponse_InitSuccess{
@@ -70,6 +96,7 @@ func TestInit(t *testing.T) {
 				}),
 			state:              newState(clusterEndpoint),
 			initServerEndpoint: clusterEndpoint,
+			wantErr:            true,
 		},
 		"no response": {
 			server:             newInitServer(nil),
@@ -135,7 +162,7 @@ func TestInit(t *testing.T) {
 				&initproto.InitResponse{
 					Kind: &initproto.InitResponse_InitSuccess{
 						InitSuccess: &initproto.InitSuccessResponse{
-							Kubeconfig: []byte{},
+							Kubeconfig: respKubeconfigBytes,
 							OwnerId:    []byte{},
 							ClusterId:  []byte{},
 						},
diff --git a/internal/constellation/serviceaccount.go b/internal/constellation/serviceaccount.go
new file mode 100644
index 0000000000..c88d92a19f
--- /dev/null
+++ b/internal/constellation/serviceaccount.go
@@ -0,0 +1,47 @@
+/*
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+
+package constellation
+
+import (
+	"fmt"
+
+	"github.com/edgelesssys/constellation/v2/internal/cloud/azureshared"
+	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
+	"github.com/edgelesssys/constellation/v2/internal/cloud/gcpshared"
+	"github.com/edgelesssys/constellation/v2/internal/cloud/openstack"
+)
+
+// MarshalServiceAccountURI returns the service account URI for the given cloud provider.
+func MarshalServiceAccountURI(provider cloudprovider.Provider, payload ServiceAccountPayload) (string, error) {
+	switch provider {
+	case cloudprovider.GCP:
+		return payload.GCP.ToCloudServiceAccountURI(), nil
+
+	case cloudprovider.AWS:
+		return "", nil // AWS does not need a service account URI
+
+	case cloudprovider.Azure:
+		return payload.Azure.ToCloudServiceAccountURI(), nil
+
+	case cloudprovider.OpenStack:
+		return payload.OpenStack.ToCloudServiceAccountURI(), nil
+
+	case cloudprovider.QEMU:
+		return "", nil // QEMU does not use service account keys
+
+	default:
+		return "", fmt.Errorf("unsupported cloud provider %q", provider)
+	}
+}
+
+// ServiceAccountPayload is data a service account URI can be built
+// from for a given cloud provider.
+type ServiceAccountPayload struct {
+	GCP       gcpshared.ServiceAccountKey
+	Azure     azureshared.ApplicationCredentials
+	OpenStack openstack.AccountKey
+}
diff --git a/terraform-provider-constellation/docs/resources/cluster.md b/terraform-provider-constellation/docs/resources/cluster.md
index 53246c8d60..f37848e5d3 100644
--- a/terraform-provider-constellation/docs/resources/cluster.md
+++ b/terraform-provider-constellation/docs/resources/cluster.md
@@ -10,7 +10,32 @@ description: |-
 
 Resource for a Constellation cluster.
 
-
+## Example Usage
+
+```terraform
+// Not up-to-date
+
+data "constellation_attestation" "foo" {} # Fill accordingly for the CSP and attestation variant
+
+data "constellation_image" "bar" {} # Fill accordingly for the CSP
+
+resource "constellation_cluster" "aws_example" {
+  csp                                = "aws"
+  name                               = "constell"
+  uid                                = "deadbeef"
+  constellation_microservice_version = "vx.y.z"
+  image                              = data.constellation_image.bar.image
+  attestation                        = data.constellation_attestation.foo.attestation
+  init_secret                        = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
+  master_secret                      = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
+  master_secret_salt                 = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
+  out_of_cluster_endpoint            = "123.123.123.123"
+  network_config = {
+    ip_cidr_node    = "192.168.176.0/20"
+    ip_cidr_service = "10.96.0.0/12"
+  }
+}
+```
 
 <!-- schema generated by tfplugindocs -->
 ## Schema
@@ -18,19 +43,27 @@ Resource for a Constellation cluster.
 ### Required
 
 - `attestation` (Attributes) Attestation comprises the measurements and SEV-SNP specific parameters. (see [below for nested schema](#nestedatt--attestation))
-- `init_secret` (String) The init secret to use for the cluster.
-- `master_secret` (String) The master secret to use for the cluster.
+- `csp` (String) The Cloud Service Provider (CSP) the cluster should run on.
+- `image_reference` (String) Constellation OS image reference to use in the CSP specific reference format. Use the [`constellation_image`](../data-sources/image.md) data source to find the correct image reference for your CSP.
+- `image_version` (String) Constellation OS image version to use in the CSP specific reference format. Use the [`constellation_image`](../data-sources/image.md) data source to find the correct image version for your CSP.
+- `init_secret` (String) Secret used for initialization of the cluster.
+- `master_secret` (String) Hex-encoded 32-byte master secret for the cluster.
+- `master_secret_salt` (String) Hex-encoded 32-byte master secret salt for the cluster.
+- `measurement_salt` (String) Hex-encoded 32-byte measurement salt for the cluster.
+- `name` (String) Name used in the cluster's named resources / cluster name.
+- `network_config` (Attributes) Configuration for the cluster's network. (see [below for nested schema](#nestedatt--network_config))
+- `out_of_cluster_endpoint` (String) The endpoint of the cluster. Typically, this is the public IP of a loadbalancer.
 - `uid` (String) The UID of the cluster.
 
 ### Optional
 
-- `constellation_microservices_version` (String) The Constellation microservices version to use for the cluster.
+- `azure` (Attributes) Azure-specific configuration. (see [below for nested schema](#nestedatt--azure))
+- `constellation_microservice_version` (String) The version of Constellation's microservices used within the cluster. When not set, the provider default version is used.
+- `extra_api_server_cert_sans` (List of String) List of additional Subject Alternative Names (SANs) for the API server certificate.
 - `extra_microservices` (Attributes) Extra microservice settings. (see [below for nested schema](#nestedatt--extra_microservices))
-- `image` (String) The Constellation OS image to use in the CSP specific reference format. Use the `constellation_image` data source to find the correct image for your CSP.
-- `init_endpoint` (String) The endpoint to use for cluster initialization. This is the endpoint of the node running the bootstrapper.
-- `kubernetes_api_endpoint` (String) The endpoint to use for the Kubernetes API.
-- `kubernetes_version` (String) The Kubernetes version to use for the cluster. When not set, the latest default version ("v1.27.8") will be used. The supported versions are [v1.26.11 v1.27.8 v1.28.4].
-- `name` (String) Name used in the cluster's named resources / cluster name.
+- `gcp` (Attributes) GCP-specific configuration. (see [below for nested schema](#nestedatt--gcp))
+- `in_cluster_endpoint` (String) The endpoint of the cluster. When not set, the out-of-cluster endpoint is used.
+- `kubernetes_version` (String) The Kubernetes version to use for the cluster. When not set, version v1.27.8 is used. The supported versions are [v1.26.11 v1.27.8 v1.28.4].
 
 ### Read-Only
 
@@ -79,9 +112,46 @@ Optional:
 
 
 
+<a id="nestedatt--network_config"></a>
+### Nested Schema for `network_config`
+
+Required:
+
+- `ip_cidr_node` (String) CIDR range of the cluster's node network.
+- `ip_cidr_service` (String) CIDR range of the cluster's service network.
+
+Optional:
+
+- `ip_cidr_pod` (String) CIDR range of the cluster's pod network. Only required for clusters running on GCP.
+
+
+<a id="nestedatt--azure"></a>
+### Nested Schema for `azure`
+
+Required:
+
+- `load_balancer_name` (String) Name of the Azure load balancer used by the cluster.
+- `location` (String) Azure Location of the cluster.
+- `network_security_group_name` (String) Name of the Azure network security group used for the cluster.
+- `resource_group` (String) Name of the Azure resource group the cluster resides in.
+- `subscription_id` (String) ID of the Azure subscription the cluster resides in.
+- `tenant_id` (String) Tenant ID of the Azure account.
+- `uami_client_id` (String) Client ID of the User assigned managed identity (UAMI) used within the cluster.
+- `uami_resource_id` (String) Resource ID of the User assigned managed identity (UAMI) used within the cluster.
+
+
 <a id="nestedatt--extra_microservices"></a>
 ### Nested Schema for `extra_microservices`
 
-Optional:
+Required:
+
+- `csi_driver` (Boolean) Enable Constellation's [encrypted CSI driver](https://docs.edgeless.systems/constellation/workflows/storage).
+
+
+<a id="nestedatt--gcp"></a>
+### Nested Schema for `gcp`
+
+Required:
 
-- `csi_driver` (Boolean) Enable the CSI driver microservice.
+- `project_id` (String) ID of the GCP project the cluster resides in.
+- `service_account_key` (String) Base64-encoded private key JSON object of the service account used within the cluster.
diff --git a/terraform-provider-constellation/examples/resources/constellation_cluster/resource.tf b/terraform-provider-constellation/examples/resources/constellation_cluster/resource.tf
new file mode 100644
index 0000000000..35d9029e08
--- /dev/null
+++ b/terraform-provider-constellation/examples/resources/constellation_cluster/resource.tf
@@ -0,0 +1,22 @@
+// Not up-to-date
+
+data "constellation_attestation" "foo" {} # Fill accordingly for the CSP and attestation variant
+
+data "constellation_image" "bar" {} # Fill accordingly for the CSP
+
+resource "constellation_cluster" "aws_example" {
+  csp                                = "aws"
+  name                               = "constell"
+  uid                                = "deadbeef"
+  constellation_microservice_version = "vx.y.z"
+  image                              = data.constellation_image.bar.image
+  attestation                        = data.constellation_attestation.foo.attestation
+  init_secret                        = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
+  master_secret                      = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
+  master_secret_salt                 = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
+  out_of_cluster_endpoint            = "123.123.123.123"
+  network_config = {
+    ip_cidr_node    = "192.168.176.0/20"
+    ip_cidr_service = "10.96.0.0/12"
+  }
+}
diff --git a/terraform-provider-constellation/examples/resources/scaffolding_example/resource.tf b/terraform-provider-constellation/examples/resources/scaffolding_example/resource.tf
deleted file mode 100644
index 9ae3f579fa..0000000000
--- a/terraform-provider-constellation/examples/resources/scaffolding_example/resource.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-resource "scaffolding_example" "example" {
-  configurable_attribute = "some-value"
-}
diff --git a/terraform-provider-constellation/go.mod b/terraform-provider-constellation/go.mod
index 117b735c4d..6e9b844a34 100644
--- a/terraform-provider-constellation/go.mod
+++ b/terraform-provider-constellation/go.mod
@@ -4,7 +4,10 @@ go 1.21
 
 toolchain go1.21.5
 
-replace github.com/edgelesssys/constellation/v2 => ./..
+replace (
+	github.com/edgelesssys/constellation/v2 => ./..
+	github.com/edgelesssys/constellation/v2/operators/constellation-node-operator/v2/api => ./../operators/constellation-node-operator/api
+)
 
 require (
 	github.com/bazelbuild/rules_go v0.43.0
@@ -21,13 +24,23 @@ require (
 	cloud.google.com/go/compute v1.23.0 // indirect
 	cloud.google.com/go/compute/metadata v0.2.3 // indirect
 	code.cloudfoundry.org/clock v0.0.0-20180518195852-02e53af36e6c // indirect
+	dario.cat/mergo v1.0.0 // indirect
+	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.1 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/applicationinsights/armapplicationinsights v1.1.1 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v5 v5.1.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v4 v4.0.0 // indirect
+	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 // indirect
+	github.com/BurntSushi/toml v1.3.2 // indirect
+	github.com/MakeNowJust/heredoc v1.0.0 // indirect
+	github.com/Masterminds/goutils v1.1.1 // indirect
+	github.com/Masterminds/semver/v3 v3.2.1 // indirect
+	github.com/Masterminds/sprig/v3 v3.2.3 // indirect
+	github.com/Masterminds/squirrel v1.5.4 // indirect
+	github.com/Microsoft/hcsshim v0.11.0 // indirect
 	github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 // indirect
 	github.com/agext/levenshtein v1.2.2 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
@@ -54,15 +67,34 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.12 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.19.2 // indirect
 	github.com/aws/smithy-go v1.13.5 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver v3.5.1+incompatible // indirect
+	github.com/blang/semver/v4 v4.0.0 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/chai2010/gettext-go v1.0.2 // indirect
 	github.com/cloudflare/circl v1.3.3 // indirect
+	github.com/containerd/containerd v1.7.6 // indirect
 	github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7 // indirect
+	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/docker/cli v24.0.6+incompatible // indirect
+	github.com/docker/distribution v2.8.2+incompatible // indirect
+	github.com/docker/docker v24.0.6+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.7.0 // indirect
+	github.com/docker/go-connections v0.4.0 // indirect
+	github.com/docker/go-metrics v0.0.1 // indirect
+	github.com/docker/go-units v0.5.0 // indirect
+	github.com/edgelesssys/constellation/v2/operators/constellation-node-operator/v2/api v0.0.0 // indirect
 	github.com/edgelesssys/go-azguestattestation v0.0.0-20230707101700-a683be600fcf // indirect
 	github.com/edgelesssys/go-tdx-qpl v0.0.0-20230530085549-fd2878a4dead // indirect
+	github.com/emicklei/go-restful/v3 v3.10.1 // indirect
+	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
+	github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
 	github.com/fatih/color v1.15.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.2 // indirect
 	github.com/go-chi/chi v4.1.2+incompatible // indirect
+	github.com/go-errors/errors v1.4.2 // indirect
+	github.com/go-gorp/gorp/v3 v3.1.0 // indirect
 	github.com/go-jose/go-jose/v3 v3.0.0 // indirect
 	github.com/go-logr/logr v1.2.4 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
@@ -79,11 +111,15 @@ require (
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-playground/validator/v10 v10.14.1 // indirect
+	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/gofrs/uuid v4.2.0+incompatible // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/google/btree v1.1.2 // indirect
 	github.com/google/certificate-transparency-go v1.1.4 // indirect
+	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/go-attestation v0.5.0 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/go-containerregistry v0.15.2 // indirect
@@ -92,11 +128,18 @@ require (
 	github.com/google/go-tpm v0.9.0 // indirect
 	github.com/google/go-tpm-tools v0.4.2 // indirect
 	github.com/google/go-tspi v0.3.0 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/logger v1.1.1 // indirect
 	github.com/google/s2a-go v0.1.7 // indirect
+	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/google/uuid v1.4.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.1 // indirect
 	github.com/googleapis/gax-go/v2 v2.12.0 // indirect
+	github.com/gophercloud/gophercloud v1.5.0 // indirect
+	github.com/gophercloud/utils v0.0.0-20231010081019-80377eca5d56 // indirect
+	github.com/gorilla/mux v1.8.0 // indirect
+	github.com/gosuri/uitable v0.0.4 // indirect
+	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.0.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-checkpoint v0.5.0 // indirect
@@ -117,40 +160,70 @@ require (
 	github.com/hashicorp/terraform-registry-address v0.2.3 // indirect
 	github.com/hashicorp/terraform-svchost v0.1.1 // indirect
 	github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d // indirect
+	github.com/huandu/xstrings v1.4.0 // indirect
+	github.com/imdario/mergo v0.3.15 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/jmoiron/sqlx v1.3.5 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/klauspost/compress v1.16.5 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
+	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
+	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
 	github.com/leodido/go-urn v1.2.4 // indirect
 	github.com/letsencrypt/boulder v0.0.0-20221109233200-85aa52084eaf // indirect
+	github.com/lib/pq v1.10.9 // indirect
+	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.19 // indirect
 	github.com/mattn/go-runewidth v0.0.14 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/microsoft/ApplicationInsights-Go v0.4.4 // indirect
 	github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
+	github.com/moby/locker v1.0.1 // indirect
+	github.com/moby/spdystream v0.2.0 // indirect
+	github.com/moby/term v0.5.0 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
+	github.com/morikuni/aec v1.0.0 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/oklog/run v1.0.0 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.1.0-rc5 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/pborman/uuid v1.2.1 // indirect
+	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/prometheus/client_golang v1.16.0 // indirect
+	github.com/prometheus/client_model v0.4.0 // indirect
+	github.com/prometheus/common v0.44.0 // indirect
+	github.com/prometheus/procfs v0.10.1 // indirect
 	github.com/rivo/uniseg v0.4.4 // indirect
+	github.com/rubenv/sql-migrate v1.5.2 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/sassoftware/relic v7.2.1+incompatible // indirect
 	github.com/schollz/progressbar/v3 v3.13.1 // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.6.0 // indirect
+	github.com/shopspring/decimal v1.3.1 // indirect
 	github.com/siderolabs/talos/pkg/machinery v1.4.6 // indirect
 	github.com/sigstore/rekor v1.2.2 // indirect
 	github.com/sigstore/sigstore v1.7.1 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/spf13/afero v1.10.0 // indirect
+	github.com/spf13/cast v1.5.1 // indirect
 	github.com/spf13/cobra v1.7.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/theupdateframework/go-tuf v0.5.2 // indirect
@@ -160,11 +233,16 @@ require (
 	github.com/vmihailenco/msgpack/v5 v5.4.1 // indirect
 	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
 	github.com/vtolstov/go-ioctl v0.0.0-20151206205506-6be9cced4810 // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
+	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
+	github.com/xlab/treeprint v1.2.0 // indirect
 	github.com/zclconf/go-cty v1.14.1 // indirect
 	go.mongodb.org/mongo-driver v1.11.3 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/otel v1.14.0 // indirect
 	go.opentelemetry.io/otel/trace v1.14.0 // indirect
+	go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.26.0 // indirect
 	golang.org/x/crypto v0.14.0 // indirect
@@ -172,9 +250,11 @@ require (
 	golang.org/x/mod v0.13.0 // indirect
 	golang.org/x/net v0.17.0 // indirect
 	golang.org/x/oauth2 v0.13.0 // indirect
+	golang.org/x/sync v0.4.0 // indirect
 	golang.org/x/sys v0.13.0 // indirect
 	golang.org/x/term v0.13.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/time v0.3.0 // indirect
 	google.golang.org/api v0.148.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20231002182017-d307bd883b97 // indirect
@@ -182,11 +262,30 @@ require (
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20231012201019-e917dd12ba7a // indirect
 	google.golang.org/grpc v1.59.0 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
+	helm.sh/helm v2.17.0+incompatible // indirect
+	helm.sh/helm/v3 v3.13.1 // indirect
+	k8s.io/api v0.28.2 // indirect
+	k8s.io/apiextensions-apiserver v0.28.2 // indirect
 	k8s.io/apimachinery v0.28.2 // indirect
+	k8s.io/apiserver v0.28.2 // indirect
+	k8s.io/cli-runtime v0.28.2 // indirect
+	k8s.io/client-go v0.28.2 // indirect
+	k8s.io/cluster-bootstrap v0.27.3 // indirect
+	k8s.io/component-base v0.28.2 // indirect
 	k8s.io/klog/v2 v2.100.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect
+	k8s.io/kubectl v0.28.2 // indirect
 	k8s.io/kubernetes v1.27.8 // indirect
 	k8s.io/utils v0.0.0-20230505201702-9f6742963106 // indirect
+	oras.land/oras-go v1.2.4 // indirect
+	sigs.k8s.io/controller-runtime v0.15.0 // indirect
+	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
+	sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 // indirect
+	sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
+	sigs.k8s.io/yaml v1.3.0 // indirect
 )
diff --git a/terraform-provider-constellation/go.sum b/terraform-provider-constellation/go.sum
index 9422236e88..1c1d5dc4b3 100644
--- a/terraform-provider-constellation/go.sum
+++ b/terraform-provider-constellation/go.sum
@@ -67,6 +67,8 @@ github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v4 v4.0
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v4 v4.0.0/go.mod h1:bCUhQ1sbQHAG4nm1SqWwLlnKnRVT2e6Lu0cij7OzliM=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.1.1 h1:7CBQ+Ei8SP2c6ydQTGCCrS35bDxgTMfoP2miAwK++OU=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.1.1/go.mod h1:c/wcGeGx5FUPbM/JltUYHZcKmigwyVLJlDq+4HdtXaw=
+github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
+github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs=
 github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
 github.com/Azure/go-autorest/autorest v0.11.29 h1:I4+HL/JDvErx2LjyzaVxllw2lRDB5/BT2Bm4g20iqYw=
@@ -75,22 +77,45 @@ github.com/Azure/go-autorest/autorest/to v0.4.0/go.mod h1:fE8iZBn7LQR7zH/9XU2NcP
 github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 h1:OBhqkivkhkMqLPymWEppkm7vgPQY2XsHoEkaMQ0AdZY=
 github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0/go.mod h1:kgDmCTgBzIEPFElEF+FK0SdjAor06dRq2Go927dnQ6o=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8=
+github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
+github.com/DATA-DOG/go-sqlmock v1.5.0 h1:Shsta01QNfFxHCfpW6YH2STWB0MudeXXEWMr20OEh60=
+github.com/DATA-DOG/go-sqlmock v1.5.0/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM=
+github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ=
+github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE=
+github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
+github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
+github.com/Masterminds/semver/v3 v3.2.0/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
+github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0rYXWg0=
+github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
+github.com/Masterminds/sprig/v3 v3.2.3 h1:eL2fZNezLomi0uOLqjQoN6BfsDD+fyLtgbJMAj9n6YA=
+github.com/Masterminds/sprig/v3 v3.2.3/go.mod h1:rXcFaZ2zZbLRJv/xSysmlgIM1u11eBaRMhvYXJNkGuM=
+github.com/Masterminds/squirrel v1.5.4 h1:uUcX/aBc8O7Fg9kaISIUsHXdKuqehiXAMQTYX8afzqM=
+github.com/Masterminds/squirrel v1.5.4/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA400rg+riTZj10=
 github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
 github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
+github.com/Microsoft/hcsshim v0.11.0 h1:7EFNIY4igHEXUdj1zXgAyU3fLc7QfOKHbkldRVTBdiM=
+github.com/Microsoft/hcsshim v0.11.0/go.mod h1:OEthFdQv/AD2RAdzR6Mm1N1KPCztGKDurW1Z8b8VGMM=
 github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 h1:kkhsdkhsCvIsutKu5zLMgWtgh9YxGCNAw8Ad8hjwfYg=
 github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
 github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
+github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d h1:UrqY+r/OJnIp5u0s1SbQ8dVfLCZJsnvazdBP5hS4iRs=
+github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d/go.mod h1:HI8ITrYtUY+O+ZhtlqUnD8+KwNPOyugEhfP9fdUIaEQ=
 github.com/acomagu/bufpipe v1.0.4 h1:e3H4WUzM3npvo5uv95QuJM3cQspFNtFBzvJ2oNjKIDQ=
 github.com/acomagu/bufpipe v1.0.4/go.mod h1:mxdxdup/WdsKVreO5GpW4+M/1CE2sMG4jeGJ2sYmHc4=
 github.com/agext/levenshtein v1.2.2 h1:0S/Yg6LYmFJ5stwQeRp6EeOcCbj7xiqQSdNelsXvaqE=
 github.com/agext/levenshtein v1.2.2/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
+github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
+github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alessio/shellescape v1.4.1 h1:V7yhSDDn8LP4lc4jS8pFkt0zCnzVJlG5JXy9BVKJUX0=
 github.com/alessio/shellescape v1.4.1/go.mod h1:PZAiSCk0LJaZkiCSkPv8qIobYglO3FPpyFjDCtHLS30=
 github.com/apparentlymart/go-textseg/v12 v12.0.0/go.mod h1:S/4uRK2UtaQttw1GenVJEynmyUenKwP++x/+DdGV/Ec=
 github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY=
 github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4=
+github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
+github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
@@ -140,16 +165,30 @@ github.com/aws/smithy-go v1.13.5 h1:hgz0X/DX0dGqTYpGALqXJoRKRj5oQ7150i5FdTePzO8=
 github.com/aws/smithy-go v1.13.5/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
 github.com/bazelbuild/rules_go v0.43.0 h1:Q+vDhH4yzafZ0xHBT0JEVawb+1nDHUXhjvWTqSGCCyU=
 github.com/bazelbuild/rules_go v0.43.0/go.mod h1:TFLfii8e49kTgn329knh1lsJFKdxyp/hKlWObY66xwY=
+github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
+github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ=
 github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
+github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
+github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
+github.com/bshuster-repo/logrus-logstash-hook v1.0.0 h1:e+C0SB5R1pu//O4MQ3f9cFuPGoOVeF2fE4Og9otCc70=
+github.com/bshuster-repo/logrus-logstash-hook v1.0.0/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk=
 github.com/bufbuild/protocompile v0.4.0 h1:LbFKd2XowZvQ/kajzguUp2DC9UEIQhIq77fZZlaQsNA=
 github.com/bufbuild/protocompile v0.4.0/go.mod h1:3v93+mbWn/v3xzN+31nwkJfrEpAUwp+BagBSZWx+TP8=
+github.com/bugsnag/bugsnag-go v0.0.0-20141110184014-b1d153021fcd h1:rFt+Y/IK1aEZkEHchZRSq9OQbsSzIT/OrI8YFFmRIng=
+github.com/bugsnag/bugsnag-go v0.0.0-20141110184014-b1d153021fcd/go.mod h1:2oa8nejYd4cQ/b0hMIopN0lCRxU0bueqREvZLWFrtK8=
+github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b h1:otBG+dV+YK+Soembjv71DPz3uX/V/6MMlSyD9JBQ6kQ=
+github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b/go.mod h1:obH5gd0BsqsP2LwDJ9aOkm/6J86V6lyAXCoQWGw3K50=
+github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0 h1:nvj0OLI3YqYXer/kZD8Ri1aaunCxIEsOst1BVJswV0o=
+github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0/go.mod h1:D/8v3kj0zr8ZAKg1AQ6crr+5VwKN5eIywRkfhyM/+dE=
 github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
 github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/chai2010/gettext-go v1.0.2 h1:1Lwwip6Q2QGsAdl/ZKPCwTe9fe0CjlUbqj5bFNSjIRk=
+github.com/chai2010/gettext-go v1.0.2/go.mod h1:y+wnP2cHYaVj19NZhYKAwEMH2CI1gNHeQQ+5AjwawxA=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
@@ -159,8 +198,16 @@ github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUK
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
+github.com/containerd/cgroups v1.1.0 h1:v8rEWFl6EoqHB+swVNjVoCJE8o3jX7e8nqBGPLaDFBM=
+github.com/containerd/cgroups v1.1.0/go.mod h1:6ppBcbh/NOOUU+dMKrykgaBnK9lCIBxHqJDGwsa1mIw=
+github.com/containerd/containerd v1.7.6 h1:oNAVsnhPoy4BTPQivLgTzI9Oleml9l/+eYIDYXRCYo8=
+github.com/containerd/containerd v1.7.6/go.mod h1:SY6lrkkuJT40BVNO37tlYTSnKJnP5AXBc0fhx0q+TJ4=
+github.com/containerd/continuity v0.4.2 h1:v3y/4Yz5jwnvqPKJJ+7Wf93fyWoCB3F5EclWG023MDM=
+github.com/containerd/continuity v0.4.2/go.mod h1:F6PTNCKepoxEaXLQp3wDAjygEnImnZ/7o4JzpodfroQ=
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
+github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
 github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7 h1:vU+EP9ZuFUCYE0NYLwTSob+3LNEJATzNfP/DC7SWGWI=
 github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw=
 github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
@@ -170,12 +217,34 @@ github.com/danieljoos/wincred v1.1.2/go.mod h1:GijpziifJoIBfYh+S7BbkdUTU4LfM+QnG
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2 h1:aBfCb7iqHmDEIp6fBvC/hQUddQfg+3qdYjwzaiP9Hnc=
+github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2/go.mod h1:WHNsWjnIn2V1LYOrME7e8KxSeKunYHsxEm4am0BUtcI=
 github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI=
 github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ=
+github.com/docker/cli v24.0.6+incompatible h1:fF+XCQCgJjjQNIMjzaSmiKJSCcfcXb3TWTcc7GAneOY=
+github.com/docker/cli v24.0.6+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8=
+github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
+github.com/docker/docker v24.0.6+incompatible h1:hceabKCtUgDqPu+qm0NgsaXf28Ljf4/pWFL7xjWWDgE=
+github.com/docker/docker v24.0.6+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=
+github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0=
+github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
+github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
+github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c h1:+pKlWGMw7gf6bQ+oDZB4KHQFypsfjYlq/C4rfL7D3g8=
+github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA=
+github.com/docker/go-metrics v0.0.1 h1:AgB/0SvBxihN0X8OR4SjsblXkbMvalQ8cjmtKQ2rQV8=
+github.com/docker/go-metrics v0.0.1/go.mod h1:cG1hvH2utMXtqgqqYE9plW6lDxS3/5ayHzueweSI3Vw=
+github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
+github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/docker/libtrust v0.0.0-20150114040149-fa567046d9b1 h1:ZClxb8laGDf5arXfYcAtECDFgAgHklGI8CxgjHnXKJ4=
+github.com/docker/libtrust v0.0.0-20150114040149-fa567046d9b1/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE=
 github.com/edgelesssys/go-azguestattestation v0.0.0-20230707101700-a683be600fcf h1:1iKB7b+i7svWC0aKXwggi+kHf0K57g8r9hN4VOpJYYg=
 github.com/edgelesssys/go-azguestattestation v0.0.0-20230707101700-a683be600fcf/go.mod h1:T8Rv3qrCpUJZbKq49OA9tcC1ZbRkGtDxiafsj++LYIE=
 github.com/edgelesssys/go-tdx-qpl v0.0.0-20230530085549-fd2878a4dead h1:Q2TI34V/NCLGQQkdc0/KmPx/7ix9YnGDUQDT+gqvDw0=
 github.com/edgelesssys/go-tdx-qpl v0.0.0-20230530085549-fd2878a4dead/go.mod h1:IC72qyykUIWl0ZmSk53L4xbLCFDBEGZVaujUmPQOEyw=
+github.com/emicklei/go-restful/v3 v3.10.1 h1:rc42Y5YTp7Am7CS630D7JmhRjq4UlEUuEKfrDac4bSQ=
+github.com/emicklei/go-restful/v3 v3.10.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
 github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
@@ -184,6 +253,10 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m
 github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U=
+github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d h1:105gxyaGwCFad8crR9dcMQWvV9Hvulu6hwUh4tWPJnM=
+github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d/go.mod h1:ZZMPRZwes7CROmyNKgQzC3XPs6L/G2EJLHddWejkmf4=
 github.com/facebookgo/clock v0.0.0-20150410010913-600d898af40a h1:yDWHCSQ40h88yih2JAcL6Ls/kVkSE8GFACTGVnMPruw=
 github.com/facebookgo/clock v0.0.0-20150410010913-600d898af40a/go.mod h1:7Ga40egUymuWXxAe151lTNnCv97MddSOVsjpPPkityA=
 github.com/facebookgo/limitgroup v0.0.0-20150612190941-6abd8d71ec01 h1:IeaD1VDVBPlx3viJT9Md8if8IxxJnO+x0JCGb054heg=
@@ -193,11 +266,19 @@ github.com/facebookgo/muster v0.0.0-20150708232844-fd3d7953fd52/go.mod h1:yIquW8
 github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
 github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs=
 github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw=
+github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk=
+github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/foxcpp/go-mockdns v1.0.0 h1:7jBqxd3WDWwi/6WhDvacvH1XsN3rOLXyHM1uhvIx6FI=
+github.com/foxcpp/go-mockdns v1.0.0/go.mod h1:lgRN6+KxQBawyIghpnl5CezHFGS9VLzvtVlwxvzXTQ4=
+github.com/frankban/quicktest v1.14.4 h1:g2rn0vABPOOXmZUj+vbmUp0lPoXEMuhTpIluN0XL9UY=
+github.com/frankban/quicktest v1.14.4/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/gabriel-vasile/mimetype v1.4.2 h1:w5qFW6JKBz9Y393Y4q372O9A7cUSequkh1Q7OhCmWKU=
 github.com/gabriel-vasile/mimetype v1.4.2/go.mod h1:zApsH/mKG4w07erKIaJPFiX0Tsq9BFQgN3qGY5GnNgA=
 github.com/go-chi/chi v4.1.2+incompatible h1:fGFk2Gmi/YKXk0OmGfBh0WgmN3XB8lVnEyNz34tQRec=
 github.com/go-chi/chi v4.1.2+incompatible/go.mod h1:eB3wogJHnLi3x/kFX2A+IbTBlXxmMeXJVKy9tTv1XzQ=
+github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
+github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
 github.com/go-git/go-billy/v5 v5.5.0 h1:yEY4yhzCDuMGSv83oGxiBotRzhwhNr8VZyphhiu+mTU=
@@ -207,8 +288,13 @@ github.com/go-git/go-git/v5 v5.9.0/go.mod h1:RKIqga24sWdMGZF+1Ekv9kylsDz6LzdTSI2
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
+github.com/go-gorp/gorp/v3 v3.1.0 h1:ItKF/Vbuj31dmV4jxA1qblpSwkl9g1typ24xoe70IGs=
+github.com/go-gorp/gorp/v3 v3.1.0/go.mod h1:dLEjIyyRNiXvNZ8PSmzpt1GsWAUK8kjVhEpjH8TixEw=
 github.com/go-jose/go-jose/v3 v3.0.0 h1:s6rrhirfEP/CGIoc6p+PZAeogN2SxKav6Wp7+dyMWVo=
 github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
+github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
+github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
+github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
@@ -261,7 +347,12 @@ github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJn
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
 github.com/go-playground/validator/v10 v10.14.1 h1:9c50NUPC30zyuKprjL3vNZ0m5oG+jU0zvx4AqHGnv4k=
 github.com/go-playground/validator/v10 v10.14.1/go.mod h1:9iXMNT7sEkjXb0I+enO7QXmzG6QCsPWY4zveKFVRSyU=
+github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
+github.com/go-sql-driver/mysql v1.7.1 h1:lUIinVbN1DY0xBg0eMOzmmtGoHwWBbvnWubQUrtU8EI=
+github.com/go-sql-driver/mysql v1.7.1/go.mod h1:OXbVy3sEdcQ2Doequ6Z5BW6fXNQTmx+9S1MCJN5yJMI=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
+github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
+github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
 github.com/go-test/deep v1.1.0 h1:WOcxcdHcvdgThNXjw0t76K42FXTU7HpNQWHpA2HHNlg=
 github.com/go-test/deep v1.1.0/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
 github.com/gobuffalo/attrs v0.0.0-20190224210810-a9411de4debd/go.mod h1:4duuawTqi2wkkpB4ePgWMaai6/Kc6WEz83bhFwpHzj0=
@@ -281,18 +372,29 @@ github.com/gobuffalo/gogen v0.0.0-20190315121717-8f38393713f5/go.mod h1:V9QVDIxs
 github.com/gobuffalo/gogen v0.1.0/go.mod h1:8NTelM5qd8RZ15VjQTFkAW6qOMx5wBbW4dSCS3BY8gg=
 github.com/gobuffalo/gogen v0.1.1/go.mod h1:y8iBtmHmGc4qa3urIyo1shvOD8JftTtfcKi+71xfDNE=
 github.com/gobuffalo/logger v0.0.0-20190315122211-86e12af44bc2/go.mod h1:QdxcLw541hSGtBnhUc4gaNIXRjiDppFGaDqzbrBd3v8=
+github.com/gobuffalo/logger v1.0.6 h1:nnZNpxYo0zx+Aj9RfMPBm+x9zAU2OayFh/xrAWi34HU=
+github.com/gobuffalo/logger v1.0.6/go.mod h1:J31TBEHR1QLV2683OXTAItYIg8pv2JMHnF/quuAbMjs=
 github.com/gobuffalo/mapi v1.0.1/go.mod h1:4VAGh89y6rVOvm5A8fKFxYG+wIW6LO1FMTG9hnKStFc=
 github.com/gobuffalo/mapi v1.0.2/go.mod h1:4VAGh89y6rVOvm5A8fKFxYG+wIW6LO1FMTG9hnKStFc=
 github.com/gobuffalo/packd v0.0.0-20190315124812-a385830c7fc0/go.mod h1:M2Juc+hhDXf/PnmBANFCqx4DM3wRbgDvnVWeG2RIxq4=
 github.com/gobuffalo/packd v0.1.0/go.mod h1:M2Juc+hhDXf/PnmBANFCqx4DM3wRbgDvnVWeG2RIxq4=
+github.com/gobuffalo/packd v1.0.1 h1:U2wXfRr4E9DH8IdsDLlRFwTZTK7hLfq9qT/QHXGVe/0=
+github.com/gobuffalo/packd v1.0.1/go.mod h1:PP2POP3p3RXGz7Jh6eYEf93S7vA2za6xM7QT85L4+VY=
 github.com/gobuffalo/packr/v2 v2.0.9/go.mod h1:emmyGweYTm6Kdper+iywB6YK5YzuKchGtJQZ0Odn4pQ=
 github.com/gobuffalo/packr/v2 v2.2.0/go.mod h1:CaAwI0GPIAv+5wKLtv8Afwl+Cm78K/I/VCm/3ptBN+0=
+github.com/gobuffalo/packr/v2 v2.8.3 h1:xE1yzvnO56cUC0sTpKR3DIbxZgB54AftTFMhB2XEWlY=
+github.com/gobuffalo/packr/v2 v2.8.3/go.mod h1:0SahksCVcx4IMnigTjiFuyldmTrdTctXsOdiU5KwbKc=
 github.com/gobuffalo/syncx v0.0.0-20190224160051-33c29581e754/go.mod h1:HhnNqWY95UYwwW3uSASeV7vtgYkT2t16hJgV3AEPUpw=
+github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
+github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
 github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
 github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gofrs/uuid v3.3.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gofrs/uuid v4.2.0+incompatible h1:yyYWMnhkhrKwwr8gAOcOCYxOOscHgDS9yZgBrnJfGa0=
 github.com/gofrs/uuid v4.2.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
+github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
 github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
@@ -327,11 +429,17 @@ github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaS
 github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
+github.com/gomodule/redigo v1.8.2 h1:H5XSIre1MB5NbPYFp+i1NBbb5qN1W8Y8YAQoAYbkm8k=
+github.com/gomodule/redigo v1.8.2/go.mod h1:P9dn9mFrCBvWhGE1wpxx6fgq7BAeLBk+UUUzlpkBYO0=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
+github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
 github.com/google/certificate-transparency-go v1.0.21/go.mod h1:QeJfpSbVSfYc7RgB3gJFj9cbuQMMchQxrWXz8Ruopmg=
 github.com/google/certificate-transparency-go v1.1.4 h1:hCyXHDbtqlr/lMXU0D4WgbalXL0Zk4dSWWMbPV8VrqY=
 github.com/google/certificate-transparency-go v1.1.4/go.mod h1:D6lvbfwckhNrbM9WVl1EVeMOyzC19mpIjMOI4nxBHtQ=
+github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
+github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
 github.com/google/go-attestation v0.5.0 h1:jXtAWT2sw2Yu8mYU0BC7FDidR+ngxFPSE+pl6IUu3/0=
 github.com/google/go-attestation v0.5.0/go.mod h1:0Tik9y3rzV649Jcr7evbljQHQAsIlJucyqQjYDBqktU=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
@@ -360,6 +468,7 @@ github.com/google/go-tpm-tools v0.4.2 h1:iyaCPKt2N5Rd0yz0G8ANa022SgCNZkMpp+db6QE
 github.com/google/go-tpm-tools v0.4.2/go.mod h1:fGUDZu4tw3V4hUVuFHmiYgRd0c58/IXivn9v3Ea/ck4=
 github.com/google/go-tspi v0.3.0 h1:ADtq8RKfP+jrTyIWIZDIYcKOMecRqNJFOew2IT0Inus=
 github.com/google/go-tspi v0.3.0/go.mod h1:xfMGI3G0PhxCdNVcYr1C4C+EizojDg/TXuX5by8CiHI=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/logger v1.1.1 h1:+6Z2geNxc9G+4D4oDO9njjjn2d0wN5d7uOo0vOIW1NQ=
@@ -377,9 +486,13 @@ github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hf
 github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20221103000818-d260c55eee4c h1:lvddKcYTQ545ADhBujtIJmqQrZBDsGo7XIMbAQe/sNY=
+github.com/google/pprof v0.0.0-20221103000818-d260c55eee4c/go.mod h1:dDKJzRmX4S37WGHujM7tX//fmj1uioxKzKxz3lo4HJo=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o=
 github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw=
+github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
+github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
 github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -392,6 +505,20 @@ github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5m
 github.com/googleapis/gax-go/v2 v2.12.0 h1:A+gCJKdRfqXkr+BIRGtZLibNXf0m1f9E4HG56etFpas=
 github.com/googleapis/gax-go/v2 v2.12.0/go.mod h1:y+aIqrI5eb1YGMVJfuV3185Ts/D7qKpsEkdD5+I6QGU=
 github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g=
+github.com/gophercloud/gophercloud v1.3.0/go.mod h1:aAVqcocTSXh2vYFZ1JTvx4EQmfgzxRcNupUfxZbBNDM=
+github.com/gophercloud/gophercloud v1.5.0 h1:cDN6XFCLKiiqvYpjQLq9AiM7RDRbIC9450WpPH+yvXo=
+github.com/gophercloud/gophercloud v1.5.0/go.mod h1:aAVqcocTSXh2vYFZ1JTvx4EQmfgzxRcNupUfxZbBNDM=
+github.com/gophercloud/utils v0.0.0-20231010081019-80377eca5d56 h1:sH7xkTfYzxIEgzq1tDHIMKRh1vThOEOGNsettdEeLbE=
+github.com/gophercloud/utils v0.0.0-20231010081019-80377eca5d56/go.mod h1:VSalo4adEk+3sNkmVJLnhHoOyOYYS8sTWLG4mv5BKto=
+github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4=
+github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q=
+github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
+github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
+github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/gosuri/uitable v0.0.4 h1:IG2xLKRvErL3uhY6e1BylFzG+aJiwQviDDTfOKeKTpY=
+github.com/gosuri/uitable v0.0.4/go.mod h1:tKR86bXuXPZazfOTG1FIzvjIdXzd0mo4Vtn16vt0PJo=
+github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA=
+github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
 github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.0.0 h1:2cz5kSrxzMYHiWOBbKj8itQm+nRykkB8aMv4ThcHYHA=
 github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.0.0/go.mod h1:w9Y7gY31krpLmrVU5ZPG9H7l9fZuRu5/3R3S3FMtVQ4=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -420,6 +547,8 @@ github.com/hashicorp/go-version v1.6.0 h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mO
 github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc=
+github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
 github.com/hashicorp/hc-install v0.6.1 h1:IGxShH7AVhPaSuSJpKtVi/EFORNjO+OYVJJrAtGG2mY=
 github.com/hashicorp/hc-install v0.6.1/go.mod h1:0fW3jpg+wraYSnFDJ6Rlie3RvLf1bIqVIkzoon4KoVE=
 github.com/hashicorp/hcl/v2 v2.19.1 h1://i05Jqznmb2EXqa39Nsvyan2o5XyMowW5fnCKW5RPI=
@@ -455,8 +584,14 @@ github.com/honeycombio/libhoney-go v1.16.0/go.mod h1:izP4fbREuZ3vqC4HlCAmPrcPT9g
 github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef h1:A9HsByNhogrvm9cWb28sjiS3i7tcKCkflWFEkHfuAgM=
 github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef/go.mod h1:lADxMC39cJJqL93Duh1xhAs4I2Zs8mKS89XWXFGp9cs=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
+github.com/huandu/xstrings v1.3.3/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
+github.com/huandu/xstrings v1.4.0 h1:D17IlohoQq4UcpqD7fDk80P7l+lwAmlFaBHgOipl2FU=
+github.com/huandu/xstrings v1.4.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
+github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
+github.com/imdario/mergo v0.3.15 h1:M8XP7IuFNsqUx6VPK2P9OSmsYsI/YFaGil0uD21V3dM=
+github.com/imdario/mergo v0.3.15/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
@@ -472,16 +607,26 @@ github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGw
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/jmhodges/clock v0.0.0-20160418191101-880ee4c33548 h1:dYTbLf4m0a5u0KLmPfB6mgxbcV7588bOCx79hxa5Sr4=
 github.com/jmhodges/clock v0.0.0-20160418191101-880ee4c33548/go.mod h1:hGT6jSUVzF6no3QaDSMLGLEHtHSBSefs+MgcDWnmhmo=
+github.com/jmoiron/sqlx v1.3.5 h1:vFFPA71p1o5gAeqtEAwLU4dnX2napprKtHr7PYIcN3g=
+github.com/jmoiron/sqlx v1.3.5/go.mod h1:nRVWtLre0KfCLJvgxzCsLVMogSvQ1zNJtpYr2Ccp0mQ=
 github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
+github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
+github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
+github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/k0kubun/go-ansi v0.0.0-20180517002512-3bf9e2903213/go.mod h1:vNUNkEQ1e29fT/6vq2aBdFsgNPmy8qMdSay1npru+Sw=
 github.com/karrick/godirwalk v1.8.0/go.mod h1:H5KPZjojv4lE+QYImBI8xVtrBRgYrIVsaRPx4tDPEn4=
 github.com/karrick/godirwalk v1.10.3/go.mod h1:RoGL9dQei4vP9ilrpETWE8CLOZ1kiN0LhBygSwrAsHA=
+github.com/karrick/godirwalk v1.17.0 h1:b4kY7nqDdioR/6qnbHQyDvmA17u5G1cZ6J+CZXwSWoI=
+github.com/karrick/godirwalk v1.17.0/go.mod h1:j4mkqPuvaLI8mp1DroR3P6ad7cyYd4c1qeJ3RV7ULlk=
 github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
 github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
 github.com/klauspost/compress v1.16.5 h1:IFV2oUNUzZaz+XyusxpLzpzS8Pt5rh0Z16For/djlyI=
@@ -489,6 +634,7 @@ github.com/klauspost/compress v1.16.5/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQs
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
+github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
@@ -499,10 +645,19 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
+github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 h1:SOEGU9fKiNWd/HOJuq6+3iTQz8KNCLtVX6idSoTLdUw=
+github.com/lann/builder v0.0.0-20180802200727-47ae307949d0/go.mod h1:dXGbAdH5GtBTC4WfIxhKZfyBF/HBFgRZSWwZ9g/He9o=
+github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 h1:P6pPBnrTSX3DEVR4fDembhRWSsG5rVo6hYhAB/ADZrk=
+github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0/go.mod h1:vmVJ0l/dxyfGW6FmdpVm2joNMFikkuWg0EoCKLGUMNw=
 github.com/leodido/go-urn v1.2.4 h1:XlAE/cm/ms7TE/VMVoduSpNBoyc2dOxHs5MZSwAN63Q=
 github.com/leodido/go-urn v1.2.4/go.mod h1:7ZrI8mTSeBSHl/UaRyKQW1qZeMgak41ANeCNaVckg+4=
 github.com/letsencrypt/boulder v0.0.0-20221109233200-85aa52084eaf h1:ndns1qx/5dL43g16EQkPV/i8+b3l5bYQwLeoSBe7tS8=
 github.com/letsencrypt/boulder v0.0.0-20221109233200-85aa52084eaf/go.mod h1:aGkAgvWY/IUcVFfuly53REpfv5edu25oij+qHRFaraA=
+github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
+github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
+github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
+github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0=
+github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE=
 github.com/lithammer/dedent v1.1.0 h1:VNzHMVCBNG1j0fh3OrsFRkVUwStdDArbgBWoPAffktY=
 github.com/lithammer/dedent v1.1.0/go.mod h1:jrXYCQtgg0nJiN+StA2KgR7w6CiQNv9Fd/Z9BP0jIOc=
 github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
@@ -510,7 +665,12 @@ github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN
 github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
+github.com/markbates/errx v1.1.0 h1:QDFeR+UP95dO12JgW+tgi2UVfo0V8YBHiUIOaeBPiEI=
+github.com/markbates/errx v1.1.0/go.mod h1:PLa46Oex9KNbVDZhKel8v1OT7hD5JZ2eI7AHhA0wswc=
 github.com/markbates/oncer v0.0.0-20181203154359-bf2de49a0be2/go.mod h1:Ld9puTsIW75CHf65OeIOkyKbteujpZVXDpWK6YGZbxE=
+github.com/markbates/oncer v1.0.0 h1:E83IaVAHygyndzPimgUYJjbshhDTALZyXxvk9FOlQRY=
+github.com/markbates/oncer v1.0.0/go.mod h1:Z59JA581E9GP6w96jai+TGqafHPW+cPfRxz2aSZ0mcI=
+github.com/markbates/safe v1.0.1 h1:yjZkbvRM6IzKj9tlu/zMJLS0n/V351OZWRnF3QfaUxI=
 github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kNSCBdG0=
 github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
 github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
@@ -524,14 +684,23 @@ github.com/mattn/go-isatty v0.0.19 h1:JITubQf0MOLdlGRuRq+jtsDlekdYPia9ZFsB8h/APP
 github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-runewidth v0.0.14 h1:+xnbZSEeDbOIg5/mE6JF0w6n9duR1l3/WmbinWVwUuU=
 github.com/mattn/go-runewidth v0.0.14/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/mattn/go-sqlite3 v1.14.6/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
+github.com/mattn/go-sqlite3 v1.14.15 h1:vfoHhTN1af61xCRSWzFIWzx2YskyMTwHLrExkBOjvxI=
+github.com/mattn/go-sqlite3 v1.14.15/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg=
+github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
 github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
 github.com/microsoft/ApplicationInsights-Go v0.4.4 h1:G4+H9WNs6ygSCe6sUyxRc2U81TI5Es90b2t/MwX5KqY=
 github.com/microsoft/ApplicationInsights-Go v0.4.4/go.mod h1:fKRUseBqkw6bDiXTs3ESTiU/4YTIHsQS4W3fP2ieF4U=
+github.com/miekg/dns v1.1.50 h1:DQUfb9uc6smULcREF09Uc+/Gd46YWqJd5DbpPE9xkcA=
+github.com/miekg/dns v1.1.50/go.mod h1:e3IlAVfNqAllflbibAZEWOXOQ+Ynzk/dDozDxY7XnME=
 github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db h1:62I3jR2EmQ4l5rM/4FEfDWcRD+abF5XlKShorW5LRoQ=
 github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db/go.mod h1:l0dey0ia/Uv7NcFFVbCLtqEBQbrT4OCwCSKTEv6enCw=
+github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw=
 github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
 github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
+github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
+github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/go-testing-interface v1.14.1 h1:jrgshOhYAUVNMAJiKbEu7EqAwgJJ2JqpQmpLJOu07cU=
 github.com/mitchellh/go-testing-interface v1.14.1/go.mod h1:gfgS7OtZj6MA4U1UrDRp04twqAjfvlZyCfX3sDjEym8=
 github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=
@@ -540,24 +709,58 @@ github.com/mitchellh/mapstructure v1.3.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RR
 github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
 github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
+github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
+github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
+github.com/moby/spdystream v0.2.0 h1:cjW1zVyyoiM0T7b6UoySUFqzXMoqRckQtXwGPiBhOM8=
+github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c=
+github.com/moby/sys/mountinfo v0.6.2 h1:BzJjoreD5BMFNmD9Rus6gdd1pLuecOFPt8wC+Vygl78=
+github.com/moby/sys/mountinfo v0.6.2/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI=
+github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
+github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 h1:n6/2gBQ3RWajuToeY6ZtZTIKv2v7ThUy5KKusIT0yc0=
+github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod h1:Pm3mSP3c5uWn86xMLZ5Sa7JB9GsEZySvHYXCTK4E9q4=
 github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJuTMNUDYhXwkmfOly8iTdp5TEcJFWZD2D7SIkUc=
+github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
+github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/oklog/run v1.0.0 h1:Ru7dDtJNOyC66gQ5dQmaCa0qIsAUFY3sFpK1Xk8igrw=
 github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA=
 github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4=
 github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.8.0 h1:VkHVNpR4iVnU8XQR6DBm8BqYjN7CRzw+xKUbVVbbW9w=
 github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo/v2 v2.9.5 h1:+6Hr4uxzP4XIUyAkg61dWBw8lb/gc4/X5luuxN/EC+Q=
+github.com/onsi/ginkgo/v2 v2.9.5/go.mod h1:tvAoo1QUJwNEU2ITftXTpR7R1RbCzoZUOs3RonqW57k=
 github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
+github.com/onsi/gomega v1.27.7 h1:fVih9JD6ogIiHUN6ePK7HJidyEDpWGVB5mzM7cWNXoU=
+github.com/onsi/gomega v1.27.7/go.mod h1:1p8OOlwo2iUUDsHnOrjE5UKYJ+e3W8eQ3qSlRahPmr4=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/image-spec v1.1.0-rc5 h1:Ygwkfw9bpDvs+c9E34SdgGOj41dX/cbdlwvlWt0pnFI=
+github.com/opencontainers/image-spec v1.1.0-rc5/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8=
 github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
 github.com/pborman/uuid v1.2.1 h1:+ZZIw58t/ozdjRaXh/3awHfmWRbzYxJoAdNJxe/3pvw=
 github.com/pborman/uuid v1.2.1/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
 github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAvS1LBMMhTE=
+github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI=
+github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
+github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 h1:Ii+DKncOVM8Cu1Hc+ETb5K+23HdAMvESYE3ZJ5b5cMI=
+github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5/go.mod h1:iIss55rKnNBTvrwdmkUpLnDpZoAHvWaiq5+iMmen4AE=
 github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4=
 github.com/pjbgf/sha1cd v0.3.0/go.mod h1:nZ1rrWOcGJ5uZgEEVL1VUM9iRQiZvWdbZjkKyFzPPsI=
 github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 h1:KoWmjvw+nsYOo29YJK9vDA65RGE3NrOnUtO7a+RF9HU=
@@ -569,13 +772,25 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/poy/onpar v1.1.2 h1:QaNrNiZx0+Nar5dLgTVp5mXkyoVFIbepjyEoGSnhbAY=
+github.com/poy/onpar v1.1.2/go.mod h1:6X8FLNoxyr9kkmnlqpK6LSoiOtrO6MICtWwEuWkLjzg=
+github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
+github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
+github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g=
 github.com/prometheus/client_golang v1.16.0 h1:yk/hx9hDbrGHovbci4BY+pRMfSuuat626eFsHb7tmT8=
 github.com/prometheus/client_golang v1.16.0/go.mod h1:Zsulrv/L9oM40tJ7T815tM89lFEugiJ9HzIqaAx4LKc=
+github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
+github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.4.0 h1:5lQXD3cAg1OXBf4Wq03gTrXHeaV0TQvGfUooCfx1yqY=
 github.com/prometheus/client_model v0.4.0/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU=
+github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
+github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc=
 github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdOOfY=
 github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY=
+github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
+github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
+github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ=
 github.com/prometheus/procfs v0.10.1 h1:kYK1Va/YMlutzCGazswoHKo//tZVlFpKYh+PymziUAg=
 github.com/prometheus/procfs v0.10.1/go.mod h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPHWJq+XBB/FM=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
@@ -586,6 +801,9 @@ github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
+github.com/rubenv/sql-migrate v1.5.2 h1:bMDqOnrJVV/6JQgQ/MxOpU+AdO8uzYYA/TxFUBzFtS0=
+github.com/rubenv/sql-migrate v1.5.2/go.mod h1:H38GW8Vqf8F0Su5XignRyaRcbXbJunSWxs+kmzlg0Is=
+github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sassoftware/relic v7.2.1+incompatible h1:Pwyh1F3I0r4clFJXkSI8bOyJINGqpgjJU3DYAZeI05A=
 github.com/sassoftware/relic v7.2.1+incompatible/go.mod h1:CWfAxv73/iLZ17rbyhIEq3K9hs5w6FpNMdUT//qR+zk=
@@ -597,19 +815,28 @@ github.com/secure-systems-lab/go-securesystemslib v0.6.0 h1:T65atpAVCJQK14UA57LM
 github.com/secure-systems-lab/go-securesystemslib v0.6.0/go.mod h1:8Mtpo9JKks/qhPG4HGZ2LGMvrPbzuxwfz/f/zLfEWkk=
 github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
 github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
+github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
+github.com/shopspring/decimal v1.3.1 h1:2Usl1nmF/WZucqkFZhnfFYxxxu8LG21F6nPQBE5gKV8=
+github.com/shopspring/decimal v1.3.1/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
 github.com/siderolabs/talos/pkg/machinery v1.4.6 h1:SX7Q6FxTDyX2hxugMgIqyivXWzemgMhHj3AlDbxjuFw=
 github.com/siderolabs/talos/pkg/machinery v1.4.6/go.mod h1:l+3Akw0tz/k/IMbqQS+cdQaqVSitIIJf04+N9ahGn+E=
 github.com/sigstore/rekor v1.2.2 h1:5JK/zKZvcQpL/jBmHvmFj3YbpDMBQnJQ6ygp8xdF3bY=
 github.com/sigstore/rekor v1.2.2/go.mod h1:FGnWBGWzeNceJnp0x9eDFd41mI8aQqCjj+Zp0IEs0Qg=
 github.com/sigstore/sigstore v1.7.1 h1:fCATemikcBK0cG4+NcM940MfoIgmioY1vC6E66hXxks=
 github.com/sigstore/sigstore v1.7.1/go.mod h1:0PmMzfJP2Y9+lugD0wer4e7TihR5tM7NcIs3bQNk5xg=
+github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
+github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
+github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/skeema/knownhosts v1.2.0 h1:h9r9cf0+u7wSE+M183ZtMGgOJKiL96brpaz5ekfJCpM=
 github.com/skeema/knownhosts v1.2.0/go.mod h1:g4fPeYpque7P0xefxtGzV81ihjC8sX2IqpAoNkjxbMo=
 github.com/spf13/afero v1.10.0 h1:EaGW2JJh15aKOejeuJ+wpFSHnbd7GE6Wvp3TsNhb6LY=
 github.com/spf13/afero v1.10.0/go.mod h1:UBogFpq8E9Hx+xc5CNTTEpTnuHVmXDwZcZcE1eb/UhQ=
+github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
+github.com/spf13/cast v1.5.1 h1:R+kOtfhWQE6TVQzY+4D7wJLBgkdVasCEFxSUBYBYIlA=
+github.com/spf13/cast v1.5.1/go.mod h1:b9PdjNptOpzXr7Rq1q9gJML/2cdGQAo69NKzQ10KN48=
 github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
 github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
 github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
@@ -619,6 +846,7 @@ github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
@@ -659,12 +887,27 @@ github.com/xdg-go/scram v1.0.2/go.mod h1:1WAq6h33pAW+iRreB34OORO2Nf7qel3VV3fjBj+
 github.com/xdg-go/scram v1.1.1/go.mod h1:RaEWvsqvNKKvBPvcKeFjrG2cJqOkHTiyTpzz23ni57g=
 github.com/xdg-go/stringprep v1.0.2/go.mod h1:8F9zXuvzgwmyT5DUm4GUfZGDdT3W+LCvS6+da4O5kxM=
 github.com/xdg-go/stringprep v1.0.3/go.mod h1:W3f5j4i+9rC0kuIEJL0ky1VpHXQU3ocBgklLGvcBnW8=
+github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
+github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo=
+github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
+github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74=
+github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
+github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ=
+github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0=
 github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7JulP+udvsHwJoVG1YGAP6VLg4y9I5dyZdqmA=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43 h1:+lm10QQTNSBd8DVTNGHx7o/IKu9HYDvLMffDhbyLccI=
+github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43/go.mod h1:aX5oPXxHm3bOH+xeAttToC8pqch2ScQN/JoXYupl6xs=
+github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50 h1:hlE8//ciYMztlGpl/VA+Zm1AcTPHYkHJPbHqE6WJUXE=
+github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50/go.mod h1:NUSPSUX/bi6SeDMUh6brw0nXpxHnc96TguQh0+r/ssA=
+github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f h1:ERexzlUfuTvpE74urLSbIQW0Z/6hF9t8U4NsJLaioAY=
+github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f/go.mod h1:GlGEuHIJweS1mbCqG+7vt2nvWLzLLnRHbXz5JKd/Qbg=
 github.com/zalando/go-keyring v0.2.2 h1:f0xmpYiSrHtSNAVgwip93Cg8tuF45HJM6rHq/A5RI/4=
 github.com/zalando/go-keyring v0.2.2/go.mod h1:sI3evg9Wvpw3+n4SqplGSJUMwtDeROfD4nsFz4z9PG0=
 github.com/zclconf/go-cty v1.14.1 h1:t9fyA35fwjjUMcmL5hLER+e/rEPqrbCK1/OSE4SI9KA=
@@ -688,6 +931,8 @@ go.opentelemetry.io/otel/sdk v1.14.0 h1:PDCppFRDq8A1jL9v6KMI6dYesaq+DFcDZvjsoGvx
 go.opentelemetry.io/otel/sdk v1.14.0/go.mod h1:bwIC5TjrNG6QDCHNWvW4HLHtUQ4I+VQDsnjhvyZCALM=
 go.opentelemetry.io/otel/trace v1.14.0 h1:wp2Mmvj41tDsyAJXiWDWpfNsOiIyd38fy85pyKcFq/M=
 go.opentelemetry.io/otel/trace v1.14.0/go.mod h1:8avnQLK+CG77yNLUae4ea2JDQ6iT+gozhnZjy/rw9G8=
+go.starlark.net v0.0.0-20230525235612-a134d8f9ddca h1:VdD38733bfYv5tUZwEIskMM93VanwNIi5bIKnDrJdEY=
+go.starlark.net v0.0.0-20230525235612-a134d8f9ddca/go.mod h1:jxU+3+j+71eXOW14274+SmmuW82qJzl6iZSeqEtTGds=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
@@ -707,6 +952,8 @@ golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
 golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
@@ -753,6 +1000,7 @@ golang.org/x/mod v0.13.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -760,6 +1008,7 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
+golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -822,6 +1071,7 @@ golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -834,6 +1084,7 @@ golang.org/x/sys v0.0.0-20190531175056-4c3a928424d2/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -864,10 +1115,12 @@ golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -879,6 +1132,7 @@ golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
 golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.0.0-20220526004731-065cf7ba2467/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
@@ -902,6 +1156,8 @@ golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
+golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
@@ -943,6 +1199,7 @@ golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roY
 golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
@@ -951,6 +1208,7 @@ golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4f
 golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
@@ -1064,6 +1322,7 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
 google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/alexcesaro/statsd.v2 v2.0.0 h1:FXkZSCZIH17vLCO5sO2UucTHsH9pc+17F6pl3JVCwMc=
 gopkg.in/alexcesaro/statsd.v2 v2.0.0/go.mod h1:i0ubccKGzBVNBpdGV5MocxyA/XlLUJzA7SLonnE4drU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -1073,6 +1332,8 @@ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntN
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
+gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
+gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
 gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
@@ -1081,6 +1342,7 @@ gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRN
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
@@ -1089,6 +1351,12 @@ gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o=
+gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g=
+helm.sh/helm v2.17.0+incompatible h1:cSe3FaQOpRWLDXvTObQNj0P7WI98IG5yloU6tQVls2k=
+helm.sh/helm v2.17.0+incompatible/go.mod h1:0Xbc6ErzwWH9qC55X1+hE3ZwhM3atbhCm/NbFZw5i+4=
+helm.sh/helm/v3 v3.13.1 h1:DG+XLGzBJeZvMLlMbm6bPDLV1dGaVW9eZsDoUd1/LM0=
+helm.sh/helm/v3 v3.13.1/go.mod h1:TdQRMiq46CSWcc68Hb0uVhvAWusaN90YwAV54cz6JzU=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
@@ -1096,16 +1364,48 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
+k8s.io/api v0.28.2 h1:9mpl5mOb6vXZvqbQmankOfPIGiudghwCoLl1EYfUZbw=
+k8s.io/api v0.28.2/go.mod h1:RVnJBsjU8tcMq7C3iaRSGMeaKt2TWEUXcpIt/90fjEg=
+k8s.io/apiextensions-apiserver v0.28.2 h1:J6/QRWIKV2/HwBhHRVITMLYoypCoPY1ftigDM0Kn+QU=
+k8s.io/apiextensions-apiserver v0.28.2/go.mod h1:5tnkxLGa9nefefYzWuAlWZ7RZYuN/765Au8cWLA6SRg=
 k8s.io/apimachinery v0.28.2 h1:KCOJLrc6gu+wV1BYgwik4AF4vXOlVJPdiqn0yAWWwXQ=
 k8s.io/apimachinery v0.28.2/go.mod h1:RdzF87y/ngqk9H4z3EL2Rppv5jj95vGS/HaFXrLDApU=
+k8s.io/apiserver v0.28.2 h1:rBeYkLvF94Nku9XfXyUIirsVzCzJBs6jMn3NWeHieyI=
+k8s.io/apiserver v0.28.2/go.mod h1:f7D5e8wH8MWcKD7azq6Csw9UN+CjdtXIVQUyUhrtb+E=
+k8s.io/cli-runtime v0.28.2 h1:64meB2fDj10/ThIMEJLO29a1oujSm0GQmKzh1RtA/uk=
+k8s.io/cli-runtime v0.28.2/go.mod h1:bTpGOvpdsPtDKoyfG4EG041WIyFZLV9qq4rPlkyYfDA=
+k8s.io/client-go v0.28.2 h1:DNoYI1vGq0slMBN/SWKMZMw0Rq+0EQW6/AK4v9+3VeY=
+k8s.io/client-go v0.28.2/go.mod h1:sMkApowspLuc7omj1FOSUxSoqjr+d5Q0Yc0LOFnYFJY=
+k8s.io/cluster-bootstrap v0.27.3 h1:yk1XIWt/mbMgNHFdxd0HyVPq/rnJK7BS3oXj24gHClU=
+k8s.io/cluster-bootstrap v0.27.3/go.mod h1:4/bxgDkpV7XPapJS1585P/nvy3FdBIoFssK4Z5oztrc=
+k8s.io/component-base v0.28.2 h1:Yc1yU+6AQSlpJZyvehm/NkJBII72rzlEsd6MkBQ+G0E=
+k8s.io/component-base v0.28.2/go.mod h1:4IuQPQviQCg3du4si8GpMrhAIegxpsgPngPRR/zWpzc=
 k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg=
 k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
 k8s.io/kubernetes v1.27.8 h1:K848lTo/D0jvrxUlTvw4nNADixbhXLHgKNDP/KlFGy8=
 k8s.io/kubernetes v1.27.8/go.mod h1:PUXXrx0IhAi+kI9BMDqNJHUnLndVv9W0DkriqyjuJOs=
+k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 h1:LyMgNKD2P8Wn1iAwQU5OhxCKlKJy0sHc+PcDwFB24dQ=
+k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM=
+k8s.io/kubectl v0.28.2 h1:fOWOtU6S0smdNjG1PB9WFbqEIMlkzU5ahyHkc7ESHgM=
+k8s.io/kubectl v0.28.2/go.mod h1:6EQWTPySF1fn7yKoQZHYf9TPwIl2AygHEcJoxFekr64=
 k8s.io/utils v0.0.0-20230505201702-9f6742963106 h1:EObNQ3TW2D+WptiYXlApGNLVy0zm/JIBVY9i+M4wpAU=
 k8s.io/utils v0.0.0-20230505201702-9f6742963106/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+oras.land/oras-go v1.2.4 h1:djpBY2/2Cs1PV87GSJlxv4voajVOMZxqqtq9AB8YNvY=
+oras.land/oras-go v1.2.4/go.mod h1:DYcGfb3YF1nKjcezfX2SNlDAeQFKSXmf+qrFmrh4324=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
+sigs.k8s.io/controller-runtime v0.15.0 h1:ML+5Adt3qZnMSYxZ7gAverBLNPSMQEibtzAgp0UPojU=
+sigs.k8s.io/controller-runtime v0.15.0/go.mod h1:7ngYvp1MLT+9GeZ+6lH3LOlcHkp/+tzA/fmHa4iq9kk=
+sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
+sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
+sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 h1:XX3Ajgzov2RKUdc5jW3t5jwY7Bo7dcRm+tFxT+NfgY0=
+sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3/go.mod h1:9n16EZKMhXBNSiUC5kSdFQJkdH3zbxS/JoO619G1VAY=
+sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 h1:W6cLQc5pnqM7vh3b7HvGNfXrJ/xL6BDMS0v1V/HHg5U=
+sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3/go.mod h1:JWP1Fj0VWGHyw3YUPjXSQnRnrwezrZSrApfX5S0nIag=
+sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE=
+sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E=
+sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
+sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
 software.sslmate.com/src/go-pkcs12 v0.2.0 h1:nlFkj7bTysH6VkC4fGphtjXRbezREPgrHuJG20hBGPE=
 software.sslmate.com/src/go-pkcs12 v0.2.0/go.mod h1:23rNcYsMabIc1otwLpTkCCPwUq6kQsTyowttG/as0kQ=
diff --git a/terraform-provider-constellation/internal/provider/BUILD.bazel b/terraform-provider-constellation/internal/provider/BUILD.bazel
index 42e04708a9..a73f918faf 100644
--- a/terraform-provider-constellation/internal/provider/BUILD.bazel
+++ b/terraform-provider-constellation/internal/provider/BUILD.bazel
@@ -15,13 +15,21 @@ go_library(
     visibility = ["//terraform-provider-constellation:__subpackages__"],
     deps = [
         "//internal/api/attestationconfigapi",
+        "//internal/atls",
         "//internal/attestation/choose",
         "//internal/attestation/idkeydigest",
         "//internal/attestation/measurements",
         "//internal/attestation/variant",
+        "//internal/cloud/azureshared",
         "//internal/cloud/cloudprovider",
         "//internal/config",
+        "//internal/constellation",
+        "//internal/constellation/helm",
+        "//internal/constellation/state",
+        "//internal/grpc/dialer",
         "//internal/imagefetcher",
+        "//internal/kms/uri",
+        "//internal/semver",
         "//internal/sigstore",
         "//internal/versions",
         "//terraform-provider-constellation/internal/data",
@@ -45,7 +53,6 @@ go_test(
     name = "provider_test",
     srcs = [
         "attestation_data_source_test.go",
-        "cluster_resource_test.go",
         "convert_test.go",
         "image_data_source_test.go",
         "provider_test.go",
diff --git a/terraform-provider-constellation/internal/provider/cluster_resource.go b/terraform-provider-constellation/internal/provider/cluster_resource.go
index dbf3916920..f8e811d84f 100644
--- a/terraform-provider-constellation/internal/provider/cluster_resource.go
+++ b/terraform-provider-constellation/internal/provider/cluster_resource.go
@@ -7,11 +7,29 @@ SPDX-License-Identifier: AGPL-3.0-only
 package provider
 
 import (
+	"bytes"
 	"context"
+	"encoding/base64"
+	"encoding/hex"
+	"encoding/json"
+	"errors"
 	"fmt"
+	"io"
+	"net"
+	"time"
 
+	"github.com/edgelesssys/constellation/v2/internal/atls"
 	"github.com/edgelesssys/constellation/v2/internal/attestation/choose"
 	"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
+	"github.com/edgelesssys/constellation/v2/internal/cloud/azureshared"
+	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
+	"github.com/edgelesssys/constellation/v2/internal/config"
+	"github.com/edgelesssys/constellation/v2/internal/constellation"
+	"github.com/edgelesssys/constellation/v2/internal/constellation/helm"
+	"github.com/edgelesssys/constellation/v2/internal/constellation/state"
+	"github.com/edgelesssys/constellation/v2/internal/grpc/dialer"
+	"github.com/edgelesssys/constellation/v2/internal/kms/uri"
+	"github.com/edgelesssys/constellation/v2/internal/semver"
 	"github.com/edgelesssys/constellation/v2/internal/versions"
 	"github.com/hashicorp/terraform-plugin-framework/diag"
 	"github.com/hashicorp/terraform-plugin-framework/path"
@@ -34,25 +52,58 @@ func NewClusterResource() resource.Resource {
 }
 
 // ClusterResource defines the resource implementation.
-type ClusterResource struct{}
+type ClusterResource struct {
+	newApplier func(ctx context.Context, validator atls.Validator) *constellation.Applier
+}
 
 // ClusterResourceModel describes the resource data model.
 type ClusterResourceModel struct {
-	UID                   types.String `tfsdk:"uid"`
-	Name                  types.String `tfsdk:"name"`
-	Image                 types.String `tfsdk:"image"`
-	KubernetesVersion     types.String `tfsdk:"kubernetes_version"`
-	InitEndpoint          types.String `tfsdk:"init_endpoint"`
-	KubernetesAPIEndpoint types.String `tfsdk:"kubernetes_api_endpoint"`
-	MicroserviceVersion   types.String `tfsdk:"constellation_microservices_version"`
-	ExtraMicroservices    types.Object `tfsdk:"extra_microservices"`
-	MasterSecret          types.String `tfsdk:"master_secret"`
-	InitSecret            types.String `tfsdk:"init_secret"`
-	Attestation           types.Object `tfsdk:"attestation"`
-	OwnerID               types.String `tfsdk:"owner_id"`
-	ClusterID             types.String `tfsdk:"cluster_id"`
-	Kubeconfig            types.String `tfsdk:"kubeconfig"`
-	// NetworkConfig 			 types.Object `tfsdk:"network_config"` // TODO(elchead): do when clear what is needed
+	Name                   types.String `tfsdk:"name"`
+	CSP                    types.String `tfsdk:"csp"`
+	UID                    types.String `tfsdk:"uid"`
+	ImageVersion           types.String `tfsdk:"image_version"`
+	ImageReference         types.String `tfsdk:"image_reference"`
+	KubernetesVersion      types.String `tfsdk:"kubernetes_version"`
+	MicroserviceVersion    types.String `tfsdk:"constellation_microservice_version"`
+	OutOfClusterEndpoint   types.String `tfsdk:"out_of_cluster_endpoint"`
+	InClusterEndpoint      types.String `tfsdk:"in_cluster_endpoint"`
+	ExtraMicroservices     types.Object `tfsdk:"extra_microservices"`
+	ExtraAPIServerCertSANs types.List   `tfsdk:"extra_api_server_cert_sans"`
+	NetworkConfig          types.Object `tfsdk:"network_config"`
+	MasterSecret           types.String `tfsdk:"master_secret"`
+	MasterSecretSalt       types.String `tfsdk:"master_secret_salt"`
+	MeasurementSalt        types.String `tfsdk:"measurement_salt"`
+	InitSecret             types.String `tfsdk:"init_secret"`
+	Attestation            types.Object `tfsdk:"attestation"`
+	GCP                    types.Object `tfsdk:"gcp"`
+	Azure                  types.Object `tfsdk:"azure"`
+
+	OwnerID    types.String `tfsdk:"owner_id"`
+	ClusterID  types.String `tfsdk:"cluster_id"`
+	KubeConfig types.String `tfsdk:"kubeconfig"`
+}
+
+type networkConfig struct {
+	IPCidrNode    string `tfsdk:"ip_cidr_node"`
+	IPCidrPod     string `tfsdk:"ip_cidr_pod"`
+	IPCidrService string `tfsdk:"ip_cidr_service"`
+}
+
+type gcp struct {
+	// ServiceAccountKey is the private key of the service account used within the cluster.
+	ServiceAccountKey string `tfsdk:"service_account_key"`
+	ProjectID         string `tfsdk:"project_id"`
+}
+
+type azure struct {
+	TenantID                 string `tfsdk:"tenant_id"`
+	Location                 string `tfsdk:"location"`
+	UamiClientID             string `tfsdk:"uami_client_id"`
+	UamiResourceID           string `tfsdk:"uami_resource_id"`
+	ResourceGroup            string `tfsdk:"resource_group"`
+	SubscriptionID           string `tfsdk:"subscription_id"`
+	NetworkSecurityGroupName string `tfsdk:"network_security_group_name"`
+	LoadBalancerName         string `tfsdk:"load_balancer_name"`
 }
 
 // Metadata returns the metadata of the resource.
@@ -67,39 +118,50 @@ func (r *ClusterResource) Schema(_ context.Context, _ resource.SchemaRequest, re
 		Description:         "Resource for a Constellation cluster.",
 
 		Attributes: map[string]schema.Attribute{
+			// Input attributes
+			"name": schema.StringAttribute{
+				MarkdownDescription: "Name used in the cluster's named resources / cluster name.",
+				Description:         "Name used in the cluster's named resources / cluster name.",
+				Required:            true, // TODO: Make optional and default to Constell.
+			},
+			"csp": schema.StringAttribute{
+				MarkdownDescription: "The Cloud Service Provider (CSP) the cluster should run on.",
+				Description:         "The Cloud Service Provider (CSP) the cluster should run on.",
+				Required:            true,
+			},
 			"uid": schema.StringAttribute{
 				MarkdownDescription: "The UID of the cluster.",
 				Description:         "The UID of the cluster.",
 				Required:            true,
 			},
-			"name": schema.StringAttribute{
-				MarkdownDescription: "Name used in the cluster's named resources / cluster name.",
-				Description:         "Name used in the cluster's named resources / cluster name.",
-				Optional:            true, // TODO(elchead): use "constell" as default
+			"image_version": schema.StringAttribute{
+				MarkdownDescription: "Constellation OS image version to use in the CSP specific reference format. Use the [`constellation_image`](../data-sources/image.md) data source to find the correct image version for your CSP.",
+				Description:         "Constellation OS image version to use in the CSP specific reference format. Use the `constellation_image` data source to find the correct image version for your CSP.",
+				Required:            true,
 			},
-			"image": schema.StringAttribute{
-				MarkdownDescription: "The Constellation OS image to use in the CSP specific reference format. Use the `constellation_image` data source to find the correct image for your CSP.",
-				Description:         "The Constellation OS image to use in the CSP specific reference format. Use the `constellation_image` data source to find the correct image for your CSP. When not set, the latest default version will be used.",
-				Optional:            true,
+			"image_reference": schema.StringAttribute{
+				MarkdownDescription: "Constellation OS image reference to use in the CSP specific reference format. Use the [`constellation_image`](../data-sources/image.md) data source to find the correct image reference for your CSP.",
+				Description:         "Constellation OS image reference to use in the CSP specific reference format. Use the `constellation_image` data source to find the correct image reference for your CSP.",
+				Required:            true,
 			},
 			"kubernetes_version": schema.StringAttribute{
-				MarkdownDescription: fmt.Sprintf("The Kubernetes version to use for the cluster. When not set, the latest default version (%q) will be used. The supported versions are %s.", versions.Default, versions.SupportedK8sVersions()),
-				Description:         fmt.Sprintf("The Kubernetes version to use for the cluster. When not set, the latest default version (%q) will be used. The supported versions are %s.", versions.Default, versions.SupportedK8sVersions()),
+				MarkdownDescription: fmt.Sprintf("The Kubernetes version to use for the cluster. When not set, version %s is used. The supported versions are %s.", versions.Default, versions.SupportedK8sVersions()),
+				Description:         fmt.Sprintf("The Kubernetes version to use for the cluster. When not set, version %s is used. The supported versions are %s.", versions.Default, versions.SupportedK8sVersions()),
 				Optional:            true,
 			},
-			"constellation_microservices_version": schema.StringAttribute{
-				MarkdownDescription: "The Constellation microservices version to use for the cluster.",
-				Description:         "The Constellation microservices version to use for the cluster. When not set, the latest default version will be used.",
+			"constellation_microservice_version": schema.StringAttribute{
+				MarkdownDescription: "The version of Constellation's microservices used within the cluster. When not set, the provider default version is used.",
+				Description:         "The version of Constellation's microservices used within the cluster. When not set, the provider default version is used.",
 				Optional:            true,
 			},
-			"init_endpoint": schema.StringAttribute{
-				MarkdownDescription: "The endpoint to use for cluster initialization. This is the endpoint of the node running the bootstrapper.",
-				Description:         "The endpoint to use for cluster initialization.",
-				Optional:            true,
+			"out_of_cluster_endpoint": schema.StringAttribute{
+				MarkdownDescription: "The endpoint of the cluster. Typically, this is the public IP of a loadbalancer.",
+				Description:         "The endpoint of the cluster. Typically, this is the public IP of a loadbalancer.",
+				Required:            true,
 			},
-			"kubernetes_api_endpoint": schema.StringAttribute{
-				MarkdownDescription: "The endpoint to use for the Kubernetes API.",
-				Description:         "The endpoint to use for the Kubernetes API. When not set, the default endpoint will be used.",
+			"in_cluster_endpoint": schema.StringAttribute{
+				MarkdownDescription: "The endpoint of the cluster. When not set, the out-of-cluster endpoint is used.",
+				Description:         "The endpoint of the cluster. When not set, the out-of-cluster endpoint is used.",
 				Optional:            true,
 			},
 			"extra_microservices": schema.SingleNestedAttribute{
@@ -108,23 +170,127 @@ func (r *ClusterResource) Schema(_ context.Context, _ resource.SchemaRequest, re
 				Optional:            true,
 				Attributes: map[string]schema.Attribute{
 					"csi_driver": schema.BoolAttribute{
+						MarkdownDescription: "Enable Constellation's [encrypted CSI driver](https://docs.edgeless.systems/constellation/workflows/storage).",
+						Description:         "Enable Constellation's encrypted CSI driver.",
+						Required:            true,
+					},
+				},
+			},
+			"extra_api_server_cert_sans": schema.ListAttribute{
+				MarkdownDescription: "List of additional Subject Alternative Names (SANs) for the API server certificate.",
+				Description:         "List of additional Subject Alternative Names (SANs) for the API server certificate.",
+				ElementType:         types.StringType,
+				Optional:            true,
+			},
+			"network_config": schema.SingleNestedAttribute{
+				MarkdownDescription: "Configuration for the cluster's network.",
+				Description:         "Configuration for the cluster's network.",
+				Required:            true,
+				Attributes: map[string]schema.Attribute{
+					"ip_cidr_node": schema.StringAttribute{
+						MarkdownDescription: "CIDR range of the cluster's node network.",
+						Description:         "CIDR range of the cluster's node network.",
+						Required:            true,
+					},
+					"ip_cidr_pod": schema.StringAttribute{
+						MarkdownDescription: "CIDR range of the cluster's pod network. Only required for clusters running on GCP.",
+						Description:         "CIDR range of the cluster's pod network. Only required for clusters running on GCP.",
 						Optional:            true,
-						MarkdownDescription: "Enable the CSI driver microservice.",
-						Description:         "Enable the CSI driver microservice.",
+					},
+					"ip_cidr_service": schema.StringAttribute{
+						MarkdownDescription: "CIDR range of the cluster's service network.",
+						Description:         "CIDR range of the cluster's service network.",
+						Required:            true,
 					},
 				},
 			},
 			"master_secret": schema.StringAttribute{
-				MarkdownDescription: "The master secret to use for the cluster.",
-				Description:         "The master secret to use for the cluster.",
+				MarkdownDescription: "Hex-encoded 32-byte master secret for the cluster.",
+				Description:         "Hex-encoded 32-byte master secret for the cluster.",
+				Required:            true,
+			},
+			"master_secret_salt": schema.StringAttribute{
+				MarkdownDescription: "Hex-encoded 32-byte master secret salt for the cluster.",
+				Description:         "Hex-encoded 32-byte master secret salt for the cluster.",
+				Required:            true,
+			},
+			"measurement_salt": schema.StringAttribute{
+				MarkdownDescription: "Hex-encoded 32-byte measurement salt for the cluster.",
+				Description:         "Hex-encoded 32-byte measurement salt for the cluster.",
 				Required:            true,
 			},
 			"init_secret": schema.StringAttribute{
-				MarkdownDescription: "The init secret to use for the cluster.",
-				Description:         "The init secret to use for the cluster.",
+				MarkdownDescription: "Secret used for initialization of the cluster.",
+				Description:         "Secret used for initialization of the cluster.",
 				Required:            true,
 			},
 			"attestation": newAttestationConfigAttribute(attributeInput),
+			"gcp": schema.SingleNestedAttribute{
+				MarkdownDescription: "GCP-specific configuration.",
+				Description:         "GCP-specific configuration.",
+				Optional:            true,
+				Attributes: map[string]schema.Attribute{
+					"service_account_key": schema.StringAttribute{
+						MarkdownDescription: "Base64-encoded private key JSON object of the service account used within the cluster.",
+						Description:         "Base64-encoded private key JSON object of the service account used within the cluster.",
+						Required:            true,
+					},
+					"project_id": schema.StringAttribute{
+						MarkdownDescription: "ID of the GCP project the cluster resides in.",
+						Description:         "ID of the GCP project the cluster resides in.",
+						Required:            true,
+					},
+				},
+			},
+			"azure": schema.SingleNestedAttribute{
+				MarkdownDescription: "Azure-specific configuration.",
+				Description:         "Azure-specific configuration.",
+				Optional:            true,
+				Attributes: map[string]schema.Attribute{
+					"tenant_id": schema.StringAttribute{
+						MarkdownDescription: "Tenant ID of the Azure account.",
+						Description:         "Tenant ID of the Azure account.",
+						Required:            true,
+					},
+					"location": schema.StringAttribute{
+						MarkdownDescription: "Azure Location of the cluster.",
+						Description:         "Azure Location of the cluster.",
+						Required:            true,
+					},
+					"uami_client_id": schema.StringAttribute{
+						MarkdownDescription: "Client ID of the User assigned managed identity (UAMI) used within the cluster.",
+						Description:         "Client ID of the User assigned managed identity (UAMI) used within the cluster.",
+						Required:            true,
+					},
+					"uami_resource_id": schema.StringAttribute{
+						MarkdownDescription: "Resource ID of the User assigned managed identity (UAMI) used within the cluster.",
+						Description:         "Resource ID of the User assigned managed identity (UAMI) used within the cluster.",
+						Required:            true,
+					},
+					"resource_group": schema.StringAttribute{
+						MarkdownDescription: "Name of the Azure resource group the cluster resides in.",
+						Description:         "Name of the Azure resource group the cluster resides in.",
+						Required:            true,
+					},
+					"subscription_id": schema.StringAttribute{
+						MarkdownDescription: "ID of the Azure subscription the cluster resides in.",
+						Description:         "ID of the Azure subscription the cluster resides in.",
+						Required:            true,
+					},
+					"network_security_group_name": schema.StringAttribute{
+						MarkdownDescription: "Name of the Azure network security group used for the cluster.",
+						Description:         "Name of the Azure network security group used for the cluster.",
+						Required:            true,
+					},
+					"load_balancer_name": schema.StringAttribute{
+						MarkdownDescription: "Name of the Azure load balancer used by the cluster.",
+						Description:         "Name of the Azure load balancer used by the cluster.",
+						Required:            true,
+					},
+				},
+			},
+
+			// Computed (output) attributes
 			"owner_id": schema.StringAttribute{
 				MarkdownDescription: "The owner ID of the cluster.",
 				Description:         "The owner ID of the cluster.",
@@ -151,69 +317,30 @@ func (r *ClusterResource) Configure(_ context.Context, req resource.ConfigureReq
 		return
 	}
 
-	// client, ok := req.ProviderData.(*http.Client)
-
-	// if !ok {
-	//	resp.Diagnostics.AddError(
-	//		"Unexpected Resource Configure Type",
-	//		fmt.Sprintf("Expected *http.Client, got: %T. Please report this issue to the provider developers.", req.ProviderData),
-	//	)
+	newDialer := func(validator atls.Validator) *dialer.Dialer {
+		return dialer.New(nil, validator, &net.Dialer{})
+	}
 
-	//	return
-	//}
+	r.newApplier = func(ctx context.Context, validator atls.Validator) *constellation.Applier {
+		return constellation.NewApplier(&tfContextLogger{ctx: ctx}, &nopSpinner{}, newDialer)
+	}
 }
 
 // Create is called when the resource is created.
 func (r *ClusterResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
+	// Read data supplied by Terraform runtime into the model
 	var data ClusterResourceModel
-	// Read Terraform plan data into the model
 	resp.Diagnostics.Append(req.Plan.Get(ctx, &data)...)
-
-	if resp.Diagnostics.HasError() {
-		return
-	}
-
-	var tfAttestation attestation
-	diags := data.Attestation.As(ctx, &tfAttestation, basetypes.ObjectAsOptions{})
-	resp.Diagnostics.Append(diags...)
 	if resp.Diagnostics.HasError() {
 		return
 	}
 
-	attestationVariant, err := variant.FromString(tfAttestation.Variant)
-	if err != nil {
-		resp.Diagnostics.AddAttributeError(
-			path.Root("attestation_variant"),
-			"Invalid Attestation Variant",
-			fmt.Sprintf("Invalid attestation variant: %s", tfAttestation.Variant))
-		return
-	}
-	attestationCfg, err := convertFromTfAttestationCfg(tfAttestation, attestationVariant)
-	if err != nil {
-		resp.Diagnostics.AddError("Parsing attestation config", err.Error())
-		return
-	}
-
-	var extraMicroservices extraMicroservices
-	diags = data.ExtraMicroservices.As(ctx, &extraMicroservices, basetypes.ObjectAsOptions{})
+	// Apply changes to the cluster, including the init RPC and skipping the node upgrade.
+	diags := r.apply(ctx, &data, false, true)
 	resp.Diagnostics.Append(diags...)
 	if resp.Diagnostics.HasError() {
 		return
 	}
-	// TODO(elchead): implement in follow up PR
-	data.OwnerID = types.StringValue("owner_id")
-	data.ClusterID = types.StringValue("cluster_id")
-	data.Kubeconfig = types.StringValue("kubeconfig")
-	// applier := constellation.NewApplier(log)
-	_, err = choose.Validator(attestationCfg, &tfLogger{dg: &resp.Diagnostics})
-	if err != nil {
-		resp.Diagnostics.AddError("Choosing validator", err.Error())
-		return
-	}
-
-	// Write logs using the tflog package
-	// Documentation: https://terraform.io/plugin/log
-	tflog.Trace(ctx, "created a resource")
 
 	// Save data into Terraform state
 	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
@@ -221,22 +348,22 @@ func (r *ClusterResource) Create(ctx context.Context, req resource.CreateRequest
 
 // Read is called when the resource is read or refreshed.
 func (r *ClusterResource) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) {
-	var data ClusterResourceModel
-
 	// Read Terraform prior state data into the model
+	var data ClusterResourceModel
 	resp.Diagnostics.Append(req.State.Get(ctx, &data)...)
-
 	if resp.Diagnostics.HasError() {
 		return
 	}
 
-	// If applicable, this is a great opportunity to initialize any necessary
-	// provider client data and make a call using it.
-	// httpResp, err := r.client.Do(httpReq)
-	// if err != nil {
-	//     resp.Diagnostics.AddError("Client Error", fmt.Sprintf("Unable to read example, got error: %s", err))
-	//     return
-	// }
+	// All Calls to the Constellation API are idempotent, thus we don't need to implement reading.
+
+	// Alternatively, we could:
+
+	// Retrieve more up-to-date data from the cluster. e.g.:
+	// - CSI Driver enabled?
+	// - Kubernetes version?
+	// - Microservice version?
+	// - Attestation Config?
 
 	// Save updated data into Terraform state
 	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
@@ -244,22 +371,19 @@ func (r *ClusterResource) Read(ctx context.Context, req resource.ReadRequest, re
 
 // Update is called when the resource is updated.
 func (r *ClusterResource) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
-	var data ClusterResourceModel
-
 	// Read Terraform plan data into the model
+	var data ClusterResourceModel
 	resp.Diagnostics.Append(req.Plan.Get(ctx, &data)...)
-
 	if resp.Diagnostics.HasError() {
 		return
 	}
 
-	// If applicable, this is a great opportunity to initialize any necessary
-	// provider client data and make a call using it.
-	// httpResp, err := r.client.Do(httpReq)
-	// if err != nil {
-	//     resp.Diagnostics.AddError("Client Error", fmt.Sprintf("Unable to update example, got error: %s", err))
-	//     return
-	// }
+	// Apply changes to the cluster, skipping the init RPC.
+	diags := r.apply(ctx, &data, true, false)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
 
 	// Save updated data into Terraform state
 	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
@@ -267,37 +391,502 @@ func (r *ClusterResource) Update(ctx context.Context, req resource.UpdateRequest
 
 // Delete is called when the resource is destroyed.
 func (r *ClusterResource) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) {
-	var data ClusterResourceModel
-
 	// Read Terraform prior state data into the model
+	var data ClusterResourceModel
 	resp.Diagnostics.Append(req.State.Get(ctx, &data)...)
-
 	if resp.Diagnostics.HasError() {
 		return
 	}
-
-	// If applicable, this is a great opportunity to initialize any necessary
-	// provider client data and make a call using it.
-	// httpResp, err := r.client.Do(httpReq)
-	// if err != nil {
-	//     resp.Diagnostics.AddError("Client Error", fmt.Sprintf("Unable to delete example, got error: %s", err))
-	//     return
-	// }
 }
 
 // ImportState imports to the resource.
-func (r *ClusterResource) ImportState(ctx context.Context, req resource.ImportStateRequest, resp *resource.ImportStateResponse) {
-	resource.ImportStatePassthroughID(ctx, path.Root("id"), req, resp)
+func (r *ClusterResource) ImportState(_ context.Context, _ resource.ImportStateRequest, _ *resource.ImportStateResponse) {
+	// TODO: Implement
+
+	// Take Kubeconfig, Cluster Endpoint and Master Secret and save to state
+}
+
+// apply applies changes to a cluster. It can be used for both creating and updating a cluster.
+// This implements the core part of the Create and Update methods.
+func (r *ClusterResource) apply(ctx context.Context, data *ClusterResourceModel, skipInitRPC, skipNodeUpgrade bool) diag.Diagnostics {
+	diags := diag.Diagnostics{}
+
+	// Parse and convert values from the Terraform state
+	// to formats the Constellation library can work with.
+
+	csp := cloudprovider.FromString(data.CSP.ValueString())
+
+	// parse attestation config
+	att, convertDiags := r.convertAttestationConfig(ctx, *data)
+	diags.Append(convertDiags...)
+	if diags.HasError() {
+		return diags
+	}
+
+	// parse secrets (i.e. measurement salt, master secret, etc.)
+	secrets, convertDiags := r.convertSecrets(*data)
+	diags.Append(convertDiags...)
+	if diags.HasError() {
+		return diags
+	}
+
+	// parse API server certificate SANs
+	apiServerCertSANs := make([]string, 0, len(data.ExtraAPIServerCertSANs.Elements()))
+	for _, san := range data.ExtraAPIServerCertSANs.Elements() {
+		apiServerCertSANs = append(apiServerCertSANs, san.String())
+	}
+
+	// parse network config
+	var networkCfg networkConfig
+	convertDiags = data.NetworkConfig.As(ctx, &networkCfg, basetypes.ObjectAsOptions{
+		UnhandledNullAsEmpty: true, // we want to allow null values, as some of the field's subfields are optional.
+	})
+	diags.Append(convertDiags...)
+	if diags.HasError() {
+		return diags
+	}
+
+	// parse Constellation microservice config
+	var microserviceCfg extraMicroservices
+	convertDiags = data.ExtraMicroservices.As(ctx, &microserviceCfg, basetypes.ObjectAsOptions{
+		UnhandledNullAsEmpty: true, // we want to allow null values, as the CSIDriver field is optional
+	})
+	diags.Append(convertDiags...)
+	if diags.HasError() {
+		return diags
+	}
+
+	// parse Constellation microservice version
+	microserviceVersion, err := semver.New(data.MicroserviceVersion.ValueString())
+	if err != nil {
+		diags.AddAttributeError(
+			path.Root("constellation_microservice_version"),
+			"Invalid microservice version",
+			fmt.Sprintf("Parsing microservice version: %s", err))
+		return diags
+	}
+
+	// parse Kubernetes version
+	k8sVersion, getDiags := r.getK8sVersion(ctx, data)
+	diags.Append(getDiags...)
+	if diags.HasError() {
+		return diags
+	}
+
+	// parse OS image version
+	imageVersion, err := semver.New(data.ImageVersion.ValueString())
+	if err != nil {
+		diags.AddAttributeError(
+			path.Root("image_version"),
+			"Invalid image version",
+			fmt.Sprintf("Parsing image version: %s", err))
+		return diags
+	}
+
+	// Parse in-cluster service account info.
+	serviceAccPayload := constellation.ServiceAccountPayload{}
+	var gcpConfig gcp
+	var azureConfig azure
+	switch csp {
+	case cloudprovider.GCP:
+		convertDiags = data.GCP.As(ctx, &gcpConfig, basetypes.ObjectAsOptions{})
+		diags.Append(convertDiags...)
+		if diags.HasError() {
+			return diags
+		}
+
+		decodedSaKey, err := base64.StdEncoding.DecodeString(gcpConfig.ServiceAccountKey)
+		if err != nil {
+			diags.AddAttributeError(
+				path.Root("gcp").AtName("service_account_key"),
+				"Decoding service account key",
+				fmt.Sprintf("Decoding base64-encoded service account key: %s", err))
+			return diags
+		}
+
+		if err := json.Unmarshal(decodedSaKey, &serviceAccPayload.GCP); err != nil {
+			diags.AddAttributeError(
+				path.Root("gcp").AtName("service_account_key"),
+				"Unmarshalling service account key",
+				fmt.Sprintf("Unmarshalling service account key: %s", err))
+			return diags
+		}
+	case cloudprovider.Azure:
+		convertDiags = data.Azure.As(ctx, &azureConfig, basetypes.ObjectAsOptions{})
+		diags.Append(convertDiags...)
+		if diags.HasError() {
+			return diags
+		}
+		serviceAccPayload.Azure = azureshared.ApplicationCredentials{
+			TenantID:            azureConfig.TenantID,
+			Location:            azureConfig.Location,
+			PreferredAuthMethod: azureshared.AuthMethodUserAssignedIdentity,
+			UamiResourceID:      azureConfig.UamiResourceID,
+		}
+	}
+	serviceAccURI, err := constellation.MarshalServiceAccountURI(csp, serviceAccPayload)
+	if err != nil {
+		diags.AddError("Marshalling service account URI", err.Error())
+		return diags
+	}
+
+	// we want to fall back to outOfClusterEndpoint if inClusterEndpoint is not set.
+	inClusterEndpoint := data.InClusterEndpoint.ValueString()
+	if inClusterEndpoint == "" {
+		inClusterEndpoint = data.OutOfClusterEndpoint.ValueString()
+	}
+
+	// setup clients
+	validator, err := choose.Validator(att.config, &tfContextLogger{ctx: ctx})
+	if err != nil {
+		diags.AddError("Choosing validator", err.Error())
+		return diags
+	}
+	applier := r.newApplier(ctx, validator)
+
+	// Construct in-memory state file
+	stateFile := state.New().SetInfrastructure(state.Infrastructure{
+		UID:               data.UID.ValueString(),
+		ClusterEndpoint:   data.OutOfClusterEndpoint.ValueString(),
+		InClusterEndpoint: inClusterEndpoint,
+		InitSecret:        []byte(data.InitSecret.ValueString()),
+		APIServerCertSANs: apiServerCertSANs,
+		Name:              data.Name.ValueString(),
+		IPCidrNode:        networkCfg.IPCidrNode,
+	})
+	switch csp {
+	case cloudprovider.Azure:
+		stateFile.Infrastructure.Azure = &state.Azure{
+			ResourceGroup:            azureConfig.ResourceGroup,
+			SubscriptionID:           azureConfig.SubscriptionID,
+			NetworkSecurityGroupName: azureConfig.NetworkSecurityGroupName,
+			LoadBalancerName:         azureConfig.LoadBalancerName,
+			UserAssignedIdentity:     azureConfig.UamiClientID,
+			AttestationURL:           att.maaURL,
+		}
+	case cloudprovider.GCP:
+		stateFile.Infrastructure.GCP = &state.GCP{
+			ProjectID: gcpConfig.ProjectID,
+			IPCidrPod: networkCfg.IPCidrPod,
+		}
+	}
+
+	// Now, we perform the actual applying.
+
+	// Run init RPC
+	var initDiags diag.Diagnostics
+	if !skipInitRPC {
+		// run the init RPC and retrieve the post-init state
+		initRPCPayload := initRPCPayload{
+			csp:               csp,
+			masterSecret:      secrets.masterSecret,
+			measurementSalt:   secrets.measurementSalt,
+			apiServerCertSANs: apiServerCertSANs,
+			azureCfg:          azureConfig,
+			gcpCfg:            gcpConfig,
+			networkCfg:        networkCfg,
+			maaURL:            att.maaURL,
+			k8sVersion:        k8sVersion,
+			inClusterEndpoint: inClusterEndpoint,
+		}
+		initDiags = r.runInitRPC(ctx, applier, initRPCPayload, data, validator, stateFile)
+		diags.Append(initDiags...)
+		if diags.HasError() {
+			return diags
+		}
+	}
+
+	// Here, we either have the post-init values from the actual init RPC
+	// or, if performing an upgrade and skipping the init RPC, we have the
+	// values from the Terraform state.
+	stateFile.SetClusterValues(state.ClusterValues{
+		ClusterID:       data.ClusterID.ValueString(),
+		OwnerID:         data.OwnerID.ValueString(),
+		MeasurementSalt: secrets.measurementSalt,
+	})
+
+	// Kubeconfig is in the state by now. Either through the init RPC or through
+	// already being in the state.
+	if err := applier.SetKubeConfig([]byte(data.KubeConfig.ValueString())); err != nil {
+		diags.AddError("Setting kubeconfig", err.Error())
+		return diags
+	}
+
+	// Apply attestation config
+	if err := applier.ApplyJoinConfig(ctx, att.config, secrets.measurementSalt); err != nil {
+		diags.AddError("Applying attestation config", err.Error())
+		return diags
+	}
+
+	// Extend API Server Certificate SANs
+	if err := applier.ExtendClusterConfigCertSANs(ctx, data.OutOfClusterEndpoint.ValueString(),
+		"", apiServerCertSANs); err != nil {
+		diags.AddError("Extending API server certificate SANs", err.Error())
+		return diags
+	}
+
+	// Apply Helm Charts
+	payload := applyHelmChartsPayload{
+		csp:                 cloudprovider.FromString(data.CSP.ValueString()),
+		attestationVariant:  att.variant,
+		k8sVersion:          k8sVersion,
+		microserviceVersion: microserviceVersion,
+		DeployCSIDriver:     microserviceCfg.CSIDriver,
+		masterSecret:        secrets.masterSecret,
+		serviceAccURI:       serviceAccURI,
+	}
+	helmDiags := r.applyHelmCharts(ctx, applier, payload, stateFile)
+	diags.Append(helmDiags...)
+	if diags.HasError() {
+		return diags
+	}
+
+	if !skipNodeUpgrade {
+		// Upgrade node image
+		err = applier.UpgradeNodeImage(ctx,
+			imageVersion,
+			data.ImageReference.ValueString(),
+			false)
+		if err != nil {
+			diags.AddError("Upgrading node OS image", err.Error())
+			return diags
+		}
+
+		// Upgrade Kubernetes version
+		if err := applier.UpgradeKubernetesVersion(ctx, k8sVersion, false); err != nil {
+			diags.AddError("Upgrading Kubernetes version", err.Error())
+			return diags
+		}
+	}
+
+	return diags
 }
 
-type tfLogger struct {
-	dg *diag.Diagnostics
+// initRPCPayload groups the data required to run the init RPC.
+type initRPCPayload struct {
+	csp               cloudprovider.Provider   // cloud service provider the cluster runs on.
+	masterSecret      uri.MasterSecret         // master secret of the cluster.
+	measurementSalt   []byte                   // measurement salt of the cluster.
+	apiServerCertSANs []string                 // additional SANs to add to the API server certificate.
+	azureCfg          azure                    // Azure-specific configuration.
+	gcpCfg            gcp                      // GCP-specific configuration.
+	networkCfg        networkConfig            // network configuration of the cluster.
+	maaURL            string                   // URL of the MAA service. Only used for Azure clusters.
+	k8sVersion        versions.ValidK8sVersion // Kubernetes version of the cluster.
+	// Internal Endpoint of the cluster.
+	// If no internal LB is used, this should be the same as the out-of-cluster endpoint.
+	inClusterEndpoint string
 }
 
-func (l *tfLogger) Infof(format string, args ...any) {
-	tflog.Info(context.Background(), fmt.Sprintf(format, args...))
+// runInitRPC runs the init RPC on the cluster.
+func (r *ClusterResource) runInitRPC(ctx context.Context, applier *constellation.Applier, payload initRPCPayload,
+	data *ClusterResourceModel, validator atls.Validator, stateFile *state.State,
+) diag.Diagnostics {
+	diags := diag.Diagnostics{}
+	clusterLogs := &bytes.Buffer{}
+	initOutput, err := applier.Init(
+		ctx, validator, stateFile, clusterLogs,
+		constellation.InitPayload{
+			MasterSecret:    payload.masterSecret,
+			MeasurementSalt: payload.measurementSalt,
+			K8sVersion:      payload.k8sVersion,
+			ConformanceMode: false, // Conformance mode does't need to be configurable through the TF provider for now.
+			ServiceCIDR:     payload.networkCfg.IPCidrService,
+		})
+	if err != nil {
+		var nonRetriable *constellation.NonRetriableInitError
+		if errors.As(err, &nonRetriable) {
+			diags.AddError("Cluster initialization failed.",
+				fmt.Sprintf("This error is not recoverable. Clean up the cluster's infrastructure resources and try again.\nError: %s", err))
+			if nonRetriable.LogCollectionErr != nil {
+				diags.AddError("Bootstrapper log collection failed.",
+					fmt.Sprintf("Failed to collect logs from bootstrapper: %s\n", nonRetriable.LogCollectionErr))
+			} else {
+				diags.AddWarning("Cluster log collection succeeded.", clusterLogs.String())
+			}
+		} else {
+			diags.AddError("Cluster initialization failed.", fmt.Sprintf("You might try to apply the resource again.\nError: %s", err))
+		}
+		return diags
+	}
+
+	// Save data from init response into the Terraform state
+	data.KubeConfig = types.StringValue(string(initOutput.Kubeconfig))
+	data.ClusterID = types.StringValue(initOutput.ClusterID)
+	data.OwnerID = types.StringValue(initOutput.OwnerID)
+
+	return diags
 }
 
-func (l *tfLogger) Warnf(format string, args ...any) {
-	l.dg.AddWarning(fmt.Sprintf(format, args...), "")
+// applyHelmChartsPayload groups the data required to apply the Helm charts.
+type applyHelmChartsPayload struct {
+	csp                 cloudprovider.Provider   // cloud service provider the cluster runs on.
+	attestationVariant  variant.Variant          // attestation variant used on the cluster's nodes.
+	k8sVersion          versions.ValidK8sVersion // Kubernetes version of the cluster.
+	microserviceVersion semver.Semver            // version of the Constellation microservices used on the cluster.
+	DeployCSIDriver     bool                     // Whether to deploy the CSI driver.
+	masterSecret        uri.MasterSecret         // master secret of the cluster.
+	serviceAccURI       string                   // URI of the service account used within the cluster.
 }
+
+// applyHelmCharts applies the Helm charts to the cluster.
+func (r *ClusterResource) applyHelmCharts(ctx context.Context, applier *constellation.Applier,
+	payload applyHelmChartsPayload, state *state.State,
+) diag.Diagnostics {
+	diags := diag.Diagnostics{}
+	options := helm.Options{
+		CSP:                 payload.csp,
+		AttestationVariant:  payload.attestationVariant,
+		K8sVersion:          payload.k8sVersion,
+		MicroserviceVersion: payload.microserviceVersion,
+		DeployCSIDriver:     payload.DeployCSIDriver,
+		Force:               false,
+		Conformance:         false, // Conformance mode does't need to be configurable through the TF provider for now.
+		HelmWaitMode:        helm.WaitModeAtomic,
+		ApplyTimeout:        10 * time.Minute,
+		AllowDestructive:    helm.DenyDestructive,
+	}
+
+	executor, _, err := applier.PrepareHelmCharts(options, state,
+		payload.serviceAccURI, payload.masterSecret, nil)
+	if err != nil {
+		diags.AddError("Preparing Helm charts", err.Error())
+		return diags
+	}
+
+	if err := executor.Apply(ctx); err != nil {
+		diags.AddError("Applying Helm charts", err.Error())
+		return diags
+	}
+	return diags
+}
+
+// attestationInput groups the attestation values in a state consumable by the Constellation library.
+type attestationInput struct {
+	variant variant.Variant
+	maaURL  string
+	config  config.AttestationCfg
+}
+
+// convertAttestationConfig converts the attestation config from the Terraform state to the format
+// used by the Constellation library.
+func (r *ClusterResource) convertAttestationConfig(ctx context.Context, data ClusterResourceModel) (attestationInput, diag.Diagnostics) {
+	diags := diag.Diagnostics{}
+	var tfAttestation attestation
+	castDiags := data.Attestation.As(ctx, &tfAttestation, basetypes.ObjectAsOptions{})
+	diags.Append(castDiags...)
+	if diags.HasError() {
+		return attestationInput{}, diags
+	}
+
+	attestationVariant, err := variant.FromString(tfAttestation.Variant)
+	if err != nil {
+		diags.AddAttributeError(
+			path.Root("attestation_variant"),
+			"Invalid Attestation Variant",
+			fmt.Sprintf("Invalid attestation variant: %s", tfAttestation.Variant))
+		return attestationInput{}, diags
+	}
+
+	attestationCfg, err := convertFromTfAttestationCfg(tfAttestation, attestationVariant)
+	if err != nil {
+		diags.AddAttributeError(
+			path.Root("attestation"),
+			"Invalid Attestation Config",
+			fmt.Sprintf("Parsing attestation config: %s", err))
+		return attestationInput{}, diags
+	}
+
+	return attestationInput{attestationVariant, tfAttestation.AzureSNPFirmwareSignerConfig.MAAURL, attestationCfg}, diags
+}
+
+// secretInput groups the secrets and salts in a state consumable by the Constellation library.
+type secretInput struct {
+	masterSecret    uri.MasterSecret
+	initSecret      []byte
+	measurementSalt []byte
+}
+
+// convertFromTfAttestationCfg converts the secrets and salts from the Terraform state to the format
+// used by the Constellation library.
+func (r *ClusterResource) convertSecrets(data ClusterResourceModel) (secretInput, diag.Diagnostics) {
+	diags := diag.Diagnostics{}
+	masterSecret, err := hex.DecodeString(data.MasterSecret.ValueString())
+	if err != nil {
+		diags.AddAttributeError(
+			path.Root("master_secret"),
+			"Unmarshalling master secret",
+			fmt.Sprintf("Unmarshalling hex-encoded master secret: %s", err))
+		return secretInput{}, diags
+	}
+
+	masterSecretSalt, err := hex.DecodeString(data.MasterSecretSalt.ValueString())
+	if err != nil {
+		diags.AddAttributeError(
+			path.Root("master_secret_salt"),
+			"Unmarshalling master secret salt",
+			fmt.Sprintf("Unmarshalling hex-encoded master secret salt: %s", err))
+		return secretInput{}, diags
+	}
+
+	measurementSalt, err := hex.DecodeString(data.MeasurementSalt.ValueString())
+	if err != nil {
+		diags.AddAttributeError(
+			path.Root("measurement_salt"),
+			"Unmarshalling measurement salt",
+			fmt.Sprintf("Unmarshalling hex-encoded measurement salt: %s", err))
+		return secretInput{}, diags
+	}
+
+	return secretInput{
+		masterSecret:    uri.MasterSecret{Key: masterSecret, Salt: masterSecretSalt},
+		initSecret:      []byte(data.InitSecret.ValueString()),
+		measurementSalt: measurementSalt,
+	}, diags
+}
+
+// getK8sVersion returns the Kubernetes version from the Terraform state if set, and the default
+// version otherwise.
+func (r *ClusterResource) getK8sVersion(ctx context.Context, data *ClusterResourceModel) (versions.ValidK8sVersion, diag.Diagnostics) {
+	diags := diag.Diagnostics{}
+	var k8sVersion versions.ValidK8sVersion
+	var err error
+	if data.KubernetesVersion.ValueString() != "" {
+		k8sVersion, err = versions.NewValidK8sVersion(data.KubernetesVersion.ValueString(), true)
+		if err != nil {
+			diags.AddAttributeError(
+				path.Root("kubernetes_vesion"),
+				"Invalid Kubernetes version",
+				fmt.Sprintf("Parsing Kubernetes version: %s", err))
+			return "", diags
+		}
+	} else {
+		tflog.Info(ctx, fmt.Sprintf("No Kubernetes version specified. Using default version %s.", versions.Default))
+		k8sVersion = versions.Default
+	}
+	return k8sVersion, diags
+}
+
+// tfContextLogger is a logging adapter between the tflog package and
+// Constellation's logger.
+type tfContextLogger struct {
+	ctx context.Context // bind context to struct to satisfy interface
+}
+
+func (l *tfContextLogger) Debugf(format string, args ...any) {
+	tflog.Debug(l.ctx, fmt.Sprintf(format, args...))
+}
+
+func (l *tfContextLogger) Infof(format string, args ...any) {
+	tflog.Info(l.ctx, fmt.Sprintf(format, args...))
+}
+
+func (l *tfContextLogger) Warnf(format string, args ...any) {
+	tflog.Warn(l.ctx, fmt.Sprintf(format, args...))
+}
+
+type nopSpinner struct{ io.Writer }
+
+func (s *nopSpinner) Start(string, bool)              {}
+func (s *nopSpinner) Stop()                           {}
+func (s *nopSpinner) Write([]byte) (n int, err error) { return 1, nil }
diff --git a/terraform-provider-constellation/internal/provider/cluster_resource_test.go b/terraform-provider-constellation/internal/provider/cluster_resource_test.go
deleted file mode 100644
index 03db18962c..0000000000
--- a/terraform-provider-constellation/internal/provider/cluster_resource_test.go
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
-Copyright (c) Edgeless Systems GmbH
-
-SPDX-License-Identifier: AGPL-3.0-only
-*/
-
-package provider
-
-import (
-	"testing"
-
-	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
-)
-
-func TestAccClusterResource(t *testing.T) {
-	// Set the path to the Terraform binary for acceptance testing when running under Bazel.
-	bazelPreCheck := func() { bazelSetTerraformBinaryPath(t) }
-
-	testCases := map[string]resource.TestCase{
-		"azure sev-snp success": {
-			ProtoV6ProviderFactories: testAccProtoV6ProviderFactories,
-			PreCheck:                 bazelPreCheck,
-			Steps: []resource.TestStep{
-				{
-					Config: testingConfig + `
-					data "constellation_attestation" "att" {
-						csp = "azure"
-						attestation_variant = "azure-sev-snp"
-						image_version = "v2.13.0"
-					}
-
-					resource "constellation_cluster" "test" {
-						uid = "test"
-						master_secret = "secret"
-						init_secret = "secret"
-						attestation = data.constellation_attestation.att.attestation
-						extra_microservices = {
-							csi_driver = true
-						}
-					}
-					`,
-					Check: resource.ComposeAggregateTestCheckFunc(
-						resource.TestCheckResourceAttr("constellation_cluster.test", "attestation.bootloader_version", "3"),
-						// TODO(elchead): check output in follow up PR
-					),
-				},
-			},
-		},
-	}
-
-	for name, tc := range testCases {
-		t.Run(name, func(t *testing.T) {
-			resource.Test(t, tc)
-		})
-	}
-}
diff --git a/terraform-provider-constellation/internal/provider/convert.go b/terraform-provider-constellation/internal/provider/convert.go
index c375c1347b..1704007190 100644
--- a/terraform-provider-constellation/internal/provider/convert.go
+++ b/terraform-provider-constellation/internal/provider/convert.go
@@ -57,6 +57,7 @@ func convertFromTfAttestationCfg(tfAttestation attestation, attestationVariant v
 		if err != nil {
 			return nil, fmt.Errorf("converting firmware signer config: %w", err)
 		}
+
 		var rootKey config.Certificate
 		if err := json.Unmarshal([]byte(tfAttestation.AMDRootKey), &rootKey); err != nil {
 			return nil, fmt.Errorf("unmarshalling root key: %w", err)
@@ -71,32 +72,50 @@ func convertFromTfAttestationCfg(tfAttestation attestation, attestationVariant v
 			FirmwareSignerConfig: firmwareCfg,
 			AMDRootKey:           rootKey,
 		}
+	case variant.AWSSEVSNP{}:
+		var rootKey config.Certificate
+		if err := json.Unmarshal([]byte(tfAttestation.AMDRootKey), &rootKey); err != nil {
+			return nil, fmt.Errorf("unmarshalling root key: %w", err)
+		}
+
+		attestationConfig = &config.AWSSEVSNP{
+			Measurements:      c11nMeasurements,
+			BootloaderVersion: newVersion(tfAttestation.BootloaderVersion),
+			TEEVersion:        newVersion(tfAttestation.TEEVersion),
+			SNPVersion:        newVersion(tfAttestation.SNPVersion),
+			MicrocodeVersion:  newVersion(tfAttestation.MicrocodeVersion),
+			AMDRootKey:        rootKey,
+		}
+	case variant.GCPSEVES{}:
+		attestationConfig = &config.GCPSEVES{
+			Measurements: c11nMeasurements,
+		}
+	default:
+		return nil, fmt.Errorf("unknown attestation variant: %s", attestationVariant)
 	}
 	return attestationConfig, nil
 }
 
 // convertToTfAttestationCfg converts the constellation attestation config to the related terraform structs.
-func convertToTfAttestation(attestationVariant variant.Variant,
-	snpVersions attestationconfigapi.SEVSNPVersionAPI,
-) (tfAttestation attestation, err error) {
-	// set fields that apply to all variants
+func convertToTfAttestation(attVar variant.Variant, snpVersions attestationconfigapi.SEVSNPVersionAPI) (tfAttestation attestation, err error) {
 	tfAttestation = attestation{
-		Variant:           attestationVariant.String(),
+		Variant:           attVar.String(),
 		BootloaderVersion: snpVersions.Bootloader,
 		TEEVersion:        snpVersions.TEE,
 		SNPVersion:        snpVersions.SNP,
 		MicrocodeVersion:  snpVersions.Microcode,
 	}
-	switch attestationVariant.(type) {
-	case variant.AWSSEVSNP:
+
+	switch attVar {
+	case variant.AWSSEVSNP{}:
 		certStr, err := certAsString(config.DefaultForAWSSEVSNP().AMDRootKey)
 		if err != nil {
 			return tfAttestation, err
 		}
 		tfAttestation.AMDRootKey = certStr
 
-	case variant.AzureSEVSNP:
-		certStr, err := certAsString(config.DefaultForAWSSEVSNP().AMDRootKey)
+	case variant.AzureSEVSNP{}:
+		certStr, err := certAsString(config.DefaultForAzureSEVSNP().AMDRootKey)
 		if err != nil {
 			return tfAttestation, err
 		}
@@ -108,6 +127,10 @@ func convertToTfAttestation(attestationVariant variant.Variant,
 			return tfAttestation, err
 		}
 		tfAttestation.AzureSNPFirmwareSignerConfig = tfFirmwareCfg
+	case variant.GCPSEVES{}:
+		// no additional fields
+	default:
+		return tfAttestation, fmt.Errorf("unknown attestation variant: %s", attVar)
 	}
 	return tfAttestation, nil
 }
diff --git a/terraform-provider-constellation/internal/provider/image_data_source.go b/terraform-provider-constellation/internal/provider/image_data_source.go
index cad183d5d4..000d4b883c 100644
--- a/terraform-provider-constellation/internal/provider/image_data_source.go
+++ b/terraform-provider-constellation/internal/provider/image_data_source.go
@@ -9,6 +9,7 @@ package provider
 import (
 	"context"
 	"fmt"
+	"regexp"
 
 	"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
@@ -19,8 +20,13 @@ import (
 	"github.com/hashicorp/terraform-plugin-framework/types"
 )
 
-// Ensure provider defined types fully satisfy framework interfaces.
-var _ datasource.DataSource = &ImageDataSource{}
+var (
+	// Ensure provider defined types fully satisfy framework interfaces.
+	_                                       datasource.DataSource = &ImageDataSource{}
+	caseInsensitiveCommunityGalleriesRegexp                       = regexp.MustCompile(`(?i)\/communitygalleries\/`)
+	caseInsensitiveImagesRegExp                                   = regexp.MustCompile(`(?i)\/images\/`)
+	caseInsensitiveVersionsRegExp                                 = regexp.MustCompile(`(?i)\/versions\/`)
+)
 
 // NewImageDataSource creates a new data source for fetching Constellation OS images
 // from the Versions-API.
@@ -140,6 +146,13 @@ func (d *ImageDataSource) Read(ctx context.Context, req datasource.ReadRequest,
 		return
 	}
 
+	// Do adjustments for Azure casing
+	if csp == cloudprovider.Azure {
+		imageRef = caseInsensitiveCommunityGalleriesRegexp.ReplaceAllString(imageRef, "/communityGalleries/")
+		imageRef = caseInsensitiveImagesRegExp.ReplaceAllString(imageRef, "/images/")
+		imageRef = caseInsensitiveVersionsRegExp.ReplaceAllString(imageRef, "/versions/")
+	}
+
 	// Save data into Terraform state
 	data.Reference = types.StringValue(imageRef)
 
diff --git a/terraform-provider-constellation/internal/provider/image_data_source_test.go b/terraform-provider-constellation/internal/provider/image_data_source_test.go
index a9f911d17f..71ff564b28 100644
--- a/terraform-provider-constellation/internal/provider/image_data_source_test.go
+++ b/terraform-provider-constellation/internal/provider/image_data_source_test.go
@@ -50,7 +50,7 @@ func TestAccImageDataSource(t *testing.T) {
 						csp                 = "azure"
 					}
 				`,
-					Check: resource.TestCheckResourceAttr("data.constellation_image.test", "reference", "/CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/2.13.0"), // should be immutable
+					Check: resource.TestCheckResourceAttr("data.constellation_image.test", "reference", "/communityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/images/constellation/versions/2.13.0"), // should be immutable
 
 				},
 			},
diff --git a/terraform/aws-constellation/main.tf b/terraform/legacy-module/aws-constellation/main.tf
similarity index 95%
rename from terraform/aws-constellation/main.tf
rename to terraform/legacy-module/aws-constellation/main.tf
index de6935de38..bc6aa2a9c1 100644
--- a/terraform/aws-constellation/main.tf
+++ b/terraform/legacy-module/aws-constellation/main.tf
@@ -3,12 +3,11 @@ locals {
 }
 
 module "aws_iam" {
-  source      = "../infrastructure/iam/aws"
+  source      = "../../infrastructure/iam/aws"
   name_prefix = var.name_prefix
   region      = local.region
 }
 
-
 resource "null_resource" "ensure_yq" {
   provisioner "local-exec" {
     command = <<EOT
@@ -29,9 +28,8 @@ module "fetch_image" {
   depends_on          = [module.aws_iam, null_resource.ensure_yq]
 }
 
-
 module "aws" {
-  source                             = "../infrastructure/aws"
+  source                             = "../../infrastructure/aws"
   name                               = var.name
   node_groups                        = var.node_groups
   iam_instance_profile_worker_nodes  = module.aws_iam.worker_nodes_instance_profile
diff --git a/terraform/aws-constellation/variables.tf b/terraform/legacy-module/aws-constellation/variables.tf
similarity index 100%
rename from terraform/aws-constellation/variables.tf
rename to terraform/legacy-module/aws-constellation/variables.tf
diff --git a/terraform/azure-constellation/main.tf b/terraform/legacy-module/azure-constellation/main.tf
similarity index 95%
rename from terraform/azure-constellation/main.tf
rename to terraform/legacy-module/azure-constellation/main.tf
index 9fbea0d62d..5bfb743860 100644
--- a/terraform/azure-constellation/main.tf
+++ b/terraform/legacy-module/azure-constellation/main.tf
@@ -18,14 +18,14 @@ module "fetch_image" {
 }
 
 module "azure_iam" {
-  source                 = "../infrastructure/iam/azure"
+  source                 = "../../infrastructure/iam/azure"
   region                 = var.location
   service_principal_name = var.service_principal_name
   resource_group_name    = var.resource_group_name
 }
 
 module "azure" {
-  source                 = "../infrastructure/azure"
+  source                 = "../../infrastructure/azure"
   name                   = var.name
   user_assigned_identity = module.azure_iam.uami_id
   node_groups            = var.node_groups
diff --git a/terraform/azure-constellation/variables.tf b/terraform/legacy-module/azure-constellation/variables.tf
similarity index 100%
rename from terraform/azure-constellation/variables.tf
rename to terraform/legacy-module/azure-constellation/variables.tf
diff --git a/terraform/common/fetch-image/.terraform.lock.hcl b/terraform/legacy-module/common/fetch-image/.terraform.lock.hcl
similarity index 100%
rename from terraform/common/fetch-image/.terraform.lock.hcl
rename to terraform/legacy-module/common/fetch-image/.terraform.lock.hcl
diff --git a/terraform/common/fetch-image/main.tf b/terraform/legacy-module/common/fetch-image/main.tf
similarity index 100%
rename from terraform/common/fetch-image/main.tf
rename to terraform/legacy-module/common/fetch-image/main.tf
diff --git a/terraform/common/fetch-image/output.tf b/terraform/legacy-module/common/fetch-image/output.tf
similarity index 100%
rename from terraform/common/fetch-image/output.tf
rename to terraform/legacy-module/common/fetch-image/output.tf
diff --git a/terraform/common/fetch-image/variables.tf b/terraform/legacy-module/common/fetch-image/variables.tf
similarity index 100%
rename from terraform/common/fetch-image/variables.tf
rename to terraform/legacy-module/common/fetch-image/variables.tf
diff --git a/terraform/common/install-yq.sh b/terraform/legacy-module/common/install-yq.sh
similarity index 100%
rename from terraform/common/install-yq.sh
rename to terraform/legacy-module/common/install-yq.sh
diff --git a/terraform/constellation-cluster/.terraform.lock.hcl b/terraform/legacy-module/constellation-cluster/.terraform.lock.hcl
similarity index 100%
rename from terraform/constellation-cluster/.terraform.lock.hcl
rename to terraform/legacy-module/constellation-cluster/.terraform.lock.hcl
diff --git a/terraform/constellation-cluster/install-constellation.sh b/terraform/legacy-module/constellation-cluster/install-constellation.sh
similarity index 100%
rename from terraform/constellation-cluster/install-constellation.sh
rename to terraform/legacy-module/constellation-cluster/install-constellation.sh
diff --git a/terraform/constellation-cluster/main.tf b/terraform/legacy-module/constellation-cluster/main.tf
similarity index 100%
rename from terraform/constellation-cluster/main.tf
rename to terraform/legacy-module/constellation-cluster/main.tf
diff --git a/terraform/constellation-cluster/variables.tf b/terraform/legacy-module/constellation-cluster/variables.tf
similarity index 100%
rename from terraform/constellation-cluster/variables.tf
rename to terraform/legacy-module/constellation-cluster/variables.tf
diff --git a/terraform/gcp-constellation/main.tf b/terraform/legacy-module/gcp-constellation/main.tf
similarity index 94%
rename from terraform/gcp-constellation/main.tf
rename to terraform/legacy-module/gcp-constellation/main.tf
index cd4887ea1f..c359bdbb36 100644
--- a/terraform/gcp-constellation/main.tf
+++ b/terraform/legacy-module/gcp-constellation/main.tf
@@ -3,7 +3,7 @@ locals {
 }
 
 module "gcp_iam" {
-  source             = "../infrastructure/iam/gcp"
+  source             = "../../infrastructure/iam/gcp"
   project_id         = var.project
   service_account_id = var.service_account_id
   region             = local.region
@@ -32,7 +32,7 @@ module "fetch_image" {
 
 
 module "gcp" {
-  source          = "../infrastructure/gcp"
+  source          = "../../infrastructure/gcp"
   project         = var.project
   image_id        = module.fetch_image.image
   name            = var.name
diff --git a/terraform/gcp-constellation/variables.tf b/terraform/legacy-module/gcp-constellation/variables.tf
similarity index 100%
rename from terraform/gcp-constellation/variables.tf
rename to terraform/legacy-module/gcp-constellation/variables.tf