https://habibiops.com/categories/openstack/Recent content in Openstack on HabibiOpsHugo -- gohugo.ioen-usSun, 08 Mar 2026 00:00:00 +0000https://habibiops.com/p/provisioning-openstack-project-with-terraform/Sun, 08 Mar 2026 00:00:00 +0000https://habibiops.com/p/provisioning-openstack-project-with-terraform/<img src="https://habibiops.com/p/provisioning-openstack-project-with-terraform/assets/cover.png" alt="Featured image of post Provisioning OpenStack Project with Terraform" /><h2 id="introduction">Introduction </h2><p><a class="link" href="https://www.openstack.org/" target="_blank" rel="noopener" >OpenStack</a> is a mature, open-source platform for building private and public clouds. In this post, we’ll take our first deep dive into provisioning OpenStack resources using <strong>Terraform</strong>.OpenStack automation resources are surprisingly scarce, especially in the context of modern DevOps workflows. This guide aims to fill that gap by walking through a practical hands-on example. We’ll cover several OpenStack components and their interactions. Specifically, you’ll learn how to:</p> <ul> <li>Configure and authenticate Terraform with the OpenStack provider.</li> <li>Create a compute instance and manage associated resources.</li> <li>Understand the relationship between OpenStack services and Terraform.</li> </ul> <h2 id="what-we-will-build">What We Will Build </h2><p>By the end of this guide, Terraform will provision:</p> <ul> <li>a compute instance</li> <li>a security group allowing SSH access</li> <li>an SSH keypair reference</li> <li>a block storage volume attached to the instance</li> </ul> <p>The infrastructure will be organized using three Terraform modules:</p> <ul> <li>security</li> <li>compute</li> <li>storage</li> </ul> <h2 id="setup">Setup </h2><p>You can follow along on your local machine or any virtual machine. The only prerequisites are:</p> <ol> <li>An existing OpenStack deployment.</li> <li><a class="link" href="https://developer.hashicorp.com/terraform/install" target="_blank" rel="noopener" >Terraform</a> installed on your system.</li> </ol> <p>Once installed, you’re ready to start building your infrastructure as code.</p> <h2 id="configuring-terraform-for-openstack">Configuring Terraform for OpenStack </h2><p>The first step in our project is creating a <code>provider.tf</code> file, which sets up the OpenStack provider and handles authentication with your private cloud. At a high level, there are two key components:</p> <ol> <li><strong>Terraform block</strong> – defines required providers and versions.</li> <li><strong>OpenStack provider block</strong> – handles authentication.</li> </ol> <h3 id="terraform-block">Terraform Block </h3><p>Add the following to your <code>provider.tf</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-terraform" data-lang="terraform"><span class="line"><span class="cl"><span class="nx">terraform</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nx">required_providers</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nx">openstack</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nx">source</span> <span class="o">=</span> <span class="s2">&#34;terraform-provider-openstack/openstack&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nx">version</span> <span class="o">=</span> <span class="s2">&#34;&gt;= 3.4.0&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>This ensures Terraform installs the OpenStack provider when you run terraform init. At the time of writing, version <code>3.4.0</code> is the latest stable release.</p> <p>Initialize your project with:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">terraform init </span></span></code></pre></td></tr></table> </div> </div><p>You should see output similar to:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">Initializing the backend </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">Terraform has been successfully initialized! </span></span></code></pre></td></tr></table> </div> </div><h3 id="authentication">Authentication </h3><p>Next, add the OpenStack provider block in <code>provider.tf</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">provider <span class="s2">&#34;openstack&#34;</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="nv">tenant_name</span> <span class="o">=</span> <span class="s2">&#34;&lt;project-name&gt;&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nv">auth_url</span> <span class="o">=</span> <span class="s2">&#34;&lt;auth-url&gt;&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nv">region</span> <span class="o">=</span> <span class="s2">&#34;&lt;region&gt;&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nv">application_credential_id</span> <span class="o">=</span> <span class="s2">&#34;&lt;cred-id&gt;&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nv">application_credential_secret</span> <span class="o">=</span> <span class="s2">&#34;&lt;cred-secret&gt;&#34;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></td></tr></table> </div> </div><blockquote> <p>We are using Application Credentials instead of a username and password. These credentials are project-scoped and linked to a user, which is why a username isn’t required.</p> </blockquote> <p>The following diagram illustrates the authentication flow in OpenStack using application credentials:</p> <p><img src="https://habibiops.com/p/provisioning-openstack-project-with-terraform/assets/auth-flow.png" width="3519" height="564" srcset="https://habibiops.com/p/provisioning-openstack-project-with-terraform/assets/auth-flow_hu_c4b83e807f348780.png 480w, https://habibiops.com/p/provisioning-openstack-project-with-terraform/assets/auth-flow_hu_ecc73888639be714.png 1024w" loading="lazy" alt="Auth Flow" class="gallery-image" data-flex-grow="623" data-flex-basis="1497px" ></p> <h2 id="openstack-components-for-a-vm">OpenStack Components for a VM </h2><p>Creating a single functioning VM in OpenStack requires several components to be in place. At a high level, three major resources are needed:</p> <ul> <li><strong>Security:</strong> <ul> <li><strong>SSH:</strong> Assigns the SSH key to connect to the VM</li> <li><strong>Security Group/s:</strong> firewall rules to control traffic (SSH, ICMP etc.).</li> </ul> </li> <li><strong>Block Storage:</strong> Additional persistent storage attached to the VM (optional).</li> <li><strong>Compute Instance:</strong> <ul> <li><strong>OS Image:</strong> The operating system template for the VM.</li> <li><strong>Flavor:</strong> Defines CPU, RAM, and disk configuration of the VM.</li> <li><strong>Network:</strong> One or more network interfaces to attach to the VM</li> </ul> </li> </ul> <blockquote> <p>Regarding the network, a default one already exists in the project. So there&rsquo;s no need to provision/create it in Terraform for this example.</p> </blockquote> <h2 id="project-structure">Project Structure </h2><p>Each main component will be implemented as a separate module. We will be covering each of these components as we go.</p> <h3 id="security">Security </h3><p>The <code>security</code> module has no dependencies on other modules, so we create it first. In OpenStack, the Security Groups consist of two resources:</p> <ul> <li>The Security Group itself.</li> <li>One or more Security Rules.</li> </ul> <p>In Terraform, they would be translated to the following resources:</p> <ul> <li><code>openstack_networking_secgroup_v2</code></li> <li><code>openstack_networking_secgroup_rule_v2</code></li> </ul> <h4 id="defining-the-security-group">Defining the Security Group </h4><p>Security Group is probably the simplest resource to create in Terraform, as it only takes two parameters:</p> <ul> <li><code>name</code></li> <li><code>description</code></li> </ul> <p>The code snippet below creates an <code>external_access</code> Security Group, which will later hold the rules to allow external SSH connections:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-terraform" data-lang="terraform"><span class="line"><span class="cl"><span class="kr">resource</span> <span class="s2">&#34;openstack_networking_secgroup_v2&#34;</span> <span class="s2">&#34;tf_external_access&#34;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nx">name</span> <span class="o">=</span> <span class="nb">var</span><span class="p">.</span><span class="nx">secgroup_tf_external_access_name</span> </span></span><span class="line"><span class="cl"> <span class="nx">description</span> <span class="o">=</span> <span class="nb">var</span><span class="p">.</span><span class="nx">secgroup_tf_external_access_description</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><blockquote> <p>All the variables referenced here are defined in the <code>variables.tf</code> file.</p> </blockquote> <h4 id="defining-the-security-rules">Defining the Security Rules </h4><p>Now that we have our Security Group defined, we can proceed to create the rules. Every Security Rule is its own separate resource. We only need one rule in our example, so one resource is enough:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-terraform" data-lang="terraform"><span class="line"><span class="cl"><span class="kr">resource</span> <span class="s2">&#34;openstack_networking_secgroup_rule_v2&#34;</span> <span class="s2">&#34;ipv4_ingress_rule&#34;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nx">direction</span> <span class="o">=</span> <span class="s2">&#34;ingress&#34;</span><span class="c1"> # allow incoming traffic </span></span></span><span class="line"><span class="cl"> <span class="nx">ethertype</span> <span class="o">=</span> <span class="s2">&#34;IPv4&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nx">protocol</span> <span class="o">=</span> <span class="s2">&#34;tcp&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nx">port_range_min</span> <span class="o">=</span> <span class="m">22</span> </span></span><span class="line"><span class="cl"> <span class="nx">port_range_max</span> <span class="o">=</span> <span class="m">22</span> </span></span><span class="line"><span class="cl"> <span class="nx">remote_ip_prefix</span> <span class="o">=</span> <span class="s2">&#34;0.0.0.0/0&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nx">security_group_id</span> <span class="o">=</span> <span class="nx">openstack_networking_secgroup_v2</span><span class="p">.</span><span class="nx">tf_external_access</span><span class="p">.</span><span class="nx">id</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>Notice the <code>security_group_id</code> parameter that links our rule to the previously created Security Group. This creates an implicit dependency for Terraform and allows it to know how which resources are dependent on each other.</p> <h4 id="ssh">SSH </h4><p>The SSH keypair is defined in the <code>security/keypair.tf</code> file as a resource:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-terraform" data-lang="terraform"><span class="line"><span class="cl"><span class="kr">resource</span> <span class="s2">&#34;openstack_compute_keypair_v2&#34;</span> <span class="s2">&#34;tf_demo_keypair&#34;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nx">name</span> <span class="o">=</span> <span class="nb">var</span><span class="p">.</span><span class="nx">ssh_keypair_name</span> </span></span><span class="line"><span class="cl"> <span class="nx">public_key</span> <span class="o">=</span> <span class="nb">file</span><span class="p">(</span><span class="nb">var</span><span class="p">.</span><span class="nx">ssh_pubkey_filename</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>The user has to provide the public key file name, and a new key pair will be created inside the project.</p> <h3 id="compute">Compute </h3><p>The <code>openstack_compute_instance_v2</code> resource is responsible for creating one or more OpenStack compute instances. As a reminder, we need to define the following:</p> <ul> <li>Flavor</li> <li>OS image</li> <li>SSH keypair</li> <li>Security Group</li> <li>Network</li> </ul> <p>This can be done using the code snippet below:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-terraform" data-lang="terraform"><span class="line"><span class="cl"><span class="kr">resource</span> <span class="s2">&#34;openstack_compute_instance_v2&#34;</span> <span class="s2">&#34;tf-hello-compute&#34;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nx">name</span> <span class="o">=</span> <span class="nb">var</span><span class="p">.</span><span class="nx">compute_instance_name</span> </span></span><span class="line"><span class="cl"> <span class="nx">image_name</span> <span class="o">=</span> <span class="nb">var</span><span class="p">.</span><span class="nx">compute_image_name</span> </span></span><span class="line"><span class="cl"> <span class="nx">flavor_name</span> <span class="o">=</span> <span class="nb">var</span><span class="p">.</span><span class="nx">compute_flavor_name</span> </span></span><span class="line"><span class="cl"> <span class="nx">key_pair</span> <span class="o">=</span> <span class="nb">var</span><span class="p">.</span><span class="nx">keypair</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nx">security_groups</span> <span class="o">=</span> <span class="nb">var</span><span class="p">.</span><span class="nx">security_groups</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nx">network</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nx">name</span> <span class="o">=</span> <span class="nb">var</span><span class="p">.</span><span class="nx">network_name</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><blockquote> <p><code>security_groups</code> is defined as a variable. At this stage it does not yet have a value as it will be provided by the security module. The modules are not aware of one another. This dependency will be resolved later when the modules are connected in the root configuration.</p> </blockquote> <p>The diagram below illustrates how the compute resources fit into the overall architecture:</p> <p><img src="https://habibiops.com/p/provisioning-openstack-project-with-terraform/assets/compute.png" width="2239" height="887" srcset="https://habibiops.com/p/provisioning-openstack-project-with-terraform/assets/compute_hu_50bfa230408a11c3.png 480w, https://habibiops.com/p/provisioning-openstack-project-with-terraform/assets/compute_hu_e67e4934c9b1edae.png 1024w" loading="lazy" alt="Compute" class="gallery-image" data-flex-grow="252" data-flex-basis="605px" ></p> <p>Now onto our <code>storage</code> module.</p> <h3 id="storage">Storage </h3><p>The volume is created using <code>openstack_blockstorage_volume_v3</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-terraform" data-lang="terraform"><span class="line"><span class="cl"><span class="kr">resource</span> <span class="s2">&#34;openstack_blockstorage_volume_v3&#34;</span> <span class="s2">&#34;volume-1&#34;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nx">size</span> <span class="o">=</span> <span class="nb">var</span><span class="p">.</span><span class="nx">volume_size</span> </span></span><span class="line"><span class="cl"> <span class="nx">volume_type</span> <span class="o">=</span> <span class="nb">var</span><span class="p">.</span><span class="nx">volume_type</span> </span></span><span class="line"><span class="cl"> <span class="nx">name</span> <span class="o">=</span> <span class="nb">var</span><span class="p">.</span><span class="nx">volume_name</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>We only need the above three variables. But there&rsquo;s still something missing, it is not attached to anything. Right now, the volume just exists in a detached state.</p> <p>A block storage volume in OpenStack is independent of compute instances. The attachment is handled by the <code>openstack_compute_volume_attach_v2</code> resource, which <strong>links</strong> a volume to a compute instance. This can be done as:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-terraform" data-lang="terraform"><span class="line"><span class="cl"><span class="kr">resource</span> <span class="s2">&#34;openstack_compute_volume_attach_v2&#34;</span> <span class="s2">&#34;va_1&#34;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nx">instance_id</span> <span class="o">=</span> <span class="nb">var</span><span class="p">.</span><span class="nx">instance_id</span> </span></span><span class="line"><span class="cl"> <span class="nx">volume_id</span> <span class="o">=</span> <span class="nx">openstack_blockstorage_volume_v3</span><span class="p">.</span><span class="nx">volume</span><span class="m">-1</span><span class="p">.</span><span class="nx">id</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>The diagram below helps to visualize the <code>storage</code> module:</p> <p><img src="https://habibiops.com/p/provisioning-openstack-project-with-terraform/assets/storage-attachment.png" width="2529" height="909" srcset="https://habibiops.com/p/provisioning-openstack-project-with-terraform/assets/storage-attachment_hu_ddd30fb6f7ab6c08.png 480w, https://habibiops.com/p/provisioning-openstack-project-with-terraform/assets/storage-attachment_hu_88ccc6c9a3823215.png 1024w" loading="lazy" alt="Storage Attachemnt" class="gallery-image" data-flex-grow="278" data-flex-basis="667px" ></p> <p>The attachment acts as the <strong>bridge</strong> between our compute instance and the block storage.</p> <h2 id="module-outputs">Module Outputs </h2><p>Each module exposes outputs that can be consumed by other modules. This allows Terraform to automatically build the dependency graph. For example:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-terraform" data-lang="terraform"><span class="line"><span class="cl"><span class="kr">output</span> <span class="s2">&#34;compute_instance&#34;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nx">value</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nx">id</span> <span class="o">=</span> <span class="nx">openstack_compute_instance_v2</span><span class="p">.</span><span class="nx">tf</span><span class="o">-</span><span class="nx">hello</span><span class="o">-</span><span class="nx">compute</span><span class="p">.</span><span class="nx">id</span> </span></span><span class="line"><span class="cl"> <span class="nx">name</span> <span class="o">=</span> <span class="nx">openstack_compute_instance_v2</span><span class="p">.</span><span class="nx">tf</span><span class="o">-</span><span class="nx">hello</span><span class="o">-</span><span class="nx">compute</span><span class="p">.</span><span class="nx">name</span> </span></span><span class="line"><span class="cl"> <span class="nx">image_name</span> <span class="o">=</span> <span class="nx">openstack_compute_instance_v2</span><span class="p">.</span><span class="nx">tf</span><span class="o">-</span><span class="nx">hello</span><span class="o">-</span><span class="nx">compute</span><span class="p">.</span><span class="nx">image_name</span> </span></span><span class="line"><span class="cl"> <span class="nx">flavor_name</span> <span class="o">=</span> <span class="nx">openstack_compute_instance_v2</span><span class="p">.</span><span class="nx">tf</span><span class="o">-</span><span class="nx">hello</span><span class="o">-</span><span class="nx">compute</span><span class="p">.</span><span class="nx">flavor_name</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>These outputs are later referenced in <code>main.tf</code> when connecting modules.</p> <blockquote> <p>All outputs are purposely defined to be in a JSON format. This makes it easier to consume them programmatically if we ever need to.</p> </blockquote> <h2 id="linking-the-modules">Linking the Modules </h2><p>Right now, the modules exist independently and are unaware of one another. To piece everything together, we create <code>main.tf</code> file at the root of the project. The <code>main.tf</code> file will act as an entrypoint and ties all modules together:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-terraform" data-lang="terraform"><span class="line"><span class="cl"><span class="kr">module</span> <span class="s2">&#34;security&#34;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nx">source</span> <span class="o">=</span> <span class="s2">&#34;./security&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nx">ssh_keypair_name</span> <span class="o">=</span> <span class="s2">&#34;tf-demo-keypair&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nx">ssh_pubkey_filename</span> <span class="o">=</span> <span class="s2">&#34;ssh_key.pub&#34;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kr">module</span> <span class="s2">&#34;storage&#34;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nx">source</span> <span class="o">=</span> <span class="s2">&#34;./storage&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nx">instance_id</span> <span class="o">=</span> <span class="nb">module</span><span class="p">.</span><span class="nx">compute</span><span class="p">.</span><span class="nx">compute_instance</span><span class="p">.</span><span class="nx">id</span> </span></span><span class="line"><span class="cl"> <span class="nx">volume_name</span> <span class="o">=</span> <span class="s2">&#34;tf-volume&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nx">volume_type</span> <span class="o">=</span> <span class="s2">&#34;ceph&#34;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kr">module</span> <span class="s2">&#34;compute&#34;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nx">source</span> <span class="o">=</span> <span class="s2">&#34;./compute&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nx">keypair</span> <span class="o">=</span> <span class="nb">module</span><span class="p">.</span><span class="nx">security</span><span class="p">.</span><span class="nx">keypair</span> </span></span><span class="line"><span class="cl"> <span class="nx">security_groups</span> <span class="o">=</span> <span class="p">[</span><span class="nb">module</span><span class="p">.</span><span class="nx">security</span><span class="p">.</span><span class="nx">tf_external_access</span><span class="p">.</span><span class="nx">name</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="nx">compute_flavor_name</span> <span class="o">=</span> <span class="s2">&#34;small&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nx">compute_image_name</span> <span class="o">=</span> <span class="s2">&#34;Ubuntu 22.04 LTS&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nx">network_name</span> <span class="o">=</span> <span class="s2">&#34;external_network&#34;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>The diagram below gives us a bird&rsquo;s eye view of the entire architecture that we have so far, showing the relation and interaction between each component:</p> <p><img src="https://habibiops.com/p/provisioning-openstack-project-with-terraform/assets/cover.png" width="6846" height="2091" srcset="https://habibiops.com/p/provisioning-openstack-project-with-terraform/assets/cover_hu_f6907b98b95e0689.png 480w, https://habibiops.com/p/provisioning-openstack-project-with-terraform/assets/cover_hu_9d9bf82d066d2019.png 1024w" loading="lazy" alt="High Level Diagram" class="gallery-image" data-flex-grow="327" data-flex-basis="785px" ></p> <h2 id="terraform-plan-and-apply">Terraform Plan and Apply </h2><p>Now that we finally have everything set, we&rsquo;re ready to continue with the provisioning and run our first <code>terraform plan</code> command. Terraform would output all the resources that would be created, modified and/or deleted.</p> <p>Since this is a new project, we expect to have <strong>only</strong> additions.</p> <blockquote> <p>The output is far too long to display here, so only the summary will be shown</p> </blockquote> <p>You should expect to have:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">Plan : <span class="m">8</span> to add, <span class="m">0</span> to change, <span class="m">0</span> to destroy. </span></span></code></pre></td></tr></table> </div> </div><p>Review the plan output, check each resource and see if you can relate which resource is to which module. Terraform even tells you this info, for example:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="c1"># module.storage.openstack_compute_volume_attach_v2.va_1 will be created</span> </span></span><span class="line"><span class="cl">+ resource <span class="s2">&#34;openstack_compute_volume_attach_v2&#34;</span> <span class="s2">&#34;va_1&#34;</span> <span class="o">{</span> </span></span><span class="line"><span class="cl">+ <span class="nv">device</span> <span class="o">=</span> <span class="o">(</span>known after apply<span class="o">)</span> </span></span><span class="line"><span class="cl">+ <span class="nv">id</span> <span class="o">=</span> <span class="o">(</span>known after apply<span class="o">)</span> </span></span><span class="line"><span class="cl">+ <span class="nv">instance_id</span> <span class="o">=</span> <span class="o">(</span>known after apply<span class="o">)</span> </span></span><span class="line"><span class="cl">+ <span class="nv">region</span> <span class="o">=</span> <span class="o">(</span>known after apply<span class="o">)</span> </span></span><span class="line"><span class="cl">+ <span class="nv">volume_id</span> <span class="o">=</span> <span class="o">(</span>known after apply<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="apply">Apply </h3><p>When all is set and done, we can go ahead and run:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">terraform apply </span></span></code></pre></td></tr></table> </div> </div><p>You can review the plan again, and if all&rsquo;s set, you can go ahead and type <code>yes</code>, and Terraform would start creating the resources one after the other. In the end, you should get an output similar to this one:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="nv">infrastructure</span> <span class="o">=</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;compute&#34;</span> <span class="o">=</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;compute_instance&#34;</span> <span class="o">=</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;flavor_name&#34;</span> <span class="o">=</span> <span class="s2">&#34;tiny&#34;</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;id&#34;</span> <span class="o">=</span> <span class="s2">&#34;&lt;redacted&gt;&#34;</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;image_name&#34;</span> <span class="o">=</span> <span class="s2">&#34;Ubuntu 22.04&#34;</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;name&#34;</span> <span class="o">=</span> <span class="s2">&#34;tf-hello-compute&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;security&#34;</span> <span class="o">=</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;keypair&#34;</span> <span class="o">=</span> <span class="s2">&#34;dk-aout&#34;</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;tf_external_access&#34;</span> <span class="o">=</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;id&#34;</span> <span class="o">=</span> <span class="s2">&#34;&lt;redacted&gt;&#34;</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;name&#34;</span> <span class="o">=</span> <span class="s2">&#34;tf_external_access&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;storage&#34;</span> <span class="o">=</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;blockstorage&#34;</span> <span class="o">=</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;device&#34;</span> <span class="o">=</span> <span class="s2">&#34;/dev/vdb&#34;</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;id&#34;</span> <span class="o">=</span> <span class="s2">&#34;&lt;redacted&gt;&#34;</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;instance_id&#34;</span> <span class="o">=</span> <span class="s2">&#34;&lt;redacted&gt;&#34;</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;name&#34;</span> <span class="o">=</span> <span class="s2">&#34;tf_ceph_volume&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="conclusion">Conclusion </h2><p>We&rsquo;ve covered a lot in this post, from the basics of integrating Terraform with the OpenStack provider, to provisioning an OpenStack project and creating independent modules with their own output. There are still plenty of improvements to be made though. For example:</p> <ul> <li>Credentials are currently stored in plaintext in the <code>provider.tf</code> file.</li> <li>Terraform is being executed directly from a local or remote machine instead of a containerized environment.</li> <li>There is no CI/CD pipeline in place.</li> <li>State management and secret handling are not yet addressed.</li> </ul> <p>We will be covering the topics step by step in future posts, working towards a fully automated, secure and robust Terraform workflow for managing infrastructure in a private OpenStack cloud.</p> <p>Note: This <a class="link" href="https://github.com/habibiops/provisioning-openstack-project-with-terraform" target="_blank" rel="noopener" >GitHub repo</a> contains the complete source code used in this post.</p>