Post

Automating deployments using Terraform with Proxmox and ansible

1683363809
1691482830
6

Over the years my home lab has grown and become more and more difficult to maintain, especially because some servers I build and forget as they function so well.

I have found recently though that moving to newer versions of operating systems can be difficult for the servers that I cant easily containerise at the moment.

For this reason I have moved over to using Terraform with Proxmox and ansible.

Telemate developed a Terraform provider that maps Terraform functionality to the Proxmox API, so start by defining the use of that provider in provider.tf

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
terraform {
  required_version = ">=0.13.0"

  required_providers {
    proxmox = {
      source  = "telmate/proxmox"
      version = "2.9.14"
    }
  }
}

provider "proxmox" {
  # Configuration options
  pm_api_url = var.proxmox_api_url
  pm_api_token_id = var.proxmox_api_token_id
  pm_api_token_secret = var.proxmox_api_token_secret

  # Optional: skip TLS Verification
  pm_tls_insecure = true
  pm_parallel     = 2
  pm_timeout      = 1200
}

Here we see two sections, the first of which contains the configuration for Terraform, it specifies the version of Terraform that is required along with all of the required providers and their required versions.

The second section contains the provider itself, and the configuration, a full list of arguments can be found here

A provider is a plugin that allows Terraform to manage external APIs (such as proxmox)

Now this is no good without some servers or “resources”, I create a file per resource for my lab, this keeps it simple for me, however you may want to do this differently depending on your requirements. Create a file with the resource name bastion.tf There is a lot more going on in this file, so I have added comments to it.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
# Specify the resource type, and then the name
resource "proxmox_vm_qemu" "bastion" {

  name = "td-bast01" # Name to call the VM
  desc = "Bastion" # Description for the VM
  target_node = var.proxmox_host # Proxmox target node

  clone = var.template_name  # The name of the template that this resource will be created from

  agent = 1 # is the qemu agent installed?

  os_type = "cloud-init" # The OS type of the image clone
  cores = 2 # number of CPU cores
  sockets = 1 # number of CPU sockets
  cpu = "host" # The CPU type
  memory = 4096 # Amount of memory to allocate
  onboot = true # start the VM on host startup
  scsihw = "virtio-scsi-pci" # Scsi hardware type
  bootdisk = "scsi0" # The boot disk scsi

  # This section contains the disk configuration, it can be duplicated for additional disks
  disk {
    size = "30G"
    type = "scsi"
    storage = "local-thin"
    iothread = 0
  }

  # if you want two NICs, just copy this whole network section and duplicate it
  network {
    model = "virtio"
    bridge = "vmbr0"
    tag = 20
  }

  ipconfig0 = "ip=172.16.20.43/24,gw=172.16.20.1"
  nameserver = "172.16.20.1"

  serial {
    id = 0
    type = "socket"
  }
  # sshkeys set using variables. the variable contains the text of the key.
  sshkeys = <<EOF
  ${var.ssh_key}
  EOF

  # Terraform has provisioners that allow the execution of commands / scripts on a local or remote machine.
  # Here I execute a command to update the VM.
  provisioner "remote-exec" {
    inline = ["sudo apt update", "sudo apt upgrade -y", "echo Done!"]

    connection {
      host        = "172.16.20.43"
      type        = "ssh"
      user        = "ubuntu"
      private_key = file(var.private_key_path)
    }
  }
}

resource "null_resource" "bastion-ansible" {
  provisioner "local-exec" {
    command = "ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u ${var.ansible_user}  -l bastion -i ../home-deploy/inventory --private-key ${var.private_key_path} -e 'pub_key=${var.public_key_path}' --ssh-extra-args '-o UserKnownHostsFile=/dev/null' ../home-deploy/main.yml"
  }
  depends_on = [ proxmox_vm_qemu.bastion ]
}

I now use a null_resource for executing ansible the reason for this is that it will run every time even if the resource has not changed.

Through all of the files creates you will have noticed variables have been used against various configuration parameters, before they will work they need to be defined in a file, we will call this vars.tf

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
# provider vars
variable "proxmox_api_url"{
  type = string
}

variable "proxmox_api_token_id" {
  type = string
}

variable "proxmox_api_token_secret" {
  type = string
}

# resource vars
variable "proxmox_host" {
  type = string
  default = "td-vh01"
}
variable "template_name" {
  type = string
  default = "jammy-template"
}
variable "ansible_user"{
  default = "ubuntu"
  type = string
}

variable "private_key_path"{
  type = string
}

variable "public_key_path"{
  type = string
}

variable "ssh_key" {
  type = string
  default = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINm8L9RZ4lDsRDm6Zx7jqOrQx9mO7FphqcrV5teyGVJN"
}

Now that we have defined the variables create a credential file to store all our variable information:

1
2
3
4
5
6
proxmox_api_url = "https://127.0.0.1:8006/api2/json"
proxmox_api_token_id = ""
proxmox_api_token_secret = ""
private_key_path = "~/.ssh/id_ed25519"
public_key_path = "~/.ssh/id_ed25519.pub"
ansible_user = ""

Don’t commit this file to Git as it contains sensitive information

Any variables in vars.tf that have a default value don’t need to be defined in the credential file if the default value is sufficient.

The Cloud-Init template

The configuration that is used utilises a cloud-init template, check out my previous post (Proxmox template with cloud image and cloud init) where I cover how to set this up for use in Proxmox with Terraform.

Usage

Now all of the files we require are created, lets get it running:

  1. Install Terraform and Ansible

    1
    
     apt install -y terraform ansible
    
  2. Enter the directory where your Terraform files reside
  3. Run terraform init, this will initialize your Terraform configuration and pull all the required providers.
  4. Ensure that you have the credential.auto.tfvars file created and with your variables populated
  5. Run terraform plan -out plan and if everything seems good terraform apply.

Use terraform apply --auto-approve to automatically apply without a prompt

To destroy the infrastructure, run terraform destroy

Final Thoughts

There is so much more potential using Terraform and Ansible. I have just scratched the surface, but you could automate everything up to firewall configuration as well, this is something I still need to look into, but it would be great to deploy and configure the firewall based on each individual device.

If you have any cool ideas for using Terraform and Ansible please let me know in the comments below!

Until next time…

This post is licensed under CC BY 4.0 by the author.