Terraform + proxmox + sops: init

.gitignore

@@ -0,0 +1,13 @@
+# managed by sops
+terraform.tvars
+
+# https://developer.hashicorp.com/terraform/language/style#gitignore
+.terraform
+terraform.tfstate
+terraform.tfstate.*
+.terraform.tfstate.lock.info
+.terraform/
+!.terraform.lock.hcl
+
+# debug
+terraform-plugin-proxmox.log

.sops.yaml

@@ -0,0 +1,2 @@
+creation_rules:
+  - pgp: D4EACAC991E3DF53D9E39FE0CB9CF7B8A8A86318

.terraform.lock.hcl

@@ -0,0 +1,39 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/carlpett/sops" {
+  version     = "0.7.2"
+  constraints = "~> 0.5"
+  hashes = [
+    "h1:+A1/RJ3eNVQHDFHjol70EfC5Yh9e78WMXxh1uoxlAYQ=",
+    "zh:43f218054ea3a72c9756bf989aeebb9d0f23b66fd08e9fb4ae75d4f921295e82",
+    "zh:57fd326388042a6b7ecd60f740f81e5ef931546c4f068f054e7df34acf65d190",
+    "zh:87b970db8c137f4c2fcbff7a5705419a0aea9268ae0ac94f1ec5b978e42ab0d2",
+    "zh:9e3b67b89ac919f01731eb0466baa08ce0721e6cf962fe6752e7cc526ac0cba0",
+    "zh:c028f67ef330be0d15ce4d7ac7649a2e07a98ed3003fca52e0c72338b5f481f8",
+    "zh:c29362e36a44480d0d9cb7d90d1efba63fe7e0e94706b2a07884bc067c46cbc7",
+    "zh:d5bcfa836244718a1d564aa96eb7d733b4d361b6ecb961f7c5bcd0cadb1dfd05",
+  ]
+}
+
+provider "registry.opentofu.org/telmate/proxmox" {
+  version     = "3.0.1-rc2"
+  constraints = "3.0.1-rc2"
+  hashes = [
+    "h1:y8H14NlOdJnm3saCxuepUukL1gOPlZCg/tTp6GvwPS8=",
+    "zh:0158ecead8265f79ca069fcb7e9c07283545f90a09abe8a28a5944c2c9b8dc89",
+    "zh:04731d141b77b0072bf650ee91670594f3ec93cf01c2612a5a3eecbda01e745e",
+    "zh:06460b2b32b06684f3ce8416d328868cdc26f88c1e0379522fdf797ba7072ccf",
+    "zh:15e9ece8a8106e32fa842f84494952298a24883b6dc164acdc375594ed4c3840",
+    "zh:2ff19ed9d1b36d4890b3c036fa027f831889535e9e9c6bf7aa185423e620d93c",
+    "zh:45efb6d48df0cab681677fa58557b964cbaec6b5a5acc5ff19f446760670c4ea",
+    "zh:554351399ef605a708653d7d716ecc36d39e85088c37435b7f391a841e1bee93",
+    "zh:5b78fe1f4e796cb56cbc6fc7e43e95d2ad0f46f86cb2a4795c617c73681f5374",
+    "zh:61a379c5380f69d474b8a22fedd68f34e7df57ab24fdfcd0336a3a88e9d1706a",
+    "zh:73cf31280728ee48b645c537de89881788c6e6aa6a9a2a9a09ec4510f594db2e",
+    "zh:85e2f22617fa1450deeaefffe6d455f26054ab8a9a6a1eb1a5c50b51703304ec",
+    "zh:a0cc2bd9581fcddc1f64692c9c431c652e4e0edc035a357aa1279788a8d580d0",
+    "zh:b99a25084d77075dce5b32604953e4266fc8cdda9ec00cbb06f886331743b492",
+    "zh:bcaace9bec999f869ecc308075c98139a5762b4a4f45541c7b59aa3df4f7484d",
+  ]
+}

README.md

@@ -0,0 +1,7 @@
+# Terraform/OpenTofu Proxmox vm manager
+
+Sample SOPS integration  https://github.com/carlpett/terraform-provider-sops to manage secrets.
+
+Working VM cloning sample taken from: https://github.com/Telmate/terraform-provider-proxmox/issues/935
+
+https://developer.hashicorp.com/terraform/language/style#gitignore

main.tf

@@ -0,0 +1,78 @@
+terraform {
+  required_providers {
+    proxmox = {
+      source  = "Telmate/proxmox"
+      version = "3.0.1-rc2"
+    }
+
+    sops = {
+      source = "carlpett/sops"
+      version = "~> 0.5"
+    }
+  }
+}
+
+data "sops_file" "tf-secret" {
+  source_file = "tf-secret.enc.json"
+}
+
+provider "proxmox" {
+  pm_api_url      = "https://192.168.50.182:8006/api2/json"
+  pm_user         = "root@pam"
+  pm_password     = data.sops_file.tf-secret.data["proxmox_password"]
+  pm_tls_insecure = true
+  pm_log_enable = true
+  pm_log_file   = "terraform-plugin-proxmox.log"
+  pm_debug      = true
+  pm_log_levels = {
+        _default    = "debug"
+        _capturelog = ""
+    }
+  }
+
+
+#  https://registry.terraform.io/providers/Telmate/proxmox/latest/docs/resources/vm_qemu#attribute-reference
+resource "proxmox_vm_qemu" "test_server" {
+  count = 1 
+  name = "test-vm-${count.index + 1}"
+  target_node = "pve"
+  clone = "debian-cloud"
+  agent = 1
+  os_type = "cloud-init"
+  cores = 2
+  sockets = 1
+  cpu = "host"
+  memory = 1024
+  scsihw = "virtio-scsi-pci"
+  bootdisk = "scsi0"
+
+  disks {
+    scsi {
+      scsi0 {
+        disk {
+          size = 10
+          storage = "local-lvm"
+        }
+      }
+    }
+    ide {
+        ide3 {
+            cloudinit {
+                storage = "local-lvm"
+            }
+        }
+    }
+  }
+
+  network {
+    model = "virtio"
+    bridge = "vmbr0"
+  }
+
+  ipconfig0 = "ip=192.168.50.222/24,gw=192.168.50.1"
+
+  ssh_user = "root"
+  sshkeys = <<EOF
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCfsg9RFSSGn31DNMy6Ap7QiD3cmkmY5RdgqOs8VtPPW1/jo5n49LzNHE1xNBf4nm+MdAQabnQzPIsjijsVGE/0q1RmRQZE9E7KrecnTWuFXuKXcCW12OxerxTmx7UF2yQwOG9Ws2b0D7zFQau6S0bwaVeAgM4EqKBIdOgCvR/cLoMuBpZphLAEgNgFXSmDtoU/uf5FebUsXY051rL8yN/hghy+3nE6RMr79yEFYtrtRWhiE5OdXzVurtPdecs2HulhvNIXGQLsYAX8/vrDMMidjGZBzrHcjCWxYVMM6RFc6u5DWIpQXT7atDJdIjoQvdFLUtbalNGrjCU0d/pz6yANyKR7yWRzZCOjA2Osqr3zEH1R84dNRSN2BXftGRYPtX6rgdj37FF7Lq83WQgUyuRZRUqROtPHLz7VxfbWv5St6Mi2stSJ4FSlPGAFDdCdHxCWphuCCEXzoo/HKFt6G0qngZ+BicmJHBwWB0McLuS9F5JQs06hL8YGyV4z6RG4lLM= rekin@mac13.local
+  EOF
+}

tf-secret.enc.json

@@ -0,0 +1,25 @@
+{
+	"proxmox_password": "ENC[AES256_GCM,data:nJh4OA782Rl9QGZuWw+AuoeSC9XlDA==,iv:og2UtENmuPFQy2YqcLWYWQpIQPQM4RU0jKEvfLsrVGs=,tag:C0SDWmy05M1HFv/aBhYtIw==,type:str]",
+	"password": "ENC[AES256_GCM,data:hii1,iv:0343llG5iReX09ZKJ66DD83T5O8JjvqHlIJ86KmD4kc=,tag:dn9U7cszGrXPxS5xBX99RA==,type:str]",
+	"db": {
+		"password": "ENC[AES256_GCM,data:kIuf,iv:WmfIzsMrs5b6jjUOJM6xbqEmh0uyrLYd55CIOQPvtV0=,tag:7WtA3+aOYFvSjiSfLnLT/w==,type:str]"
+	},
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": null,
+		"lastmodified": "2024-06-01T22:42:11Z",
+		"mac": "ENC[AES256_GCM,data:BBS5KtNAnzlqToHimjfjU6J2Z0XKKuLi/7To0DVKqFSn9cXK2AB6Fl6Kpb/mdaIzl/S1iHb8Auz73RhRhdG+WmgzfiXR0SX8tcjE80tE3yZ7kgdIF6wCgIwaibC60grqvuHCdJ6l8fFKftqzfotA+clDt4fWr/fYvJiuG3Y1Snc=,iv:I/w1EmYpfX0E5xEIiaVGrZsLX3Tpf+x/NdZJiJUmfwY=,tag:/042ByDamZMRXF2Q/c9a2w==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-06-01T22:06:19Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMAyzbm9WLP+K6AQv/f+yWwcyzlRVpwiA5mzehC582YdXqUkGJ7lTo/L7iYvs+\nKLSi+DOqpN6ytG2sg+7Yoc1HiFLcjYOi/ZWjDSnawbLyVdfr8k84YfD5t7P+bpG2\nMUOZZ94nQMRTAOmWho5tWo5SccXMewi1GQ5h4zzqwXqAf1wPXjzABllXDHuFCndO\nOp/DqpkoR/zleMV7h6qO4g5y9B4mridyy3CLQ2ANKxHrEatYhUgglUnjlrKuZo6V\nWAhIug0opSuY30fzSaJwnP5DOIGBx4BXsp6OfTQBa9rzjDErhuXqpyBhqZKUb+z5\nxeZxTQcrs5xrlCmqhg5eeb2C3MpmVxQNa3C/qlBvK+8fzSSM9to8yFNjlOReI08C\nuuDiLdqHkOglnm3lbH5zznYezNFQDpgAukhC+bX4YE202/6+1CCDvb/1b8OSi+0k\nmISaDcoDyJvGgpcfu9fSmfQDqF9iuPyqGhv+9mw6O997FeYgFFmkKfLOV3j/dzR6\nYAihSv75/JDE33bm1kR01GYBCQIQPAXgIJ3ZO5CLKJUqRZOIq0HYHJe8nGPe20P/\nhAD7mtbac92BKR/Eth0CTQxbTTAWH8uHZvzvSOkXoa9DHhwRt/9YWZlwRHEy/Fx0\nX5I/xPtN92yuPuoTaYUu2XSvazWFhEQ=\n=xCKS\n-----END PGP MESSAGE-----",
+				"fp": "D4EACAC991E3DF53D9E39FE0CB9CF7B8A8A86318"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}