RE: Terraform with cloud-init

@m4xm0rris Xen Orchestra's web application is doing this templating on the client side (reference). Since terraform already has a nice interface for templating (using its template_file data source), you can do the substitution yourself.

Here is an example below. Note: this code is not tested but was pulled from an internal project I have.

# template_file.tpl
#cloud-config

hostname: ${name}

# any other cloud-config you need
[...]

# vm.tf
data "template_file" "cloud_config" {
  template = file("${path.module}/template_file.tpl")
  vars = {
    name = "your_hostname_value"
  }
}

resource "xenorchestra_cloud_config" "cloud_config" {
  name = "cloud_config"
  # This performs the templating
  template = data.template_file.cloud_config.rendered
}

resource "xenorchestra_vm" "vm" {
  [ ... ]
  cloud_config = xenorchestra_cloud_config.cloud_config.template
  
}

Please share your terraform code if you would like more specific advice on how to recreate exactly what you are trying to do.

@ruskofd is right. You should be able to use the cloud_network_config attribute to achieve this.

The following code is untested but should launch a vm with a static IP. Please see the xenorchestra_vm resource docs and the cloud-init networking v1 docs for more details.

resource "xenorchestra_vm" "static_ip_vm" {
....
  cloud_network_config = <<EOF
network:
version: 1
config:
  - type: physical
    name: eth0
    subnets:
      - type: static
        address: STATIC_IP/24
        gateway: GATEWAY_IP
        dns_nameservers:
          - 8.8.8.8
EOF
}

Let me know if you have any questions or issues using cloud_network_config,

As for the blog post, the VM would have been assigned an ip address via dhcp (assuming the guest OS had cloud-init installed which was true for the VM template in the blog post).

@fred974

I just saw that terraform had a free cloud account for less that 5 users and I was thinking of registering, will it work?

Terraform cloud would work if your XO deployment was publicly accessible. I highly advise against this because if your XO deployment were compromised an attacker has access to your entire infrastructure.

If you were to do this I would make sure all of your user's have strong passwords and if Hashicorp has documented public IPs that you only open your firewall to Hashicorp's Ips. It seems from this forum post that this is only available if you on the business tier.

If I run Terraform in a VM on xcp-ng, I don't need to open any port and use Terraform localy.

Yes running it on the xcp-ng host would work, however, keeping best practices in mind I would run it on a less privileged host (laptop with vpn access, development VM). If you have others collaborating on this terraform deployment, giving access to the xcp-ng host just to use terraform seems like a heavy hammer.

Is there a simple script I can run to see if I can access the Xen Orchestra API?

nmap will be able to tell you this.

nmap -sT -P0 -p 443 xo-domain

I was able to confirm that using the cloudinit data source does work with Xen Orchestra.

Here is the following terraform code that I used (essential pieces like SR and network are excluded for the example):

data "cloudinit_config" "cloud_config" {
  gzip = false
  base64_encode = false

  part {
    content_type = "text/cloud-config"
    content = <<EOF
users:
  - name: ddelnano
    sudo: ALL=(ALL) NOPASSWD:ALL
    ssh_import_id:
      - gh:ddelnano

packages:
- make
- build-essential

runcmd:
- echo 'this is a test'
EOF
  }
}

resource "xenorchestra_vm" "vm" {
  memory_max = 2147467264
  cpus = 1
  name_label = "XO terraform tutorial"
  template = data.xenorchestra_template.vm_template.id
  cloud_config = data.cloudinit_config.cloud_config.rendered

  network {
    network_id = data.xenorchestra_network.network.id
  }

  disk {
    sr_id = data.xenorchestra_sr.sr.id
    name_label = "VM root volume"
    size = 4294967296
  }
}

This creates a VM and runs the cloudinit I specified, however, it doesn't allow you to do any templating. So you would still need to use the templatfile function built into Terraform.

I'm going to update the docs to use the templatefile function since that is the most streamlined approach.

@m4xm0rris it looks like there is a builtin function to do templating now (templatefile). Apologies, it's been a while since I've written any new templated terraform code.

I created terraform-provider-xenorchestra #181 to track updating the docs.

Cool, I didn't realize that there was a cloudinit terraform provider :). I'll be giving that a try and may use that in the examples if its better than using template_file directly.

@nickdsl can you please share a terraform code example and the necessary commands to reproduce the problem? I'm not sure I understand what happened without seeing a concrete example of the problem.

@m4xm0rris thanks for posting your solution. Would you mind reviewing my changes to the terraform registry documentation (here)?

Since I've been working with terraform long before Xen Orchestra, having your opinion on the documentation would be valuable

I was able to confirm that using the cloudinit data source does work with Xen Orchestra.

Here is the following terraform code that I used (essential pieces like SR and network are excluded for the example):

data "cloudinit_config" "cloud_config" {
  gzip = false
  base64_encode = false

  part {
    content_type = "text/cloud-config"
    content = <<EOF
users:
  - name: ddelnano
    sudo: ALL=(ALL) NOPASSWD:ALL
    ssh_import_id:
      - gh:ddelnano

packages:
- make
- build-essential

runcmd:
- echo 'this is a test'
EOF
  }
}

resource "xenorchestra_vm" "vm" {
  memory_max = 2147467264
  cpus = 1
  name_label = "XO terraform tutorial"
  template = data.xenorchestra_template.vm_template.id
  cloud_config = data.cloudinit_config.cloud_config.rendered

  network {
    network_id = data.xenorchestra_network.network.id
  }

  disk {
    sr_id = data.xenorchestra_sr.sr.id
    name_label = "VM root volume"
    size = 4294967296
  }
}

This creates a VM and runs the cloudinit I specified, however, it doesn't allow you to do any templating. So you would still need to use the templatfile function built into Terraform.

I'm going to update the docs to use the templatefile function since that is the most streamlined approach.

@m4xm0rris it looks like there is a builtin function to do templating now (templatefile). Apologies, it's been a while since I've written any new templated terraform code.

I created terraform-provider-xenorchestra #181 to track updating the docs.

Cool, I didn't realize that there was a cloudinit terraform provider :). I'll be giving that a try and may use that in the examples if its better than using template_file directly.

@m4xm0rris Xen Orchestra's web application is doing this templating on the client side (reference). Since terraform already has a nice interface for templating (using its template_file data source), you can do the substitution yourself.

Here is an example below. Note: this code is not tested but was pulled from an internal project I have.

# template_file.tpl
#cloud-config

hostname: ${name}

# any other cloud-config you need
[...]

# vm.tf
data "template_file" "cloud_config" {
  template = file("${path.module}/template_file.tpl")
  vars = {
    name = "your_hostname_value"
  }
}

resource "xenorchestra_cloud_config" "cloud_config" {
  name = "cloud_config"
  # This performs the templating
  template = data.template_file.cloud_config.rendered
}

resource "xenorchestra_vm" "vm" {
  [ ... ]
  cloud_config = xenorchestra_cloud_config.cloud_config.template
  
}

Please share your terraform code if you would like more specific advice on how to recreate exactly what you are trying to do.

@olivierlambert

1. it would be our responsibility to create the repo and users would likely install it with Helm (from my reading of the cloud-provider-vsphere docs
2. I think either is fine. My personal vote would be for the latter (cloud-provider-xenorchestra).

@fred974

I just saw that terraform had a free cloud account for less that 5 users and I was thinking of registering, will it work?

Terraform cloud would work if your XO deployment was publicly accessible. I highly advise against this because if your XO deployment were compromised an attacker has access to your entire infrastructure.

If you were to do this I would make sure all of your user's have strong passwords and if Hashicorp has documented public IPs that you only open your firewall to Hashicorp's Ips. It seems from this forum post that this is only available if you on the business tier.

If I run Terraform in a VM on xcp-ng, I don't need to open any port and use Terraform localy.

Yes running it on the xcp-ng host would work, however, keeping best practices in mind I would run it on a less privileged host (laptop with vpn access, development VM). If you have others collaborating on this terraform deployment, giving access to the xcp-ng host just to use terraform seems like a heavy hammer.

Is there a simple script I can run to see if I can access the Xen Orchestra API?

nmap will be able to tell you this.

nmap -sT -P0 -p 443 xo-domain

@itnok yea it appears the project uses the plugin api for Vagrant 1.x which may not work with Vagrant 2.x (the latest version) I'm not sure if the plugin api has changed significantly since I haven't written any plugins myself.

@ruskofd is right. You should be able to use the cloud_network_config attribute to achieve this.

The following code is untested but should launch a vm with a static IP. Please see the xenorchestra_vm resource docs and the cloud-init networking v1 docs for more details.

resource "xenorchestra_vm" "static_ip_vm" {
....
  cloud_network_config = <<EOF
network:
version: 1
config:
  - type: physical
    name: eth0
    subnets:
      - type: static
        address: STATIC_IP/24
        gateway: GATEWAY_IP
        dns_nameservers:
          - 8.8.8.8
EOF
}

Let me know if you have any questions or issues using cloud_network_config,

As for the blog post, the VM would have been assigned an ip address via dhcp (assuming the guest OS had cloud-init installed which was true for the VM template in the blog post).