A Terraform provider is responsible for understanding API interactions and exposing resources. The Proxmox provider uses the Proxmox API. This provider exposes two resources: proxmox_vm_qemu and proxmox_lxc.
The particular privileges required may change but here is a suitable starting point rather than using cluster-wide Administrator rights
Log into the Proxmox cluster or host using ssh (or mimic these in the GUI) then:
- Create a new role for the future terraform user.
- Create the user "terraform-prov@pve"
- Add the TERRAFORM-PROV role to the terraform-prov user
pveum role add TerraformProv -privs "VM.Allocate VM.Clone VM.Config.CDROM VM.Config.CPU VM.Config.Cloudinit VM.Config.Disk VM.Config.HWType VM.Config.Memory VM.Config.Network VM.Config.Options VM.Monitor VM.Audit VM.PowerMgmt Datastore.AllocateSpace Datastore.Audit"
pveum user add terraform-prov@pve --password <password>
pveum aclmod / -user terraform-prov@pve -role TerraformProv
The provider also supports using an API key rather than a password, see below for details.
After the role is in use, if there is a need to modify the privileges, simply issue the command showed, adding or removing privileges as needed.
pveum role modify TerraformProv -privs "VM.Allocate VM.Clone VM.Config.CDROM VM.Config.CPU VM.Config.Cloudinit VM.Config.Disk VM.Config.HWType VM.Config.Memory VM.Config.Network VM.Config.Options VM.Monitor VM.Audit VM.PowerMgmt Datastore.AllocateSpace Datastore.Audit"
For more information on existing roles and privileges in Proxmox, refer to the vendor docs on PVE User Management
When connecting to the Proxmox API, the provider has to know at least three parameters: the URL, username and password. One can supply fields using the provider syntax in Terraform. It is recommended to pass secrets through environment variables.
export PM_USER="terraform-prov@pve"
export PM_PASS="password"
Note: these values can also be set in main.tf but users are encouraged to explore Vault as a way to remove secrets from their HCL.
provider "proxmox" {
pm_api_url = "https://proxmox-server01.example.com:8006/api2/json"
}
export PM_API_TOKEN_ID="terraform-prov@pve!mytoken"
export PM_API_TOKEN_SECRET="afcd8f45-acc1-4d0f-bb12-a70b0777ec11"
provider "proxmox" {
pm_api_url = "https://proxmox-server01.example.com:8006/api2/json"
}
You can enable global debug mode for the provider underlying api client, using the new provider parameter. The default setting is false
provider "proxmox" {
pm_debug = true
}
You can send all api calls from the provider api client to a proxy server rather than directly to proxmox itself. This can make debugging easier. A nice proxy server is mitmproxy.
provider "proxmox" {
pm_proxy_server = "http://proxyurl:proxyport"
}
The following arguments are supported in the provider block:
pm_api_url
- (Required; or use environment variablePM_API_URL
) This is the target Proxmox API endpoint.pm_user
- (Optional; or use environment variablePM_USER
) The user, remember to include the authentication realm such as myuser@pam or myuser@pve.pm_password
- (Optional; sensitive; or use environment variablePM_PASS
) The password.pm_api_token_id
- (Optional; or use environment variablePM_API_TOKEN_ID
) This is an API token you have previously created for a specific user.pm_api_token_secret
- (Optional; or use environment variablePM_API_TOKEN_SECRET
) This uuid is only available when the token was initially created.pm_otp
- (Optional; or use environment variablePM_OTP
) The 2FA OTP code.pm_tls_insecure
- (Optional) Disable TLS verification while connecting to the proxmox server.pm_parallel
- (Optional; defaults to 4) Allowed simultaneous Proxmox processes (e.g. creating resources).pm_log_enable
- (Optional; defaults to false) Enable debug logging, see the section below for logging details.pm_log_levels
- (Optional) A map of log sources and levels.pm_log_file
- (Optional; defaults to "terraform-plugin-proxmox.log") If logging is enabled, the log file the provider will write logs to.pm_timeout
- (Optional; defaults to 300) Timeout value (seconds) for proxmox API calls.pm_debug
- (Optional; defaults to false) Enable verbose output in proxmox-api-gopm_proxy_server
- (Optional; defaults to nil) Send provider api call to a proxy server for easy debugging
Additionally, one can set the PM_OTP_PROMPT
environment variable to prompt for OTP 2FA code (if required).
The provider is able to output detailed logs upon request. Note that this feature is intended for development purposes,
but could also be used to help investigate bugs. For example: the following code when placed into the provider "proxmox"
block will enable loging to the file "terraform-plugin-proxmox.log". All log sources will default to the "debug" level.
To silence and any stdout/stderr from sub libraries (proxmox-api-go), remove or comment out _capturelog
.
provider "proxmox" {
pm_log_enable = true
pm_log_file = "terraform-plugin-proxmox.log"
pm_debug = true
pm_log_levels = {
_default = "debug"
_capturelog = ""
}
}