Using OVHcloud Object Storage as Terraform Backend to store your Terraform state

Find out how to use an OVHcloud Object Storage as a Terraform Backend to store your Terraform state

Last updated 5th April 2022

Objective

It is possible to store Terraform state on a remote data store/backend like a AWS S3 bucket, a Google Cloud Storage (GCS)... but do you know that you can also store your Terraform states on an OVHcloud Object Storage container?

In this tutorial you will:

  • create an Object Storage container
  • create a Terraform remote backend
  • create an OpenStack user with Object Storage rights and retrieve OpenStack credentials
  • initialize your Terraform backend

Requirements

Before you begin

Terraform

Terraform is an open-source infrastructure as code (IaC) tool created by Hashicorp in 2014, written in Go. It aims to build, change and version control your infrastructure. You can define and provision your infrastructure by writing the definition of your resources in Hashicorp Configuration Language (HCL).

Terraform

This tool has a powerful and very intuitive command line interface (CLI). If you are interested in leveraging your knowledge about Terraform CLI, a Cheat Sheet exists.

At OVHcloud we created a Terraform provider that you can use to interact with and manage OVHcloud resources.

Terraform states and backend

Terraform has several concepts, one of them is the state.

A Terraform state is a snapshot of your infrastructure from when you last ran the terraform apply command. By default, the state file is stored locally in a terraform.tfstate file. But the common usage, in production environment, is to store it remotely.

Terraform state schema

You can for example store your Terraform state on an OVHcloud Object Storage container.

In order to do that you need to configure a backend in your Terraform HCL configuration files.

Terraform States are not encrypted at rest when stored inside an Object Storage container.

Instructions

Creating an Object Storage container/bucket

First, you need to have an Object Storage container. If you don't already had one, you can follow the Creating an Object Storage container tutorial.

For this guide, our Object Storage container is named terraform-state and its region is GRA.

terraform state container in OVHcloud Object Storage

Initializing Terraform configuration

Create a backend.tf file with the following content:

terraform {
    backend "swift" {
        container = "terraform-state"
        region_name = "GRA"
        cloud = "tfstate"
        archive_container = "terraform-state-archive"
    }
}

In this file you define a Swift Terraform backend in the GRA region. Don't hesitate to change this parameter if you created an Object Storage container in another region.

We also use an OpenStack clouds.yaml file.

Don't forget to define an archive_container to activate the object versioning in Swift.

Creating an OpenStack user with Object Storage rights

In order to store your Terraform states on an Object Storage, and generally if you want to interact with the Object Storage, you need to have the rights to manage an Object Storage.

In order to do that you will create an OpenStack user.

Log in to the OVHcloud Control Panel, go to the Public Cloud section and select the Public Cloud project concerned.

Access the administration UI for your OVHcloud Managed Kubernetes clusters by clicking on Users & Roles in the left-hand menu and click on + Add user.

Create OpenStack user

Enter a description for the user you want to create, for example Terraform and click on Next.

Create OpenStack user

Check the ObjectStore operator role and click on Confirm.

Create OpenStack user

Your user is being created. Username and password will be automatically generated and displayed in your Control Panel.

Create OpenStack user

Be sure to save the password shown in the green message box to a password manager at this time. The password cannot be recovered afterwards. However, you can always create a new password by clicking on ... and selecting Generate a password.

Generate OpenStack user password

Retrieve OpenStack credentials

Now click on ... and select Launch OpenStack Horizon.

Enter the user and password information you saved before then click on Connect.

Horizon Login

In the side bar, click on API Access.

Horizon Home Page

Click on Download OpenStack RC File button and then on OpenStack clouds.yaml File.

Horizon API Access

Save the clouds.yaml file in your local machine.

You need to edit the generated clouds.yaml file in order to provide all details needed by Terraform.

Edit this clouds.yaml file like below:

clouds:
  tfstate:
    auth:
      auth_url: https://auth.cloud.ovh.net/v3/
      domain_name: default
      username: "user-xxxxxx"
      password: xxxxx
      project_domain_name: default
      project_name: "xxxxx"
      user_domain_name: default
    region_name: GRA

If the password line is missing in your clouds.yaml file, please add it with the password you copied/pasted earlier.

Terraform needs to know where your OpenStack credentials are located (clouds.yaml file) so you have several possibilities:

  • place the clouds.yaml into the current working directory of your Terraform files
  • place it in ~/.config/openstack
  • or place it on /etc/openstack

Whatever the solution you choose, Terraform will automatically find the clouds.yaml file.

In this guide we choose to save it next to the backend.tf file:

.
├── backend.tf
└── clouds.yaml

Terraform Init

Now you can initialize your Terraform configuration with the terraform init command.

The terraform init command is used to initialize a working directory containing Terraform configuration files. This is the first command that should be run after writing a new Terraform configuration or cloning an existing one from version control. It is safe to run this command multiple times.

This command initializes the backend (remote or local state).

After executing this command, you should obtain a result like this:

$ terraform init

Initializing the backend...

Successfully configured the backend "swift"! Terraform will automatically
use this backend unless the backend configuration changes.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Now you can define your Terraform configuration files and providers and after running the terraform apply command, your Terraform state file will be stored in an OVHcloud Object Storage container.

Go further

Join our community of users on https://community.ovh.com/en/.


Did you find this guide useful?

Please feel free to give any suggestions in order to improve this documentation.

Whether your feedback is about images, content, or structure, please share it, so that we can improve it together.

Your support requests will not be processed via this form. To do this, please use the "Create a ticket" form.

Thank you. Your feedback has been received.


These guides might also interest you...

OVHcloud Community

Access your community space. Ask questions, search for information, post content, and interact with other OVHcloud Community members.

Discuss with the OVHcloud community