This project contains Terraform/Terragrunt configurations for managing Proxmox VE infrastructure with virtual machines for automation, development, logging, and service management.
This repository provides Terraform configurations to provision and manage:
- Virtual machines and containers on Proxmox VE
- Automation infrastructure to manage all VMs and containers
- Logging infrastructure and centralized syslog
- Container orchestration with k3s (lightweight Kubernetes) and Docker
- Resource pools and networking
- SSH keys and authentication
The project uses a modular structure for better maintainability and reusability:
```text
terraform-proxmox/
├── main.tf                       # Root module orchestrating all components
├── variables.tf                  # Root-level variable definitions
├── outputs.tf                    # Root-level outputs
├── locals.tf                     # Local value definitions
├── container.tf                  # Container resource definitions
├── deployment.json               # Non-secret deployment config (committed plaintext)
├── terraform.sops.json           # Encrypted network topology (3 values)
├── terraform.sops.json.example   # SOPS template
├── terragrunt.hcl                # Terragrunt configuration (generates provider.tf)
├── packer/                       # Packer templates for VM images
│   ├── splunk.pkr.hcl            # Splunk Enterprise template build
│   └── variables.pkr.hcl         # Packer variables (Doppler integration)
└── modules/
    ├── proxmox-pool/             # Resource pool management
    │   ├── main.tf
    │   ├── variables.tf
    │   └── outputs.tf
    ├── proxmox-vm/               # Virtual machine creation
    │   ├── main.tf
    │   ├── variables.tf
    │   └── outputs.tf
    ├── proxmox-container/        # Container management
    │   ├── main.tf
    │   ├── variables.tf
    │   └── outputs.tf
    ├── splunk-vm/                # Splunk Enterprise all-in-one VM
    │   ├── main.tf
    │   ├── variables.tf
    │   └── outputs.tf
    ├── security/                 # Security resources (SSH keys, passwords)
    │   ├── main.tf
    │   ├── variables.tf
    │   └── outputs.tf
    ├── firewall/                 # Proxmox firewall rules for clusters
    │   ├── main.tf
    │   ├── variables.tf
    │   └── outputs.tf
    └── storage/                  # Storage and cloud-init configs
        ├── main.tf
        ├── variables.tf
        └── outputs.tf
```
- Modular Design: Separate modules for different resource types
- Security: Static SSH key management via cloud-init
- Resource Pools: Organized resource management
- Virtual Machines: Configurable VM deployments with virtio disk interface
- Containers: LXC container support (configurable)
- Storage: Cloud-init configuration management
- Splunk Infrastructure: Packer-built Splunk Enterprise template with dedicated splunk-vm module
- Firewall Management: Integrated Proxmox firewall module for network isolation and security
- Terragrunt Integration: Backend configuration and state management
- Latest Versions: See `terragrunt.hcl` for current provider version constraints
- Eliminated Duplication: All VMs use the same module
- Improved Reusability: Modules can be used across different environments
- Enhanced Maintainability: Clear separation of concerns
- Better Security: Static SSH key management with cloud-init
- Consistent Configuration: Standardized VM settings with virtio interfaces
- Performance Optimized: Virtio disk interfaces eliminate Proxmox warnings
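As an illustration of the virtio convention, a VM disk definition in the `proxmox-vm` module might look like the sketch below. The resource and attribute names follow the bpg/proxmox provider; the variable names and values are assumptions, not the module's actual code.

```hcl
# Hypothetical excerpt from modules/proxmox-vm/main.tf
resource "proxmox_virtual_environment_vm" "vm" {
  name      = var.vm_name
  node_name = var.proxmox_node
  pool_id   = var.pool_id

  disk {
    datastore_id = "local-zfs"      # ZFS datastore, recommended for performance
    interface    = "virtio0"        # virtio interface avoids Proxmox disk warnings
    size         = var.disk_size_gb
  }
}
```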
All tools are provided via the shared nix-devenv terraform shell.
The repository ships a committed .envrc file that auto-activates
the shell via direnv when you enter the directory.
Requirements:
- Nix with flakes enabled
- direnv with nix-direnv
```sh
# Automatic activation (requires direnv + nix-direnv)
direnv allow  # one-time per worktree, then automatic on cd

# Manual activation
nix develop "github:JacobPEvans/nix-devenv?dir=shells/terraform"
```

Tools provided:

- `terragrunt`, `opentofu`, `terraform-docs`, `tflint` -- IaC tooling
- `tfsec`, `trivy` -- security scanning
- `sops`, `age` -- secrets management
- `awscli2`, `git`, `python3` -- cloud and development
- `jq`, `yq` -- utilities
- `pre-commit` -- git hook management
See nix-devenv shells/terraform for the complete dev environment definition.
Install the following tools manually:
- Terraform >= 1.12.2
- Terragrunt >= 0.81.10
- AWS CLI configured
- Proxmox API token
- SSH key pair
- Security scanners (tfsec, trivy)
- Ansible and molecule (for configuration management)
```sh
# Plan changes
terragrunt plan

# Deploy infrastructure
terragrunt apply -auto-approve

# Destroy infrastructure
terragrunt destroy --terragrunt-parallelism=1

# Check state
terragrunt state list

# View infrastructure
terragrunt show
```

Configuration is split into three layers:
- `deployment.json` (committed, plaintext) — containers, VMs, pools, `proxmox_node`
- `terraform.sops.json` (committed, encrypted) — `network_prefix`, SSH key paths
- Doppler env vars (runtime only) — `PROXMOX_VE_*`, `SPLUNK_*`, credentials
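By way of illustration, the plaintext layer can be consumed in Terraform with `jsondecode(file(...))`. This is a sketch; the local names and JSON keys shown are assumptions about the repository's layout.

```hcl
# Hypothetical excerpt from locals.tf: load the committed, non-secret layer
locals {
  deployment = jsondecode(file("${path.module}/deployment.json"))

  containers   = local.deployment.containers
  proxmox_node = local.deployment.proxmox_node
}
```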
- Edit non-secret config directly in `deployment.json`:

  ```sh
  # deployment.json is committed plaintext — edit and commit normally
  $EDITOR deployment.json
  git add deployment.json && git commit -m "chore: update containers"
  ```
- Set up SOPS for the 3 encrypted values (network prefix + SSH key paths):

  ```sh
  cp terraform.sops.json.example terraform.sops.json
  $EDITOR terraform.sops.json  # fill in real values
  sops --encrypt --in-place terraform.sops.json
  git add terraform.sops.json
  ```
- See the complete guide: docs/SOPS_SETUP.md. It explains the full 3-layer architecture, SOPS key setup, Doppler credential management, and derived network values.
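Terragrunt can decrypt the encrypted layer in place with its built-in `sops_decrypt_file()` function. The sketch below assumes the input name `network_prefix`; it is illustrative, not the repository's actual `terragrunt.hcl`.

```hcl
# Hypothetical excerpt from terragrunt.hcl
locals {
  secrets = jsondecode(sops_decrypt_file("${get_terragrunt_dir()}/terraform.sops.json"))
}

inputs = {
  network_prefix = local.secrets.network_prefix
}
```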
| File | Purpose |
|---|---|
| `main.tf` | Core resource definitions and VM orchestration |
| `variables.tf` | Input variable definitions with validation |
| `locals.tf` | Local value computations and transformations |
| `container.tf` | Container resources and configurations |
| `outputs.tf` | Output value definitions |
| `terragrunt.hcl` | Remote state management (generates provider.tf) |
| `deployment.json` | Non-secret deployment config (containers, VMs, pools) |
| `terraform.sops.json` | Encrypted network topology (3 values) |
| `terraform.sops.json.example` | SOPS template |
- `proxmox_api_endpoint` - Proxmox API URL
- `proxmox_api_token` - API authentication token
- `proxmox_ssh_private_key` - SSH key for Proxmox host access
- Backend: AWS S3 + DynamoDB
- Encryption: Enabled
- Locking: DynamoDB table for state locking
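A typical Terragrunt `remote_state` block for this kind of S3 + DynamoDB backend looks roughly like the following. The bucket and table names are placeholders, not the project's real values.

```hcl
# Hypothetical remote_state block -- bucket/table names are placeholders
remote_state {
  backend = "s3"
  generate = {
    path      = "backend.tf"
    if_exists = "overwrite_terragrunt"
  }
  config = {
    bucket         = "example-terraform-state"
    key            = "terraform-proxmox/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true                      # state encrypted at rest
    dynamodb_table = "example-terraform-locks" # DynamoDB state locking
  }
}
```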
Note: Proxmox datastore creation is typically done manually or via Proxmox API. The bpg/proxmox provider doesn't support datastore creation through Terraform. This follows Proxmox best practices to manage storage at the hypervisor level.
Default datastores used:
- `local`: For ISO images, snippets, backups
- `local-zfs`: For VM disks (recommended for better performance)
- `local-lvm`: Alternative storage option
Additional datastores should be configured directly in Proxmox VE before running Terraform.
All VMs are configured with:
- Hardware-constrained resource allocation
- Virtio disk interfaces for optimal performance
- Debian 13.2.0 (Trixie)
- Cloud-init integration with static SSH keys
- SSH key authentication from configured SSH key
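Static SSH key injection via cloud-init, as the bpg/proxmox provider exposes it, might be sketched as below. The username and variable name are assumptions for illustration.

```hcl
# Hypothetical cloud-init excerpt inside the VM resource
resource "proxmox_virtual_environment_vm" "vm" {
  # ... hardware and disk configuration ...

  initialization {
    datastore_id = "local-zfs"

    user_account {
      username = "admin"                         # placeholder user
      keys     = [file(var.ssh_public_key_path)] # static key from configured path
    }

    ip_config {
      ipv4 {
        address = "dhcp"
      }
    }
  }
}
```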
Infrastructure Summary:
- 1 VM (Splunk Enterprise all-in-one): ID 100
- 5 LXC Containers: IDs 200, 205, 210-211, 220
- See INFRASTRUCTURE_NUMBERING.md for complete details
Verify Splunk VM protection guarantees (plan safety, output structure, live health):

```sh
# Plan-level tests (safe, no infrastructure changes):
aws-vault exec tf-proxmox -- doppler run -- ./scripts/test-splunk-protection.sh

# With live VM health checks:
aws-vault exec tf-proxmox -- doppler run -- ./scripts/test-splunk-protection.sh --live
```

Run the `.tftest.hcl` mock test suite directly:

```sh
terraform test
# or: tofu test
```

- DEPLOYMENT_GUIDE.md - START HERE: Complete deployment walkthrough
- Managing Real Infrastructure Values - CRITICAL: How to safely maintain real IPs/hostnames separate from committed code
- Nix Shell Setup Guide - Comprehensive guide to using Nix shells for development
- OpenHands Integration - Guide for integrating OpenHands AI software engineer with Nix, OrbStack, Terraform, and Kubernetes
- INFRASTRUCTURE_NUMBERING.md - Complete infrastructure map and numbering scheme
- Splunk Cluster Specification - Detailed Splunk configuration
- TROUBLESHOOTING.md - Operational guidance and common issues
- TERRAGRUNT_STATE_TROUBLESHOOTING.md - Historical state management issues (resolved)
Infrastructure Ready: Terraform state synchronization issues have been fully resolved. All state operations (plan, refresh, apply) work reliably against the S3 + DynamoDB backend. The project is ready for controlled infrastructure deployment and k3s/Docker container setup.
- Passwords configured per VM via cloud-init user accounts
- All sensitive outputs are marked as sensitive
- State files are encrypted in S3
- Least-privilege access principles applied
- Virtio interfaces provide secure disk access
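Marking outputs sensitive keeps generated credentials out of CLI output and logs. A minimal sketch, with hypothetical resource and output names:

```hcl
# Hypothetical excerpt: generated password marked sensitive in outputs.tf
resource "random_password" "vm_root" {
  length  = 24
  special = true
}

output "vm_root_password" {
  description = "Generated root password for the VM"
  value       = random_password.vm_root.result
  sensitive   = true # redacted in `terraform plan` / `apply` output
}
```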
- Resource Tagging: All resources tagged with environment and purpose
- Module Versioning: Provider versions pinned for stability
- State Management: Remote state with S3 backend and DynamoDB locking
- Variable Validation: Input validation where appropriate
- Lifecycle Management: Proper resource lifecycle configuration
- Error Handling: Robust error handling and validation
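The variable validation mentioned above can be expressed with a `validation` block. A sketch with assumed names and limits:

```hcl
# Hypothetical excerpt from variables.tf
variable "vm_cores" {
  type        = number
  description = "CPU cores allocated to the VM"

  validation {
    condition     = var.vm_cores >= 1 && var.vm_cores <= 16
    error_message = "vm_cores must be between 1 and 16."
  }
}
```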
- Plan changes with `terragrunt plan`
- Review infrastructure changes carefully
- Test in isolated environments
- Follow conventional commit messages
- Add support for additional VM types
- Implement backup automation
- Add monitoring and alerting configurations
- Integrate with configuration management tools
This project is licensed under the Apache License 2.0 - see the LICENSE file for details.