Use Terraform to manage LXD resources.
This provider connects to the LXD daemon over local Unix socket or HTTPS.
It makes use of the LXD client library, which
currently looks in ~/snap/lxd/common/config (and ~/.config/lxc) for client.crt
and client.key files to authenticate against the LXD daemon.
To generate these files and store them in the LXD client config, follow these
steps.
Alternatively, the LXD Terraform provider can generate them on demand if
generate_client_certificates is set to true.
Minimum required LXD version is 4.0.
This is all that is needed if the LXD remotes have been defined out of band via
the lxc client.
provider "lxd" {
}If you're running terraform from a system where lxc is not installed then you
can define all the remotes in the Provider config:
provider "lxd" {
generate_client_certificates = true
accept_remote_certificate = true
remote {
name = "lxd-server-1"
address = "https://10.1.1.8:8443"
password = "password"
default = true
}
remote {
name = "lxd-server-2"
address = "https://10.1.2.8"
token = "token"
}
}The following arguments are supported:
-
remote- Optional - Specifies an LXD remote (LXD server) to connect to. See theremotereference below for details. -
config_dir- Optional - The directory to look for existing LXD configuration. Defaults to$HOME/snap/lxd/common/config(and fallbacks to$HOME/.config/lxc). -
generate_client_certificates- Optional - Automatically generate the LXD client certificate if it does not exist. Defaults tofalse. -
accept_remote_certificate- Optional - Automatically accept the LXD remote's certificate during initial authentication. If this is not set totrue, you must accept the certificate out of band of Terraform or use a trust token instead (recommended, seetokeninremote). Defaults tofalse.
The remote block supports:
-
name- Optional - The name of the remote. -
protocol- Optional - The protocol of remote server (lxdorsimplestreams). -
address- Optional - The remote address in format[<scheme>://]<host>[:<port>]. Scheme can be set to eitherunixorhttps. If scheme is not set, it will default tounixif first character is/, otherwise tohttps. Port can be set only for remote HTTPS servers. Port value defaults to8443forlxdprotocol, and to443forsimplestreamsprotocol. -
default- Optional - Whether this should be the default remote. This remote will then be used when one is not specified in a resource. If you choose to not set default=true on aremoteand do not specify a remote in a resource, this provider will attempt to connect to an LXD server running on the same host through the UNIX socket. SeeUndefined Remotefor more information. The default can also be set with theLXD_REMOTEEnvironment variable. -
password- Optional - The trust password used for initial authentication with the LXD remote. This method is not recommended and has been removed in LXD 6.1. Please, usetokeninstead. -
token- Optional - The one-time trust token used for initial authentication with the LXD remote.
If you choose to not define a remote, this provider will attempt
to connect to an LXD server running on the same host through the UNIX
socket.
It is possible to define a single remote through environment variables.
The supported variables are:
LXD_REMOTE- The name of the remote.LXD_ADDR- The address of the LXD remote.LXD_PASSWORD- The password of the LXD remote.LXD_TOKEN- The trust token of the LXD remote.LXD_GENERATE_CLIENT_CERTS- Automatically generate the LXD client certificate if missing.LXD_ACCEPT_SERVER_CERTIFICATE- Automatically accept the LXD remote's certificate during initial authentication.
LXD is capable of authenticating via PKI. In order to do this, you must generate appropriate certificates on both the remote/server side and client side. Details on how to generate these certificates is out of scope of this document.