Operations grimoire/Deploy with Terraform
Where to work?
We deploy from Complector, using /opt/salt/nasqueron-operations as our local copy of rOPS, which is authoritative for both Salt and Terraform.
You need to belong to the ops group to access the repository and have write rights on it.
It's important to work from there so the Terraform state stays shared.
Specific deployment notes
Vault / OpenBao
- OpenTofu support
As of 2026-02-07, the Vault provider isn't compiled for FreeBSD. You need to use Terraform instead.
- Vault
You need a Vault token to allow the provider to connect.
You also need to set VAULT_ADDR to https://172.27.27.7:8200, as Vault doesn't listen on 127.0.0.1.
$ export VAULT_ADDR=https://172.27.27.7:8200
$ sudo /opt/salt/nasqueron-operations/utils/vault/issue-admin-token.py > ~/.vault-token
$ cd /opt/salt/nasqueron-operations/terraform/openbao
$ terraform init # if you've a new entry requiring a module, it needs to be installed
$ terraform plan
$ terraform apply
It could be worthwhile to maintain a policy other than admin for the Terraform provider, restricted to the actions it currently performs. Note that the benefit would be limited, as those actions include policy management.
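A preflight check for the steps above, as an added example that is not part of the original page or of rOPS. The function names `is_private_file` and `preflight` are hypothetical. It relies on the fact that a token file created by shell redirection gets the caller's umask-default permissions, so an admin token may end up readable by other accounts on the host.

```shell
#!/bin/sh
# Added example: preflight checks to run before `terraform plan` / `terraform apply`.
# Function names and messages are assumptions made for this illustration.

# True when $1 is a regular file with no group or other permission bits set.
is_private_file() {
    [ -f "$1" ] || return 1
    # `ls -ld` prints a mode string such as "-rw-------";
    # characters 5-10 hold the group and other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# preflight TOKEN_FILE CONFIG_DIR
# Reports every problem on stderr and returns the number of problems found.
preflight() {
    token_file=$1
    config_dir=$2
    problems=0

    # Vault doesn't listen on 127.0.0.1, so an unset or loopback address won't reach it.
    case "${VAULT_ADDR:-}" in
        ""|*://127.0.0.1:*|*://localhost:*)
            echo "VAULT_ADDR is unset or points to loopback" >&2
            problems=$((problems + 1)) ;;
    esac

    # The admin token must exist and be private to the current user.
    if [ ! -s "$token_file" ]; then
        echo "$token_file is missing or empty" >&2
        problems=$((problems + 1))
    elif ! is_private_file "$token_file"; then
        echo "$token_file must be a regular file with mode 600" >&2
        problems=$((problems + 1))
    fi

    # The shared state is stored beside the configuration, so the directory must be writable.
    if [ ! -d "$config_dir" ] || [ ! -w "$config_dir" ]; then
        echo "$config_dir is missing or not writable (ops group membership?)" >&2
        problems=$((problems + 1))
    fi

    return "$problems"
}

# Usage on Complector, with the paths from this page:
#   preflight ~/.vault-token /opt/salt/nasqueron-operations/terraform/openbao && terraform plan
```

Running `umask 077` in the shell before issuing the token makes the redirected file private from the start.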
Table of Terraform states
| Configuration | State back-end | Path | Software to use |
|---|---|---|---|
| openbao | On disk | /opt/salt/nasqueron-operations/terraform/openbao/terraform.tfstate | Terraform |
On-disk paths are stored on Complector.
Troubleshoot
Error: Module not installed
You need to run tofu init to install any new module or provider.
$ tofu plan
│ Error: Module not installed
│
│ on rhyne_wyse.tf line 23:
│ 23: module "rhyne_wyse_approle" {
│
│ This module is not yet installed. Run "tofu init" to install all modules required by this configuration.
Error: Incompatible provider version
$ tofu init
Initializing the backend...
Initializing modules...
- rhyne_wyse_approle in modules/app_credentials
Initializing provider plugins...
- Finding hashicorp/vault versions matching "5.3.0"...
╷
│ Error: Incompatible provider version
│
│ Provider registry.opentofu.org/hashicorp/vault v5.3.0 does not have a package available for your current platform, freebsd_amd64.
│
│ Provider releases are separate from OpenTofu CLI releases, so not all providers are available for all platforms. Other versions of this provider may have different platforms supported.
On OpenTofu, some providers are only compiled for Linux, not for FreeBSD. Switch to Terraform until a solution is found for the OpenTofu builds.
