terraform-provider-incus

Terraform implementation creates only in the default project.

Open snoby opened this issue 7 months ago • 2 comments

I tried to do everything I could to prove this out. I have some Terraform code to generate Incus instances, and no matter if I hard-code a different project name than 'default', everything gets created in the default project.

I put this bit of terraform in my module

resource "null_resource" "assert_not_default_project" {
  provisioner "local-exec" {
    when    = create
    command = "echo 'ASSERT: instance ${var.name} might be created in the wrong project'"
  }

  lifecycle {
    # This makes sure it runs every apply
    create_before_destroy = true
  }

  triggers = {
    # Watch for this dummy field — set it to cause a diff
    debug_trigger = timestamp()
  }
}

along with this


data "incus_project" "current" {
  name = "default" # Terraform Incus provider only supports reading named projects
}

The Terraform output was this:

module.postgres_cluster.module.postgres["lxd3-pg-2"].module.instance.null_resource.assert_not_default_project (local-exec): ASSERT: instance lxd3-pg-2 might be created in the wrong project

So I'm definitely passing down to the module something different than default.

I even hardcoded it in the provider section

provider "incus" {

  config_dir = "/Users/snoby/.config/incus"

  generate_client_certificates = false
  accept_remote_certificate    = false
  #project                      = var.incus_project
  project = "database"
  remote {
    name    = var.incus_remote
    scheme  = "https"
    address = "10.0.0.237"
    default = true
  }
}

incus remote list
  | https://images.linuxcontainers.org | simplestreams | none        | YES    | NO     | NO     |
+--------------------+------------------------------------+---------------+-------------+--------+--------+--------+
| local              | unix://                            | incus         | file access | NO     | YES    | NO     |
+--------------------+------------------------------------+---------------+-------------+--------+--------+--------+
| lxd-3              | https://10.0.0.237:8443            | incus         | tls         | NO     | NO     | NO     |
+--------------------+------------------------------------+---------------+-------------+--------+--------+--------+
| lxd-3-db (current) | https://10.0.0.237:8443            | incus         | tls         | NO     | NO     | NO     |
+--------------------+------------------------------------+---------------+-------------+--------+--------+--------+
| theminer           | https://10.0.0.167:8443            | incus         | tls         | NO     | NO     | NO     |
+--------------------+------------------------------------+---------------+-------------+--------+--------+--------+

Further, I even tried setting up my remote

incus remote add lxd-3-db https://10.0.0.237 --project database

to no avail.

Has it been verified that the Terraform provider can create instances in something other than the default project?

snoby, Apr 11 '25 02:04

Yes, I commonly have the provider create instances and other resources across dozens of remotes and projects. We also have quite a few tests that validate that you can create various resources inside of projects.

Did you try actually indicating what project you want your resource to go into?

resource "incus_instance" "foo" {
  remote  = "my-remote"
  project = "my-project"
  name = "foo"
  image = "images:debian/13/amd64"
}

stgraber, Apr 11 '25 02:04

project = "my-project"

You're right, when hard-coded in the instance it does indeed work as intended.

resource "incus_instance" "instance" {
  name     = var.name
  image    = var.image
  profiles = [var.profile]

  #provider = incus
  project = "database"
  config = {
    "limits.cpu"    = var.cpu
    "limits.memory" = "${var.memory}GB"
  }
}

I am passing the provider down to the module, so clearly I messed up something or some inheritance isn't working right.

snoby, Apr 11 '25 02:04

@snoby I'm closing this issue for now.

maveonair, May 23 '25 15:05

I ran into the same issue. When creating an instance using this config, it is created in the default project.

resource "incus_instance" "i1" {
  image    = "images:debian/12"
  name     = "i1"
}
provider "incus" {
  remote {
    name = "my-server"
    default = true
  }
  project = "test"
}
terraform {
  required_version = ">=1.5.7"
  required_providers {
    incus = {
      source  = "lxc/incus"
      version = ">=0.3"
    }
  }
}

If I define the project key in the resource itself, the instance is created in the test project as expected. It seems that the project key defined in the provider is not inherited by the resource. If it is not supposed to be inherited, could you please explain to me what the project key in the provider is supposed to be used for?

positiveEV, Jun 23 '25 13:06

I just did one more test, and I got my answer. The project key in the provider is only used when connecting to the Incus server API. It allows the provider to use a client with access restricted to a project and, therefore, to make changes only for this project. Nevertheless, the project key is not inherited by the resources, so if we do not define it again in each resource, the tofu apply command will try to create the resource in the default project. I think that it would be more intuitive and save some configuration lines if the project defined in the provider became the default project when creating a resource, but it is not a big deal.

positiveEV, Jun 23 '25 13:06
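Since the provider-level project is not inherited by resources, a plan can be checked before apply for instances that would land outside the intended project. The following is an added example, not code from this thread or from the provider project: it reads the JSON produced by `terraform show -json <planfile>`, and the function name `find_unscoped`, the `CHECKED_TYPES` set and the sample plan are assumptions constructed for illustration.

```python
import json

# incus_instance is the type discussed in the thread; extending this set to
# other project-scoped resource types is an assumption left to the reader.
CHECKED_TYPES = {"incus_instance"}

# Constructed sample of `terraform show -json` output, trimmed to the
# fields this check reads.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "incus_instance.i1", "type": "incus_instance",
     "change": {"actions": ["create"], "after_unknown": {},
                "after": {"name": "i1", "project": None}}},
    {"address": "module.db.incus_instance.instance", "type": "incus_instance",
     "change": {"actions": ["create"], "after_unknown": {},
                "after": {"name": "pg-1", "project": "database"}}},
    {"address": "incus_instance.old", "type": "incus_instance",
     "change": {"actions": ["delete"], "after_unknown": {}, "after": None}},
    {"address": "null_resource.x", "type": "null_resource",
     "change": {"actions": ["create"], "after_unknown": {}, "after": {}}},
]})


def find_unscoped(plan_json, expected_project, checked_types=CHECKED_TYPES):
    """Return (address, project) for planned resources outside expected_project."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") not in checked_types:
            continue
        change = rc.get("change", {})
        if not set(change.get("actions", [])) & {"create", "update"}:
            continue  # deletes and no-ops place nothing new
        if (change.get("after_unknown") or {}).get("project"):
            continue  # value only known after apply; cannot be judged here
        after = change.get("after") or {}
        # Per the thread, an unset project means the "default" project.
        project = after.get("project") or "default"
        if project != expected_project:
            findings.append((rc["address"], project))
    return findings


if __name__ == "__main__":
    for address, project in find_unscoped(SAMPLE_PLAN, "database"):
        print(f"{address}: would be created in project '{project}'")
```
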