diff --git a/.checkov.yml b/.checkov.yml
new file mode 100644
index 0000000..34ce1d8
--- /dev/null
+++ b/.checkov.yml
@@ -0,0 +1,6 @@
+soft-fail: true
+framework:
+ - terraform
+skip-check:
+ - CKV_TF_1 # Ensure Terraform module sources use a commit hash
+ - CKV_TF_2 # Ensure Terraform module sources use a tag with a version number
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..3619e00
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,43 @@
+name: CI
+
+on:
+ push:
+ branches: [main]
+ tags: ['v*']
+ pull_request:
+ branches: [main]
+
+permissions:
+ contents: write
+
+jobs:
+ test:
+ name: Pre-commit Tests
+ runs-on: ubuntu-latest
+ container:
+ image: ghcr.io/makeitworkcloud/runner:latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Initialize OpenTofu
+ run: tofu init -backend=false
+
+ - name: Run tests
+ run: make test
+
+ release:
+ name: Create Release
+ runs-on: ubuntu-latest
+ needs: [test]
+ if: startsWith(github.ref, 'refs/tags/v')
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Create GitHub Release
+ uses: softprops/action-gh-release@v2
+ with:
+ generate_release_notes: true
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..531e42d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,12 @@
+# vim swap files
+**/*.sw[po]
+
+# Terraform state and lock files
+**/.terraform.lock.hcl
+**/.terraform
+
+# IDE Folders
+**/.vscode
+
+# Mac Finder cache
+**/.DS_Store
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..f3e633f
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,36 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v6.0.0
+ hooks:
+ - id: check-case-conflict
+ - id: check-merge-conflict
+ - id: check-symlinks
+ - id: check-vcs-permalinks
+ - id: destroyed-symlinks
+ - id: detect-private-key
+ - id: mixed-line-ending
+ - id: trailing-whitespace
+- repo: https://github.com/antonbabenko/pre-commit-terraform
+ rev: v1.104.0
+ hooks:
+ - id: terraform_validate
+ args:
+ - --hook-config=--retry-once-with-cleanup=true
+ - --args=-no-color
+ - --tf-init-args=-reconfigure
+ - --tf-init-args=-upgrade
+ - id: terraform_tflint
+ args:
+ - --args=--minimum-failure-severity=error
+ - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl
+ - id: terraform_checkov
+ args:
+ - --args=--config-file __GIT_WORKING_DIR__/.checkov.yml
+ - id: terraform_fmt
+ args:
+ - --args=-no-color
+ - --args=-diff
+ - --args=-recursive
+ - id: terraform_docs
+ args:
+ - --args=--config=.terraform-docs.yml
diff --git a/.terraform-docs.yml b/.terraform-docs.yml
new file mode 100644
index 0000000..989a3fd
--- /dev/null
+++ b/.terraform-docs.yml
@@ -0,0 +1,16 @@
+formatter: "markdown"
+
+output:
+ file: "README.md"
+ mode: inject
+
+settings:
+ color: false
+ lockfile: false
+
+sort:
+ enabled: true
+ by: name
+
+recursive:
+ enabled: false
diff --git a/.tflint.hcl b/.tflint.hcl
new file mode 100644
index 0000000..e1e8412
--- /dev/null
+++ b/.tflint.hcl
@@ -0,0 +1,10 @@
+plugin "terraform" {
+ enabled = true
+ preset = "recommended"
+}
+
+config {
+ call_module_type = "local"
+ force = false
+ disabled_by_default = false
+}
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..37137b8
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,44 @@
+SHELL := /bin/bash
+TERRAFORM := $(shell which tofu)
+
+.PHONY: help init test pre-commit-check-deps pre-commit-install-hooks
+
+help:
+ @echo "Terraform Module targets"
+ @echo "------------------------"
+ @echo
+ @echo "\thelp: show this help text"
+ @echo "\tinit: run 'terraform init' (no backend)"
+ @echo "\ttest: run pre-commit checks"
+ @echo
+ @echo "One-time repo init targets"
+ @echo "--------------------------"
+ @echo
+ @echo "\tpre-commit-install-hooks: install pre-commit hooks"
+ @echo "\tpre-commit-check-deps: check pre-commit dependencies"
+ @echo
+
+init:
+ @${TERRAFORM} init -backend=false -upgrade
+
+test: .git/hooks/pre-commit
+ @pre-commit run -a
+
+DEPS_PRE_COMMIT=$(shell which pre-commit || echo "pre-commit not found")
+DEPS_TERRAFORM_DOCS=$(shell which terraform-docs || echo "terraform-docs not found")
+DEPS_TFLINT=$(shell which tflint || echo "tflint not found")
+DEPS_CHECKOV=$(shell which checkov || echo "checkov not found")
+DEPS_JQ=$(shell which jq || echo "jq not found")
+pre-commit-check-deps:
+ @echo "Checking for pre-commit and its dependencies:"
+ @echo " pre-commit: ${DEPS_PRE_COMMIT}"
+ @echo " terraform-docs: ${DEPS_TERRAFORM_DOCS}"
+ @echo " tflint: ${DEPS_TFLINT}"
+ @echo " checkov: ${DEPS_CHECKOV}"
+ @echo " jq: ${DEPS_JQ}"
+ @echo ""
+
+pre-commit-install-hooks: .git/hooks/pre-commit
+
+.git/hooks/pre-commit: pre-commit-check-deps
+ @pre-commit install --install-hooks
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..6a12feb
--- /dev/null
+++ b/README.md
@@ -0,0 +1,95 @@
+# terraform-libvirt-domain
+
+Terraform module for creating libvirt domains (VMs) with cloud-init and optional Ansible Automation Platform integration.
+
+## Usage
+
+```hcl
+module "vm" {
+ source = "git::https://github.com/makeitworkcloud/terraform-libvirt-domain.git?ref=v1.0.0"
+
+ name = "my-vm"
+ description = "My virtual machine"
+ vcpu = 2
+ memory = 4096
+
+ cloudinit_meta_data_template = file("${path.module}/templates/meta-data.tpl")
+ cloudinit_meta_data_vars = { hostname = "my-vm" }
+ cloudinit_user_data_template = file("${path.module}/templates/user-data.tpl")
+ cloudinit_user_data_vars = {}
+ cloudinit_network_config_template = file("${path.module}/templates/network-config.tpl")
+ cloudinit_network_config_vars = { ip_address = "192.168.1.100" }
+
+ private_ip_addr = "192.168.1.100"
+ proxyhost = "bastion.example.com"
+}
+```
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.3 |
+| [libvirt](#requirement\_libvirt) | >= 0.9.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aap](#provider\_aap) | n/a |
+| [libvirt](#provider\_libvirt) | >= 0.9.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| aap_host.host | resource |
+| aap_job.job | resource |
+| [libvirt_cloudinit_disk.commoninit](https://registry.terraform.io/providers/dmacvicar/libvirt/latest/docs/resources/cloudinit_disk) | resource |
+| [libvirt_domain.vm](https://registry.terraform.io/providers/dmacvicar/libvirt/latest/docs/resources/domain) | resource |
+| [libvirt_volume.boot](https://registry.terraform.io/providers/dmacvicar/libvirt/latest/docs/resources/volume) | resource |
+| [libvirt_volume.cloudinit](https://registry.terraform.io/providers/dmacvicar/libvirt/latest/docs/resources/volume) | resource |
+| [libvirt_volume.extra](https://registry.terraform.io/providers/dmacvicar/libvirt/latest/docs/resources/volume) | resource |
+| aap_inventory.inventory | data source |
+| aap_job_template.job_template | data source |
+| aap_organization.org | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [aap\_inventory\_name](#input\_aap\_inventory\_name) | Name of the AAP inventory to use. | `string` | `"libvirt-infra"` | no |
+| [aap\_job\_template\_name](#input\_aap\_job\_template\_name) | Name of the AAP job template to run. If left empty, will default to configure\_ | `string` | `""` | no |
+| [aap\_org\_name](#input\_aap\_org\_name) | Name of the Ansible Automation Platform (AAP) organization. | `string` | `"Default"` | no |
+| [boot\_image\_url](#input\_boot\_image\_url) | URL for the base QCOW2 image used as the boot disk. | `string` | `"https://download.fedoraproject.org/pub/fedora/linux/releases/42/Cloud/x86_64/images/Fedora-Cloud-Base-Generic-42-1.1.x86_64.qcow2"` | no |
+| [bridge\_name](#input\_bridge\_name) | Name of the network bridge for the second network interface. | `string` | `"nm-bridge"` | no |
+| [cloudinit\_meta\_data\_template](#input\_cloudinit\_meta\_data\_template) | The template content for cloud-init meta-data configuration. | `string` | n/a | yes |
+| [cloudinit\_meta\_data\_vars](#input\_cloudinit\_meta\_data\_vars) | Variable map for the cloud-init meta-data template. | `map(string)` | n/a | yes |
+| [cloudinit\_network\_config\_template](#input\_cloudinit\_network\_config\_template) | The template content for cloud-init network configuration. | `string` | n/a | yes |
+| [cloudinit\_network\_config\_vars](#input\_cloudinit\_network\_config\_vars) | Variable map for the cloud-init network configuration template. | `map(string)` | n/a | yes |
+| [cloudinit\_user\_data\_template](#input\_cloudinit\_user\_data\_template) | The template content for cloud-init user-data configuration. | `string` | n/a | yes |
+| [cloudinit\_user\_data\_vars](#input\_cloudinit\_user\_data\_vars) | Variable map for the cloud-init user-data template. Set to {} if not used. | `map(string)` | n/a | yes |
+| [description](#input\_description) | Description for the libvirt domain (virtual machine). | `string` | `""` | no |
+| [enable\_aap](#input\_enable\_aap) | Whether to provision Ansible Automation Platform (AAP) resources for this domain. | `bool` | `false` | no |
+| [extra\_volumes](#input\_extra\_volumes) | List of additional volumes to attach to the domain. Each object should contain:
- name: Name of the volume.
- size: Size of the volume in bytes.
Example:
[
{
name = "runner-var-lib-docker.qcow2"
size = 107374182400
}
] | list(object({
name = string
size = number
})) | `[]` | no |
+| [memory](#input\_memory) | Amount of memory (in MB) to assign to the domain. | `number` | `2048` | no |
+| [name](#input\_name) | The name of the libvirt domain (virtual machine) and related resources. | `string` | n/a | yes |
+| [private\_ip\_addr](#input\_private\_ip\_addr) | Private IP address to assign to the VM (used for network config and inventory). | `string` | n/a | yes |
+| [proxyhost](#input\_proxyhost) | Proxy host for SSH connection, used in ansible\_ssh\_common\_args. | `string` | n/a | yes |
+| [storage\_pool](#input\_storage\_pool) | Name of the libvirt storage pool where volumes will be created. | `string` | `"default"` | no |
+| [vcpu](#input\_vcpu) | Number of virtual CPUs to assign to the domain. | `number` | `1` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [boot\_volume\_id](#output\_boot\_volume\_id) | The ID of the boot volume |
+| [cloudinit\_disk\_id](#output\_cloudinit\_disk\_id) | The ID of the cloud-init disk |
+| [domain\_id](#output\_domain\_id) | The ID of the libvirt domain |
+| [domain\_name](#output\_domain\_name) | The name of the libvirt domain |
+
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..e9675fb
--- /dev/null
+++ b/main.tf
@@ -0,0 +1,189 @@
+resource "libvirt_volume" "boot" {
+ name = "${var.name}.qcow2"
+ pool = var.storage_pool
+
+ target = {
+ format = {
+ type = "qcow2"
+ }
+ }
+
+ create = {
+ content = {
+ url = var.boot_image_url
+ }
+ }
+}
+
+resource "libvirt_volume" "extra" {
+ count = length(var.extra_volumes)
+ name = var.extra_volumes[count.index].name
+ pool = var.storage_pool
+ capacity = var.extra_volumes[count.index].size
+}
+
+resource "libvirt_cloudinit_disk" "commoninit" {
+ name = "${var.name}_commoninit"
+ meta_data = templatefile(var.cloudinit_meta_data_template, var.cloudinit_meta_data_vars)
+ user_data = templatefile(var.cloudinit_user_data_template, var.cloudinit_user_data_vars)
+ network_config = templatefile(var.cloudinit_network_config_template, var.cloudinit_network_config_vars)
+}
+
+resource "libvirt_volume" "cloudinit" {
+ name = "${var.name}_cloudinit.iso"
+ pool = var.storage_pool
+
+ create = {
+ content = {
+ url = libvirt_cloudinit_disk.commoninit.path
+ }
+ }
+}
+
+resource "libvirt_domain" "vm" {
+ name = var.name
+ type = "kvm"
+ description = var.description
+ vcpu = var.vcpu
+ memory = var.memory
+ memory_unit = "MiB"
+ running = true
+
+ cpu = {
+ mode = "host-passthrough"
+ }
+
+ os = {
+ type = "hvm"
+ type_arch = "x86_64"
+ boot_devices = [{ dev = "hd" }]
+ }
+
+ devices = {
+ disks = concat(
+ [
+ {
+ source = {
+ volume = {
+ pool = var.storage_pool
+ volume = libvirt_volume.boot.name
+ }
+ }
+ target = {
+ dev = "vda"
+ bus = "virtio"
+ }
+ },
+ {
+ source = {
+ volume = {
+ pool = var.storage_pool
+ volume = libvirt_volume.cloudinit.name
+ }
+ }
+ target = {
+ dev = "vdb"
+ bus = "virtio"
+ }
+ device = "cdrom"
+ }
+ ],
+ [
+ for idx, vol in libvirt_volume.extra : {
+ source = {
+ volume = {
+ pool = var.storage_pool
+ volume = vol.name
+ }
+ }
+ target = {
+ dev = "vd${substr("cdefghij", idx, 1)}"
+ bus = "virtio"
+ }
+ }
+ ]
+ )
+
+ interfaces = [
+ {
+ model = {
+ type = "virtio"
+ }
+ source = {
+ network = {
+ network = "default"
+ }
+ }
+ },
+ {
+ model = {
+ type = "virtio"
+ }
+ source = {
+ bridge = {
+ bridge = var.bridge_name
+ }
+ }
+ }
+ ]
+
+ graphics = [
+ {
+ vnc = {
+ auto_port = true
+ listen = "0.0.0.0"
+ listeners = [
+ {
+ address = {
+ address = "0.0.0.0"
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+
+ lifecycle {
+ ignore_changes = [devices]
+ }
+}
+
+data "aap_organization" "org" {
+ count = var.enable_aap ? 1 : 0
+ name = var.aap_org_name
+ depends_on = [libvirt_domain.vm]
+}
+
+data "aap_inventory" "inventory" {
+ count = var.enable_aap ? 1 : 0
+ name = var.aap_inventory_name
+ organization_name = data.aap_organization.org[0].name
+ depends_on = [data.aap_organization.org]
+}
+
+resource "aap_host" "host" {
+ count = var.enable_aap ? 1 : 0
+ name = var.name
+ description = var.description
+ inventory_id = data.aap_inventory.inventory[0].id
+ enabled = true
+ variables = jsonencode({
+ ansible_host = var.private_ip_addr
+ ansible_ssh_common_args = "-o ProxyCommand=\"ssh -o StrictHostKeyChecking=no -W %h:%p ${var.proxyhost}\""
+ })
+ depends_on = [data.aap_inventory.inventory]
+}
+
+data "aap_job_template" "job_template" {
+ count = var.enable_aap ? 1 : 0
+ name = var.aap_job_template_name != "" ? var.aap_job_template_name : "configure_${var.name}"
+ organization_name = data.aap_organization.org[0].name
+ depends_on = [data.aap_organization.org]
+}
+
+resource "aap_job" "job" {
+ count = var.enable_aap ? 1 : 0
+ job_template_id = data.aap_job_template.job_template[0].id
+ depends_on = [aap_host.host, data.aap_job_template.job_template]
+}
diff --git a/outputs.tf b/outputs.tf
new file mode 100644
index 0000000..a3ef12e
--- /dev/null
+++ b/outputs.tf
@@ -0,0 +1,19 @@
+output "domain_id" {
+ description = "The ID of the libvirt domain"
+ value = libvirt_domain.vm.id
+}
+
+output "domain_name" {
+ description = "The name of the libvirt domain"
+ value = libvirt_domain.vm.name
+}
+
+output "boot_volume_id" {
+ description = "The ID of the boot volume"
+ value = libvirt_volume.boot.id
+}
+
+output "cloudinit_disk_id" {
+ description = "The ID of the cloud-init disk"
+ value = libvirt_cloudinit_disk.commoninit.id
+}
diff --git a/providers.tf b/providers.tf
new file mode 100644
index 0000000..64ae94e
--- /dev/null
+++ b/providers.tf
@@ -0,0 +1,13 @@
+terraform {
+ required_version = ">= 1.3"
+
+ required_providers {
+ libvirt = {
+ source = "dmacvicar/libvirt"
+ version = ">= 0.9.0"
+ }
+ aap = {
+ source = "registry.terraform.io/ansible/aap"
+ }
+ }
+}
diff --git a/vars.tf b/vars.tf
new file mode 100644
index 0000000..44e6bd7
--- /dev/null
+++ b/vars.tf
@@ -0,0 +1,124 @@
+variable "name" {
+ description = "The name of the libvirt domain (virtual machine) and related resources."
+ type = string
+}
+
+variable "description" {
+ description = "Description for the libvirt domain (virtual machine)."
+ type = string
+ default = ""
+}
+
+variable "vcpu" {
+ description = "Number of virtual CPUs to assign to the domain."
+ type = number
+ default = 1
+}
+
+variable "memory" {
+ description = "Amount of memory (in MB) to assign to the domain."
+ type = number
+ default = 2048
+}
+
+variable "storage_pool" {
+ description = "Name of the libvirt storage pool where volumes will be created."
+ type = string
+ default = "default"
+}
+
+variable "boot_image_url" {
+ description = "URL for the base QCOW2 image used as the boot disk."
+ type = string
+ default = "https://download.fedoraproject.org/pub/fedora/linux/releases/42/Cloud/x86_64/images/Fedora-Cloud-Base-Generic-42-1.1.x86_64.qcow2"
+}
+
+variable "extra_volumes" {
+ description = <