Create a cloud server, Managed Kubernetes cluster, and Managed Database cluster in a private subnet using Terraform

Last update: June 04 2026

This is an example of creating infrastructure that consists of:

• from a private subnet 192.168.199.0/24;
• a cloud server of custom configuration with a bootable network volume and an additional network volume;
• a fault-tolerant Managed Kubernetes cluster with nodes of custom configuration;
• a MySQL semi-sync cluster of custom configuration.

We recommend creating resources in order. If you create all resources at once, Terraform will account for dependencies between resources that you specified in the configuration file. If dependencies are not specified, resources will be created in parallel, which may lead to errors. For instance, a resource required for creating another resource might not have been created yet.

1. Optional: configure the providers.

2. Add a public SSH key.

3. Create a private network and subnet.

4. Create a cloud router connected to the internet.

5. Create a cloud server.

6. Create a Managed Kubernetes cluster.

7. Create a Managed Database cluster.

Configuration files

Example file for configuring providers

terraform {
  required_providers {
    selectel  = {
      source  = "selectel/selectel"
      version = "~> 6.0"
    }
    openstack = {
      source  = "terraform-provider-openstack/openstack"
      version = "2.1.0"
    }
  }
}

provider "selectel" {
  domain_name = "123456"
  username    = "user"
  password    = "password"
  auth_region = "ru-9"
  auth_url    = "https://cloud.api.selcloud.ru/identity/v3/"
}

resource "selectel_vpc_project_v2" "project_1" {
  name = "project"
}

resource "selectel_iam_serviceuser_v1" "serviceuser_1" {
  name         = "username"
  password     = "password"
  role {
    role_name  = "member"
    scope      = "project"
    project_id = selectel_vpc_project_v2.project_1.id 
  }
}

provider "openstack" {
  auth_url    = "https://cloud.api.selcloud.ru/identity/v3"
  domain_name = "123456"
  tenant_id   = selectel_vpc_project_v2.project_1.id
  user_name   = selectel_iam_serviceuser_v1.serviceuser_1.name
  password    = selectel_iam_serviceuser_v1.serviceuser_1.password
  region      = "ru-9"
}

Example file for creating a cloud server of custom configuration with a bootable network volume and an additional network volume

resource "selectel_vpc_keypair_v2" "keypair_1" {
  name       = "keypair"
  public_key = file("~/.ssh/id_rsa.pub")
  user_id    = selectel_iam_serviceuser_v1.serviceuser_1.id
}

resource "openstack_compute_flavor_v2" "flavor_1" {
  name      = "custom-flavor-with-network-volume"
  vcpus     = 2
  ram       = 2048
  disk      = 0
  is_public = false

  lifecycle {
    create_before_destroy = true
  }

}

resource "openstack_networking_network_v2" "network_1" {
  name           = "private-network"
  admin_state_up = "true"
}

resource "openstack_networking_subnet_v2" "subnet_1" {
  network_id = openstack_networking_network_v2.network_1.id
  cidr       = "192.168.199.0/24"
}

data "openstack_networking_network_v2" "external_network_1" {
  external = true
}

resource "openstack_networking_router_v2" "router_1" {
  name                = "router"
  external_network_id = data.openstack_networking_network_v2.external_network_1.id
}

resource "openstack_networking_router_interface_v2" "router_interface_1" {
  router_id = openstack_networking_router_v2.router_1.id
  subnet_id = openstack_networking_subnet_v2.subnet_1.id
}

resource "openstack_networking_port_v2" "port_1" {
  name       = "port"
  network_id = openstack_networking_network_v2.network_1.id

  fixed_ip {
    subnet_id = openstack_networking_subnet_v2.subnet_1.id
  }
}

data "openstack_images_image_v2" "image_1" {
  name        = "Ubuntu 20.04 LTS 64-bit"
  most_recent = true
  visibility  = "public"
}

resource "openstack_blockstorage_volume_v3" "volume_1" {
  name                 = "boot-volume-for-server"
  size                 = "5"
  image_id             = data.openstack_images_image_v2.image_1.id
  volume_type          = "fast.ru-9a"
  availability_zone    = "ru-9a"
  enable_online_resize = true

  lifecycle {
    ignore_changes = [image_id]
  }

}

resource "openstack_blockstorage_volume_v3" "volume_2" {
  name                 = "additional-volume-for-server"
  size                 = "7"
  volume_type          = "universal.ru-9a"
  availability_zone    = "ru-9a"
  enable_online_resize = true
}

resource "openstack_compute_instance_v2" "server_1" {
  name              = "server"
  flavor_id         = openstack_compute_flavor_v2.flavor_1.id
  key_pair          = selectel_vpc_keypair_v2.keypair_1.name
  availability_zone = "ru-9a"

  network {
    port = openstack_networking_port_v2.port_1.id
  }

  lifecycle {
    ignore_changes = [image_id]
  }

  block_device {
    uuid             = openstack_blockstorage_volume_v3.volume_1.id
    source_type      = "volume"
    destination_type = "volume"
    boot_index       = 0
  }

  block_device {
    uuid             = openstack_blockstorage_volume_v3.volume_2.id
    source_type      = "volume"
    destination_type = "volume"
    boot_index       = -1
  }

  vendor_options {
    ignore_resize_confirmation = true
  }
}

resource "openstack_networking_floatingip_v2" "floatingip_1" {
  pool = "external-network"
}

resource "openstack_networking_floatingip_associate_v2" "association_1" {
  port_id     = openstack_networking_port_v2.port_1.id
  floating_ip = openstack_networking_floatingip_v2.floatingip_1.address
}

output "public_ip_address" {
  value = openstack_networking_floatingip_v2.floatingip_1.fixed_ip
}

Example file for creating a fault-tolerant Managed Kubernetes cluster with nodes of custom configuration

resource "openstack_networking_network_v2" "network_1" {
  name           = "private-network"
  admin_state_up = "true"
}

resource "openstack_networking_subnet_v2" "subnet_1" {
  name       = "private-subnet"
  network_id = openstack_networking_network_v2.network_1.id
  cidr       = "192.168.199.0/24"
}

data "openstack_networking_network_v2" "external_network_1" {
  external = true
}

resource "openstack_networking_router_v2" "router_1" {
  name                = "router"
  external_network_id = data.openstack_networking_network_v2.external_network_1.id
}

resource "openstack_networking_router_interface_v2" "router_interface_1" {
  router_id = openstack_networking_router_v2.router_1.id
  subnet_id = openstack_networking_subnet_v2.subnet_1.id
}

data "selectel_mks_kube_versions_v1" "versions" {
  project_id = selectel_vpc_project_v2.project_1.id
  region     = "ru-9"
}

resource "selectel_mks_cluster_v1" "cluster_1" {
  name                     = "high_availability_cluster"
  project_id               = selectel_vpc_project_v2.project_1.id
  region                   = "ru-9"
  kube_version             = data.selectel_mks_kube_versions_v1.versions.latest_version
  network_id               = openstack_networking_network_v2.network_1.id
  subnet_id                = openstack_networking_subnet_v2.subnet_1.id
  maintenance_window_start = "00:00:00"
}

resource "selectel_mks_nodegroup_v1" "nodegroup_1" {
  cluster_id                   = selectel_mks_cluster_v1.cluster_1.id
  project_id                   = selectel_mks_cluster_v1.cluster_1.project_id
  region                       = selectel_mks_cluster_v1.cluster_1.region
  availability_zone            = "ru-9a"
  nodes_count                  = "2"
  cpus                         = 2
  ram_mb                       = 4096
  volume_gb                    = 32
  volume_type                  = "fast.ru-9a"
  install_nvidia_device_plugin = false
  labels                       = {
    "label-key0": "label-value0",
    "label-key1": "label-value1",
    "label-key2": "label-value2",
  }
}

Example file for creating a MySQL semi-sync cluster of custom configuration

resource "openstack_networking_network_v2" "network_1" {
  name           = "private-network"
  admin_state_up = "true"
}

resource "openstack_networking_subnet_v2" "subnet_1" {
  network_id = openstack_networking_network_v2.network_1.id
  cidr       = "192.168.199.0/24"
}

data "selectel_dbaas_datastore_type_v1" "datastore_type_1" {
  project_id = selectel_vpc_project_v2.project_1.id
  region     = "ru-9"
  filter {
    engine  = "mysql_native"
    version = "8"
  }
}

resource "selectel_dbaas_mysql_datastore_v1" "datastore_1" {
  name       = "datastore-1"
  project_id = selectel_vpc_project_v2.project_1.id
  region     = "ru-9"
  type_id    = data.selectel_dbaas_datastore_type_v1.datastore_type_1.datastore_types[0].id
  subnet_id  = openstack_networking_subnet_v2.subnet_1.id
  node_count = 3
  flavor {
    vcpus = 1
    ram   = 4096
    disk  = 32
  }
}

resource "selectel_dbaas_user_v1" "user_1" {
  project_id   = selectel_vpc_project_v2.project_1.id
  region       = "ru-9"
  datastore_id = selectel_dbaas_mysql_datastore_v1.datastore_1.id
  name         = "user"
  password     = "secret"
}

resource "selectel_dbaas_mysql_database_v1" "database_1" {
  project_id   = selectel_vpc_project_v2.project_1.id
  region       = "ru-9"
  datastore_id = selectel_dbaas_mysql_datastore_v1.datastore_1.id
  name         = "database_1"
}

resource "selectel_dbaas_grant_v1" "grant_1" {
  project_id   = selectel_vpc_project_v2.project_1.id
  region       = "ru-9"
  datastore_id = selectel_dbaas_mysql_datastore_v1.datastore_1.id
  database_id  = selectel_dbaas_mysql_database_v1.database_1.id
  user_id      = selectel_dbaas_user_v1.user_1.id
}

1. Optional: configure providers

If you have configured the Selectel and OpenStack providers, skip this step.

1. Make sure that in the control panel you have created a service user with the member role in the Account access scope and iam.admin.

2. Create a directory to store configuration files and a separate file with the .tf extension to configure providers.

3. Add the Selectel and OpenStack providers to the file for provider configuration:

   terraform {
     required_providers {
       selectel  = {
         source  = "selectel/selectel"
         version = "~> 7.1.0"
       }
       openstack = {
         source  = "terraform-provider-openstack/openstack"
         version = "2.1.0"
       }
     }
   }

   Here version is the provider version. The current version can be found in the Selectel documentation (in Terraform Registry and GitHub) and OpenStack (in Terraform Registry and GitHub).

   For more information about products, services, and features that can be managed using providers, see the Selectel and OpenStack Providers guide.

4. Initialize the Selectel provider:

   provider "selectel" {
     domain_name = "123456"
     username    = "user"
     password    = "password"
     auth_region = "ru-9"
     auth_url    = "https://cloud.api.selcloud.ru/identity/v3/"
   }

   Where:

   • domain_name — Selectel account number. You can find it in the control panel in the top-right corner;
   • username — name of the service user with the member role in the Account access scope and iam.admin. You can view it in the control panel: in the top menu, click IAM → Service Users section (the section is only available to the Account Owner and a user with the iam.admin role);
   • password — service user password. You can view it when creating the user or change it to a new one;
   • auth_region — pool for authorization, for example, ru-9. You can create resources in other pools. A list of available pools can be found in the Availability Matrix guide.

5. Create a project:

   resource "selectel_vpc_project_v2" "project_1" {
     name = "project"
   }

   See a detailed description of the selectel_vpc_project_v2 resource.

6. Create a service user to access the project and assign them the member role in the Project access scope:

   resource "selectel_iam_serviceuser_v1" "serviceuser_1" {
     name         = "username"
     password     = "password"
     role {
       role_name  = "member"
       scope      = "project"
       project_id = selectel_vpc_project_v2.project_1.id
     }
   }

   Where:

   • username — username;

   • password — user password. The password must be at least 20 characters long and include at least:

     • one uppercase and one lowercase Latin letter (A-Z, a-z);
     • one digit (0-9);
     • one special character from the ASCII Printable 7-Bit Special Characters list:
       !"#$%&'()*+,-./:;<=>?@[]^_{|}~;

   • project_id — project ID. You can find it in the control panel: in the top menu, click Products and select Cloud Servers → open the projects menu → in the row of the target project, click .

   See a detailed description of the selectel_iam_serviceuser_v1 resource.

7. Initialize the OpenStack provider:

   provider "openstack" {
     auth_url    = "https://cloud.api.selcloud.ru/identity/v3"
     domain_name = "123456"
     tenant_id   = selectel_vpc_project_v2.project_1.id
     user_name   = selectel_iam_serviceuser_v1.serviceuser_1.name
     password    = selectel_iam_serviceuser_v1.serviceuser_1.password
     region      = "ru-9"
   }

   Where:

   • domain_name — Selectel account number. You can find it in the control panel in the top-right corner;
   • region — pool, for example, ru-9. All resources will be created in this pool. A list of available pools can be found in the Availability Matrix guide.

8. If you are creating resources while configuring providers, add the depends_on argument for OpenStack resources. For example, for the openstack_networking_network_v2 resource:

   resource "openstack_networking_network_v2" "network_1" {
     name           = "private-network"
     admin_state_up = "true"
   
     depends_on = [
       selectel_vpc_project_v2.project_1,
       selectel_iam_serviceuser_v1.serviceuser_1
     ]
   }

9. Optional: if you want to use a mirror, create a separate Terraform CLI configuration file and add the following block to it:

   provider_installation {
     network_mirror {
       url = "https://tf-proxy.selectel.ru/mirror/v1/"
       include = ["registry.terraform.io/*/*"]
     }
     direct {
       exclude = ["registry.terraform.io/*/*"]
     }
   }

   Read more about mirror settings in the CLI Configuration File guide in the HashiCorp documentation.

10. Open the CLI.

11. Initialize the Terraform configuration in the directory:

    terraform init

12. Verify that the configuration files are syntactically correct:

    terraform validate

13. Format the configuration files:

    terraform fmt

14. Check which resources will be created:

    terraform plan

15. Apply the changes and create the resources:

    terraform apply

16. Confirm creation — enter yes and press Enter. The created resources will appear in the control panel.

17. If quotas were insufficient to create the resources, increase the quotas.

2. Add a public SSH key

resource "selectel_vpc_keypair_v2" "keypair_1" {
  name       = "keypair"
  public_key = file("~/.ssh/id_rsa.pub")
  user_id    = selectel_iam_serviceuser_v1.serviceuser_1.id
}

Here public_key is the path to the public SSH key. If SSH keys are not generated, create them.

See the detailed description of the selectel_vpc_keypair_v2 resource.

3. Create a private network and subnet

resource "openstack_networking_network_v2" "network_1" {
  name           = "private-network"
  admin_state_up = "true"
}

resource "openstack_networking_subnet_v2" "subnet_1" {
  name       = "private-subnet"
  network_id = openstack_networking_network_v2.network_1.id
  cidr       = "192.168.199.0/24"
}

Here cidr is the private subnet CIDR, for example 192.168.199.0/24.

See the detailed resource description:

• openstack_networking_network_v2;
• openstack_networking_subnet_v2.

4. Create a cloud router connected to the internet

A cloud router connected to the internet performs 1:1 NAT for traffic from a private network to the internet via the router's public IP address.

data "openstack_networking_network_v2" "external_network_1" {
  external = true
}

resource "openstack_networking_router_v2" "router_1" {
  name                = "router"
  external_network_id = data.openstack_networking_network_v2.external_network_1.id
}

resource "openstack_networking_router_interface_v2" "router_interface_1" {
  router_id = openstack_networking_router_v2.router_1.id
  subnet_id = openstack_networking_subnet_v2.subnet_1.id
}

See the detailed resource description:

• openstack_networking_network_v2;
• openstack_networking_router_v2;
• openstack_networking_router_interface_v2.

5. Create a cloud server

1. Create a port for the cloud server.

2. Get an image.

3. Create a boot volume.

4. Create a server.

5. Create a public IP address.

6. Assign an association between the public and private IP address of the cloud server.

1. Create a port for the cloud server

resource "openstack_networking_port_v2" "port_1" {
  name       = "port"
  network_id = openstack_networking_network_v2.network_1.id

  fixed_ip {
    subnet_id = openstack_networking_subnet_v2.subnet_1.id
  }
}

See the detailed description of the openstack_networking_port_v2 resource.

2. Get an image

data "openstack_images_image_v2" "image_1" {
  name        = "Ubuntu 20.04 LTS 64-bit"
  most_recent = true
  visibility  = "public"
}

See the detailed description of the openstack_images_image_v2 data source.

3. Create a bootable network volume

resource "openstack_blockstorage_volume_v3" "volume_1" {
  name                 = "boot-volume-for-server"
  size                 = "5"
  image_id             = data.openstack_images_image_v2.image_1.id
  volume_type          = "fast.ru-9a"
  availability_zone    = "ru-9a"
  enable_online_resize = true

  lifecycle {
    ignore_changes = [image_id]
  }

}

Here:

• size — network volume size in GB. Observe the network volume limits for the maximum size;
• volume_type — ID or name of the network volume type. For example, fast.ru-9a — name for creating a network volume with the Fast SSD type in the pool segment ru-9a. The list of types can be viewed in the table List of network volume types in all pool segments;
• availability_zone — pool segment, in which the network volume will be created, for example, ru-9a. The list of available pool segments can be viewed in the Availability Matrix.

See the detailed resource description in openstack_blockstorage_volume_v3.

4. Create a cloud server

resource "openstack_compute_instance_v2" "server_1" {
  name              = "server"
  flavor_id         = "1015"
  key_pair          = selectel_vpc_keypair_v2.keypair_1.name
  availability_zone = "ru-9a"

  network {
    port = openstack_networking_port_v2.port_1.id
  }

  lifecycle {
    ignore_changes = [image_id]
  }

  block_device {
    uuid             = openstack_blockstorage_volume_v3.volume_1.id
    source_type      = "volume"
    destination_type = "volume"
    boot_index       = 0
  }

  vendor_options {
    ignore_resize_confirmation = true
  }
}

Where:

• availability_zone — pool segment in which the cloud server will be created, for example ru-9a. The list of available pool segments can be viewed in the Availability Matrix;
• flavor_id — flavor ID. Flavors correspond to cloud server configurations and define the number of vCPUs, RAM, and the size of the local disk (optional) for the server. You can use fixed-configuration flavors. For example, 1015 is the ID for creating a server with a Standard line fixed configuration with 4 vCPUs and 16 GB of RAM in the ru-9 pool. A list of flavors is available in the table List of fixed-configuration flavors in all pools.

See the detailed description of the openstack_compute_instance_v2 resource.

5. Create a public IP address

resource "openstack_networking_floatingip_v2" "floatingip_1" {
  pool = "external-network"
}

See the detailed description of the openstack_networking_floatingip_v2 resource.

6. Assign an association between the public and private IP address of the cloud server

The public IP address will be connected to the cloud server port and associated with the private IP.

resource "openstack_networking_floatingip_associate_v2" "association_1" {
  port_id     = openstack_networking_port_v2.port_1.id
  floating_ip = openstack_networking_floatingip_v2.floatingip_1.address
}

See the detailed description of the openstack_networking_floatingip_associate_v2 resource.

6. Create a Managed Kubernetes cluster

1. Create a fault-tolerant cluster.

2. Create a node group of custom configuration with a network volume.

1. Create a fault-tolerant cluster

data "selectel_mks_kube_versions_v1" "versions" {
  project_id = selectel_vpc_project_v2.project_1.id
  region     = "ru-9"
}

resource "selectel_mks_cluster_v1" "cluster_1" {
  name                     = "high_availability_cluster"
  project_id               = selectel_vpc_project_v2.project_1.id
  region                   = "ru-9"
  kube_version             = data.selectel_mks_kube_versions_v1.versions.latest_version
  network_id               = openstack_networking_network_v2.network_1.id
  subnet_id                = openstack_networking_subnet_v2.subnet_1.id
  maintenance_window_start = "00:00:00"
}

Where region is a pool in which the cluster will be created, for example ru-9.

See the detailed description of the selectel_mks_cluster_v1 resource.

2. Create a node group of custom configuration with a network volume

  resource "selectel_mks_nodegroup_v1" "nodegroup_1" {
    cluster_id                   = selectel_mks_cluster_v1.cluster_1.id
    project_id                   = selectel_mks_cluster_v1.cluster_1.project_id
    region                       = selectel_mks_cluster_v1.cluster_1.region
    availability_zone            = "ru-9a"
    nodes_count                  = "2"
    cpus                         = 2
    ram_mb                       = 4096
    volume_gb                    = 32
    volume_type                  = "fast.ru-9a"
    install_nvidia_device_plugin = false
    labels                       = {
      "label-key0": "label-value0",
      "label-key1": "label-value1",
      "label-key2": "label-value2",
    }
  }

Where:

• availability_zone is a pool segment where the node group will be located, for example ru-9a;

• nodes_count — the number of worker nodes in the node group. The maximum number of nodes is 15;

• cpus — the number of vCPUs for each node;

• ram_mb — the amount of RAM for each node in MB;

• volume_gb — the disk size in GB;

• volume_type — the disk type in the <type>.<pool_segment> format, for example basic.ru-9a:

  • <type> — basic, universal or fast;
  • <pool_segment> — a pool segment in which the network volume will be created, for example ru-9a;

• install_nvidia_device_plugin — confirms or cancels the installation of GPU drivers and NVIDIA® Device Plugin:

  • true — for GPU flavors, it confirms the installation of GPU drivers and NVIDIA® Device Plugin;
  • false — for GPU and non-GPU flavors, it cancels the installation of GPU drivers and NVIDIA® Device Plugin. You can manually install drivers for GPU node groups.

See the detailed description of the selectel_mks_nodegroup_v1 resource.

7. Create a Managed Database cluster

1. Create a MySQL semi-sync cluster.

2. Create a user.

3. Create a database.

4. Grant the user access to the database.

1. Create a MySQL semi-sync cluster of custom configuration

  data "selectel_dbaas_datastore_type_v1" "datastore_type_1" {
    project_id = selectel_vpc_project_v2.project_1.id
    region     = "ru-9"
    filter {
      engine  = "mysql_native"
      version = "8"
    }
  }

  resource "selectel_dbaas_mysql_datastore_v1" "datastore_1" {
    name       = "datastore-1"
    project_id = selectel_vpc_project_v2.project_1.id
    region     = "ru-9"
    type_id    = data.selectel_dbaas_datastore_type_v1.datastore_type_1.datastore_types[0].id
    subnet_id  = openstack_networking_subnet_v2.subnet_1.id
    node_count = 3
    flavor {
      vcpus = 1
      ram   = 4096
      disk  = 32
    }
  }

Where:

• region — a pool, for example ru-9. The list of available pools can be found in the Availability Matrix instructions;
• filter — a filter for Managed Database types:
  • engine — a Managed Database type. For a MySQL semi-sync cluster, specify mysql_native;
  • version — a Managed Database version. The list of available versions can be found in the Versions and configurations instructions;
• nodes_count — the number of nodes. The maximum number of nodes is 6;
• flavor — a custom cluster configuration. The available values of custom configurations can be found in the Versions and configurations instructions:
  • vcpus — the number of vCPUs;
  • ram — the amount of RAM in MB;
  • disk — the disk size in GB.

See the detailed description of data sources and resources:

• selectel_dbaas_datastore_type_v1;
• selectel_dbaas_flavor_v1;
• selectel_dbaas_mysql_datastore_v1.

2. Create a user

resource "selectel_dbaas_user_v1" "user_1" {
  project_id   = selectel_vpc_project_v2.project_1.id
  region       = "ru-9"
  datastore_id = selectel_dbaas_mysql_datastore_v1.datastore_1.id
  name         = "user"
  password     = "secret"
}

Where:

• region — the pool in which the cluster is located;
• name — the user name;
• password — the user password.

See the detailed resource description at selectel_dbaas_user_v1.

3. Create a database

resource "selectel_dbaas_mysql_database_v1" "database_1" {
  project_id   = selectel_vpc_project_v2.project_1.id
  region       = "ru-9"
  datastore_id = selectel_dbaas_mysql_datastore_v1.datastore_1.id
  name         = "database_1"
}

Here region is the pool where the cluster is located.

See the detailed description of the selectel_dbaas_mysql_database_v1 resource.

4. Grant the user access to the database

resource "selectel_dbaas_grant_v1" "grant_1" {
  project_id   = selectel_vpc_project_v2.project_1.id
  region       = "ru-9"
  datastore_id = selectel_dbaas_mysql_datastore_v1.datastore_1.id
  database_id  = selectel_dbaas_mysql_database_v1.database_1.id
  user_id      = selectel_dbaas_user_v1.user_1.id
}

See a detailed description of the selectel_dbaas_grant_v1 resource.