Create an image and configure access to it in another project via Terraform

We recommend creating resources in order. If you create all resources at once, Terraform will account for dependencies between resources that you specified in the configuration file. If dependencies are not specified, resources will be created in parallel, which may lead to errors. For instance, a resource required for creating another resource might not have been created yet.

Configure providers for the source project.
Create an image.
Configure access to the image in another project.
Configure providers for the target project.
Accept the image in the target project.

Configuration files

Example file for configuring providers

terraform {
  required_providers {
    selectel  = {
      source  = "selectel/selectel"
      version = "~> 6.0"
    }
    openstack = {
      source  = "terraform-provider-openstack/openstack"
      version = "2.1.0"
    }
  }
}

provider "selectel" {
  domain_name = "123456"
  username    = "user"
  password    = "password"
  auth_region = "ru-9"
  auth_url    = "https://cloud.api.selcloud.ru/identity/v3/"
}

resource "selectel_vpc_project_v2" "project_1" {
  name = "project"
}

resource "selectel_iam_serviceuser_v1" "serviceuser_1" {
  name         = "username"
  password     = "password"
  role {
    role_name  = "member"
    scope      = "project"
    project_id = selectel_vpc_project_v2.project_1.id 
  }
}

provider "openstack" {
  auth_url    = "https://cloud.api.selcloud.ru/identity/v3"
  domain_name = "123456"
  tenant_id   = selectel_vpc_project_v2.project_1.id
  user_name   = selectel_iam_serviceuser_v1.serviceuser_1.name
  password    = selectel_iam_serviceuser_v1.serviceuser_1.password
  region      = "ru-9"
}

Example file for creating an image and configuring access to the image for other projects

resource "openstack_images_image_v2" "image_1" {
    name             = "Debian 12.10"
    container_format = "bare"
    disk_format      = "qcow2"
    visibility       = "shared"

    properties = {
        key = "value"
    }
}

resource "openstack_images_image_access_v2" "member_1" {
    image_id  = openstack_images_image_v2.image_1.id
    member_id = "bed6b6cbb86a4e2d8dc2735c2f1000e4"
}

Example file for accepting an image in the target project

data "openstack_images_image_v2" "image_1" {
    name          = "Debian 12.10"
    visibility    = "shared"
    member_status = "all"
}

resource "openstack_images_image_access_accept_v2" "member_1" {
    image_id = data.openstack_images_image_v2.image_1.id
    status   = "accepted"
}

1. Configure providers for the source project

If you have configured Selectel and OpenStack providers, skip this step.

Make sure that in the control panel you have created a service user with the member role in the Account access scope and iam.admin.
Create a directory to store configuration files and a separate file with the .tf extension to configure providers.
Add the Selectel and OpenStack providers to the file for provider configuration:
```
terraform {
  required_providers {
    selectel  = {
      source  = "selectel/selectel"
      version = "~> 7.1.0"
    }
    openstack = {
      source  = "terraform-provider-openstack/openstack"
      version = "2.1.0"
    }
  }
}
```
Here version is the provider version. The current version can be found in the Selectel documentation (in Terraform Registry and GitHub) and OpenStack (in Terraform Registry and GitHub).

For more information about products, services, and features that can be managed using providers, see the Selectel and OpenStack Providers guide.
Initialize the Selectel provider:
```
provider "selectel" {
  domain_name = "123456"
  username    = "user"
  password    = "password"
  auth_region = "ru-9"
  auth_url    = "https://cloud.api.selcloud.ru/identity/v3/"
}
```
Where:
- domain_name — Selectel account number. You can find it in the control panel in the top-right corner;
- username — name of the service user with the member role in the Account access scope and iam.admin. You can view it in the control panel: in the top menu, click IAM → Service Users section (the section is only available to the Account Owner and a user with the iam.admin role);
- password — service user password. You can view it when creating the user or change it to a new one;
- auth_region — pool for authorization, for example, ru-9. You can create resources in other pools. A list of available pools can be found in the Availability Matrix guide.
Create a project:
```
resource "selectel_vpc_project_v2" "project_1" {
  name = "project"
}
```
See a detailed description of the selectel_vpc_project_v2 resource.
Create a service user to access the project and assign them the member role in the Project access scope:
```
resource "selectel_iam_serviceuser_v1" "serviceuser_1" {
  name         = "username"
  password     = "password"
  role {
    role_name  = "member"
    scope      = "project"
    project_id = selectel_vpc_project_v2.project_1.id
  }
}
```
Where:
- username — username;
- password — user password. The password must be at least 20 characters long and include at least:
  - one uppercase and one lowercase Latin letter (A-Z, a-z);
  - one digit (0-9);
  - one special character from the ASCII Printable 7-Bit Special Characters list:
    !"#$%&'()*+,-./:;<=>?@[]^_{|}~;
- project_id — project ID. You can find it in the control panel: in the top menu, click Products and select Cloud Servers → open the projects menu → in the row of the target project, click .
See a detailed description of the selectel_iam_serviceuser_v1 resource.

Initialize the OpenStack provider:

provider "openstack" {
  auth_url    = "https://cloud.api.selcloud.ru/identity/v3"
  domain_name = "123456"
  tenant_id   = selectel_vpc_project_v2.project_1.id
  user_name   = selectel_iam_serviceuser_v1.serviceuser_1.name
  password    = selectel_iam_serviceuser_v1.serviceuser_1.password
  region      = "ru-9"
}

Where:

domain_name — Selectel account number. You can find it in the control panel in the top-right corner;
region — pool, for example, ru-9. All resources will be created in this pool. A list of available pools can be found in the Availability Matrix guide.

If you are creating resources while configuring providers, add the depends_on argument for OpenStack resources. For example, for the openstack_networking_network_v2 resource:

resource "openstack_networking_network_v2" "network_1" {
  name           = "private-network"
  admin_state_up = "true"

  depends_on = [
    selectel_vpc_project_v2.project_1,
    selectel_iam_serviceuser_v1.serviceuser_1
  ]
}

Optional: if you want to use a mirror, create a separate Terraform CLI configuration file and add the following block to it:
```
provider_installation {
  network_mirror {
    url = "https://tf-proxy.selectel.ru/mirror/v1/"
    include = ["registry.terraform.io/*/*"]
  }
  direct {
    exclude = ["registry.terraform.io/*/*"]
  }
}
```
Read more about mirror settings in the CLI Configuration File guide in the HashiCorp documentation.
Open the CLI.
Initialize the Terraform configuration in the directory:
```
terraform init
```
Verify that the configuration files are syntactically correct:
```
terraform validate
```
Format the configuration files:
```
terraform fmt
```
Check which resources will be created:
```
terraform plan
```
Apply the changes and create the resources:
```
terraform apply
```
Confirm creation — enter yes and press Enter. The created resources will appear in the control panel.
If quotas were insufficient to create the resources, increase the quotas.

2. Create an image

resource "openstack_images_image_v2" "image_1" {
    name             = "Debian 12.10"
    container_format = "bare"
    disk_format      = "qcow2"
    visibility       = "shared"

    properties = {
        key = "value"
    }
}

Where:

container_format — container format. Available values are ami, ari, aki, bare, ovf;
disk_format — image disk format. Available values are ami, ari, aki, vhd, vmdk, raw, qcow2, vdi, iso;
visibility = "shared" — the image can be added to other projects.

See the detailed description of the openstack_images_image_v2 resource.

3. Configure access to the image in the source project

resource "openstack_images_image_access_v2" "member_1" {
    image_id  = openstack_images_image_v2.image_1.id
    member_id = "bed6b6cbb86a4e2d8dc2735c2f1000e4"
}

Here member_id — the target project ID. You can view it in the control panel: from the top menu, click Products → Cloud Servers → open the project menu → in the row of the required project, click .

See the detailed description of the openstack_images_image_access_v2 resource.

4. Configure providers for the target project

Create a separate configuration file and configure providers under the account and project for which you configured access to the image.

Make sure that in the control panel you have created a service user with the member role in the Account access scope and iam.admin.
Create a directory to store configuration files and a separate file with the .tf extension to configure providers.
Add the Selectel and OpenStack providers to the file for provider configuration:
```
terraform {
  required_providers {
    selectel  = {
      source  = "selectel/selectel"
      version = "~> 7.1.0"
    }
    openstack = {
      source  = "terraform-provider-openstack/openstack"
      version = "2.1.0"
    }
  }
}
```
Here version is the provider version. The current version can be found in the Selectel documentation (in Terraform Registry and GitHub) and OpenStack (in Terraform Registry and GitHub).

For more information about products, services, and features that can be managed using providers, see the Selectel and OpenStack Providers guide.
Initialize the Selectel provider:
```
provider "selectel" {
  domain_name = "123456"
  username    = "user"
  password    = "password"
  auth_region = "ru-9"
  auth_url    = "https://cloud.api.selcloud.ru/identity/v3/"
}
```
Where:
- domain_name — Selectel account number. You can find it in the control panel in the top-right corner;
- username — name of the service user with the member role in the Account access scope and iam.admin. You can view it in the control panel: in the top menu, click IAM → Service Users section (the section is only available to the Account Owner and a user with the iam.admin role);
- password — service user password. You can view it when creating the user or change it to a new one;
- auth_region — pool for authorization, for example, ru-9. You can create resources in other pools. A list of available pools can be found in the Availability Matrix guide.
Create a project:
```
resource "selectel_vpc_project_v2" "project_1" {
  name = "project"
}
```
See a detailed description of the selectel_vpc_project_v2 resource.
Create a service user to access the project and assign them the member role in the Project access scope:
```
resource "selectel_iam_serviceuser_v1" "serviceuser_1" {
  name         = "username"
  password     = "password"
  role {
    role_name  = "member"
    scope      = "project"
    project_id = selectel_vpc_project_v2.project_1.id
  }
}
```
Where:
- username — username;
- password — user password. The password must be at least 20 characters long and include at least:
  - one uppercase and one lowercase Latin letter (A-Z, a-z);
  - one digit (0-9);
  - one special character from the ASCII Printable 7-Bit Special Characters list:
    !"#$%&'()*+,-./:;<=>?@[]^_{|}~;
- project_id — project ID. You can find it in the control panel: in the top menu, click Products and select Cloud Servers → open the projects menu → in the row of the target project, click .
See a detailed description of the selectel_iam_serviceuser_v1 resource.

Initialize the OpenStack provider:

provider "openstack" {
  auth_url    = "https://cloud.api.selcloud.ru/identity/v3"
  domain_name = "123456"
  tenant_id   = selectel_vpc_project_v2.project_1.id
  user_name   = selectel_iam_serviceuser_v1.serviceuser_1.name
  password    = selectel_iam_serviceuser_v1.serviceuser_1.password
  region      = "ru-9"
}

Where:

domain_name — Selectel account number. You can find it in the control panel in the top-right corner;
region — pool, for example, ru-9. All resources will be created in this pool. A list of available pools can be found in the Availability Matrix guide.

If you are creating resources while configuring providers, add the depends_on argument for OpenStack resources. For example, for the openstack_networking_network_v2 resource:

resource "openstack_networking_network_v2" "network_1" {
  name           = "private-network"
  admin_state_up = "true"

  depends_on = [
    selectel_vpc_project_v2.project_1,
    selectel_iam_serviceuser_v1.serviceuser_1
  ]
}

Optional: if you want to use a mirror, create a separate Terraform CLI configuration file and add the following block to it:
```
provider_installation {
  network_mirror {
    url = "https://tf-proxy.selectel.ru/mirror/v1/"
    include = ["registry.terraform.io/*/*"]
  }
  direct {
    exclude = ["registry.terraform.io/*/*"]
  }
}
```
Read more about mirror settings in the CLI Configuration File guide in the HashiCorp documentation.
Open the CLI.
Initialize the Terraform configuration in the directory:
```
terraform init
```
Verify that the configuration files are syntactically correct:
```
terraform validate
```
Format the configuration files:
```
terraform fmt
```
Check which resources will be created:
```
terraform plan
```
Apply the changes and create the resources:
```
terraform apply
```
Confirm creation — enter yes and press Enter. The created resources will appear in the control panel.
If quotas were insufficient to create the resources, increase the quotas.

5. Accept the image in the target project

data "openstack_images_image_v2" "image_1" {
    name          = "Debian 12.10"
    visibility    = "shared"
    member_status = "all"
}

resource "openstack_images_image_access_accept_v2" "member_1" {
    image_id = data.openstack_images_image_v2.image_1.id
    status   = "accepted"
}

Here status = "accepted" — the image will be accepted in the target project.

See the detailed description of the openstack_images_image_access_accept_v2 resource.