
This module allows you to deploy a Talos OS-based vSphere virtual machine with a custom configuration.

Talos OS vSphere Virtual Machine Terraform Module

This module allows you to deploy a Talos OS-based vSphere virtual machine with a custom configuration. The configuration of the virtual machine fully corresponds to the configuration of Talos OS v1.0.x.


It is strongly not recommended to use this module separately, since creating groups of virtual machines does not make a full cycle of Terraform automation (you cannot continue working with the created cluster using Terraform). To create a cluster, use ilpozzd/vsphere-cluster/talos. This module is useful in some cases when using Terragrunt. See examples.



Name Version
terraform >= 1.1.9, < 2.0.0
hashicorp/vsphere 2.1.1

vSphere Version >= 6.7u3

Required Terraform Role permissions to user in vSphere


  • Allocate space
  • Browse datastore
  • Low level file operations
  • Remove file
  • Update virtual machine files
  • Update virtual machine metadata


  • Create folder
  • Delete folder
  • Move folder
  • Rename folder


  • Assign network


  • Assign virtual machine to resource pool
  • Migrate powered off virtual machine
  • Migrate powered on virtual machine

Profile-driven storage:

  • Profile-driven storage view


  • Import
  • View OVF environment
  • vApp application configuration
  • vApp instance configuration
  • vApp managedBy configuration
  • vApp resource configuration

Virtual machine:

  • Change Configuration
  • Edit Inventory
  • Guest Operations
  • Interaction
  • Provisioning

Required objects to apply roles

Object Role Defined in
vCenter Terraform Role This object
Datacenter Read-only Role This object
Datastore Cluster Terraform Role This object and it's children
Hosts Cluster Read-only Role This object
Hosts Terraform Role This object
DPG Terraform Role This object
Folder Terraform Role This object and it's children
Resource pool Terraform Role This object and it's children


Name Version
hashicorp/vsphere 2.1.1


Name Version
ilpozzd/vm-userdata/talos 1.0.0


Name Type
vsphere_virtual_machine.this resource


Name Description Type Default Required
datacenter VMware datacenter name. string - Yes
datastores VMWare datastore(s) where all data for the virtual machine will be placed in. list(string) - Yes
hosts ESXi host(s) where the virtual machine will be created. list(string) - Yes
resource_pool VMWare resource pool where the virtual machine will be created. string - Yes
folder Folder to create the virtual machine in. string - Yes
remote_ovf_url URL to the remote Talos OS 1.0.x ovf/ova file. string - Yes
vm_count Number of virtual machines. number 1 No
num_cpus The total number of virtual processor cores to assign to the virtual machine. number 2 No
memory The amount of RAM for the virtual machine, in Mb. number 2048 No
disks A specification list for a virtual disk devices on the virtual machine. Use only first disk to Talos installation in machine_base_configuration block list - Yes
network_interfaces A specification list for a virtual NIC on the virtual machine. list - Yes
create_init_node Whether to create an initialization node. If true, the first virtual machine will be the initialization node. bool false Yes
talos_base_configuration Talos OS top-level configuration. object object No
machine_secrets Secret data that is used to create trust relationships between virtual machines. object - Yes
talos_admin_pki Base64 encoded certificate (signed by machine_secrets.ca.crt and key (in ED25519) to provide access to virtual machine trought talosctl. object {} Yes
machine_base_configuration Basic configuration of the virtual machine. object - Yes
machine_extra_configuration Extended configuration of the virtual machine. object {} No
machine_type The role of the virtual machine in the Kubernetes cluster (controlplane or worker). string - Yes
machine_cert_sans A list of alternative names of for vm_count virtual machines. list(list(string)) [] No
machine_network General network configuration of the virtual machine. object {} No
machine_network_hostnames A list of hostnames for vm_count virtual machines (if not set will be generated automaticly). list(string) [] No
machine_network_interfaces A list of network interfaces for vm_count virtual machines (if not set DHCP will be used). list [] Yes/No
cluster_secrets Secret data that is used to establish trust relationships between Kubernetes cluster nodes. object - Yes
control_plane_cluster_secrets Secret data required to establish trust relationships between components used by Control Plane nodes in the Kubernetes cluster. Required if machine_type = controlplane. object {} Yes
cluster_name The name of the cluster. string - Yes
cluster_control_plane Data to define the API endpoint address for joining a node to the Kubernetes cluster. object - Yes/No
cluster_discovery Data that sets up the discovery of nodes in the Kubernetes cluster. object object No
control_plane_cluster_configuration Data that configure the components of the Control Plane nodes in the Kubernetes cluster. object {} No
cluster_inline_manifests A list of Kuberenetes manifests whose content is represented as a string. These will get automatically deployed as part of the bootstrap. list [] No
cluster_extra_manifests A list of URLs that point to additional manifests. These will get automatically deployed as part of the bootstrap. list(string) [] No
cluster_extra_manifest_headers A map of key value pairs that will be added while fetching the cluster_extra_manifests. map(string) {} No
vmtoolsd_extra_manifest A link to talos-vmtoolsd Kubernetes manifest. string Link No

Disks Input

  label            = string
  size             = number
  eagerly_scrub    = optional(bool)
  thin_provisioned = optional(bool)

Network Interfaces Input

  name = string
  • name - Distributed Port Group (DPG) name

Talos Base Configuration Input

  version = string
  persist = bool


  version = "v1alpha1"
  persist = false

See Config section in Talos Configuration Reference for detail description.

Machine Secrets Input

  token = string
  ca = object({
    crt = string
    key = string

See MachineConfig section in Talos Configuration Reference for detail description.

Talos Admin PKI Input

  crt = optional(string)
  key = optional(string)
  • crt - Base64 encoded certificate in PEM format
  • key - Base64 encoded key in PEM format

Required if machine_type = controlplane and create_init_node = true

Machine Base Configuration

  install = object({
    disk            = string
    extraKernelArgs = optional(list(string))
    image           = string
    bootloader      = bool
    wipe            = bool
    diskSelector = optional(object({
      size    = string
      model   = string
      busPath = string
    extensions = optional(list(string))
  kubelet = optional(object({
    image      = string
    extraArgs  = optional(map(string))
    clusterDNS = optional(list(string))
    extraMounts = optional(list(object({
      destination = string
      type        = string
      source      = string
      options     = list(string)
    extraConfig = optional(map(string))
    nodeIP = optional(object({
      validSubnets = list(string)
  time = optional(object({
    disabled    = optional(bool)
    servers     = optional(list(string))
    bootTimeout = optional(string)
  features = optional(object({
    rbac = optional(bool)

See MachineConfig section in Talos Configuration Reference for detail description.

Machine Extra Configuration Input

  controlPlane = optional(object({
    controllerManager = optional(object({
      disabled = bool
    scheduler = optional(object({
      disabled = bool
  pods = optional(list(map(any)))
  disks = optional(list(object({
    device = string
    partitions = list(object({
      mountpoint = string
      size       = string
  files = optional(list(object({
    content     = string
    permissions = string
    path        = string
    op          = string
  env = optional(object({
    GRPC_GO_LOG_VERBOSITY_LEVEL = optional(string)
    GRPC_GO_LOG_SEVERITY_LEVEL  = optional(string)
    http_proxy                  = optional(string)
    https_proxy                 = optional(string)
    no_proxy                    = optional(bool)
  sysctls = optional(map(string))
  sysfs   = optional(map(string))
  registries = optional(object({
    mirrors = optional(map(object({
      endpoints = list(string)
    config = optional(map(object({
      tls = object({
        insecureSkipVerify = bool
        clientIdentity = optional(object({
          crt = string
          key = string
        ca = optional(string)
      auth = optional(object({
        username      = optional(string)
        password      = optional(string)
        auth          = optional(string)
        identityToken = optional(string)
  systemDiskEncryption = optional(map(object({
    provider = string
    keys = optional(list(object({
      static = optional(object({
        passphrase = string
      nodeID = optional(map(string))
      slot   = optional(number)
    cipher    = optional(string)
    keySize   = optional(number)
    blockSize = optional(number)
    options   = optional(list(string))
  udev = optional(object({
    rules = list(string)
  logging = optional(object({
    destinations = list(object({
      endpoint = string
      format   = string
  kernel = optional(object({
    modules = list(object({
      name = string

See MachineConfig section in Talos Configuration Reference for detail description.

Machine Network Input

  nameservers = optional(list(string))
  extraHostEntries = optional(list(object({
    ip      = string
    aliases = list(string)
  kubespan = optional(object({
    enabled = bool

See NetworkConfig section in Talos Configuration Reference for detail description.

hostname and interfaces parameters are described in separate inputs.

Machine Network Interfaces Input

  interface = string
  addresses = optional(list(string))
  routes = optional(list(object({
    network = string
    gateway = optional(string)
    source  = optional(string)
    metric  = optional(number)
  vlans = optional(list(object({
    addresses = list(string)
    routes = optional(list(object({
      network = string
      gateway = optional(string)
      source  = optional(string)
      metric  = optional(number)
    dhcp   = optional(bool)
    vlanId = number
    mtu    = number
    vip = optional(object({
      ip = string
      equinixMetal = optional(object({
        apiToken = string
      hcloud = optional(object({
        apiToken = string
  mtu = optional(number)
  bond = optional(object({
    interfaces = list(string)
    mode       = string
    lacpRate   = string
  dhcp   = optional(bool)
  ignore = optional(bool)
  dummy  = optional(bool)
  dhcpOptions = optional(object({
    routeMetric = number
    ipv4        = optional(bool)
    ipv6        = optional(bool)
  wireguard = optional(object({
    privateKey   = string
    listenPort   = number
    firewallMark = number
    peers = list(object({
      publicKey                   = string
      endpoint                    = string
      persistentKeepaliveInterval = optional(string)
      allowedIPs                  = list(string)
  vip = optional(object({
    ip = string
    equinixMetal = optional(object({
      apiToken = string
    hcloud = optional(object({
      apiToken = string

See Device section in Talos Configuration Reference for detail description.

If machine_type = controlplane and create_init_node = true, not less than one element with one static IP address required.

Cluster Secrets Input

  id     = string
  secret = string
  token  = string
  ca = object({
    crt = string
    key = string

See ClusterConfig section in Talos Configuration Reference for detail description.

Control Plane Cluster Secrets Input

  aescbcEncryptionSecret = optional(string)
  aggregatorCA = optional(object({
    crt = optional(string)
    key = optional(string)
  serviceAccount = optional(object({
    key = optional(string)
  etcd = optional(object({
    ca = object({
      crt = optional(string)
      key = optional(string)

See ClusterConfig section in Talos Configuration Reference for detail description.

Required if machine_type = controlplane.

Cluster Control Plane Input

  endpoint           = optional(string)
  localAPIServerPort = optional(number)

See ControlPlaneConfig section in Talos Configuration Reference for detail description.

Required if (create_init_node = false or (create_init_node = true and vm_count > 1)).

Cluster Discovery Input

  enabled = bool
  registries = optional(object({
    kubernetes = optional(object({
      disabled = bool
    service = optional(object({
      disabled = bool
      endpoint = string


  enabled = true

See ClusterDiscoveryConfig section in Talos Configuration Reference for detail description.

Control Plane Cluster Configuration Input

  network = optional(object({
    cni = optional(object({
      name = string
      urls = optional(list(string))
    dnsDomain      = optional(string)
    podSubnets     = optional(list(string))
    serviceSubnets = optional(list(string))
  apiServer = optional(object({
    image     = string
    extraArgs = optional(map(string))
    extraVolumes = optional(list(object({
      hostPath  = string
      mountPath = string
      readonly  = bool
    env                      = optional(map(string))
    certSANs                 = optional(list(string))
    disablePodSecurityPolicy = optional(bool)
    admissionControl = optional(list(object({
      name          = string
      configuration = map(any)
  controllerManager = optional(object({
    image     = string
    extraArgs = optional(map(string))
    extraVolumes = optional(list(object({
      hostPath  = string
      mountPath = string
      readonly  = bool
    env = optional(map(string))
  proxy = optional(object({
    disabled  = bool
    image     = optional(string)
    mode      = optional(string)
    extraArgs = optional(map(string))
  scheduler = optional(object({
    image     = string
    extraArgs = optional(map(string))
    extraVolumes = optional(list(object({
      hostPath  = string
      mountPath = string
      readonly  = bool
    env = optional(map(string))
  etcd = optional(object({
    image     = optional(string)
    extraArgs = optional(map(string))
    subnet    = optional(string)
  coreDNS = optional(object({
    disabled = bool
    image    = optional(string)
  externalCloudProvider = optional(object({
    enabled   = bool
    manifests = list(string)
  adminKubeconfig = optional(object({
    certLifetime = string
  allowSchedulingOnMasters = optional(bool)

See ClusterConfig section in Talos Configuration Reference for detail description.

Cluster Inline Manifests Input

  name     = string
  contents = string

See ClusterConfig section in Talos Configuration Reference for detail description.


Name Description Type Sensitive
default_ip_addresses List of nodes IP addresses from VMTools by default. list(string) false


Module is maintained by Ilya Pozdnov.


Apache 2 Licensed. See LICENSE for full details.