Provision OpenBSD VMs with Terraform: AWS EC2 unofficial AMIs, Vultr official images, Proxmox install, and pf firewall bootstrap.
OpenBSD remains the security-first BSD of choice in 2026 for firewalls, mail, and minimal-trust services. Cloud images are scarcer than for Linux: Vultr ships official OpenBSD images, AWS does not. Most teams run OpenBSD on Proxmox or Vultr, with Terraform provisioning the VMs and configuring pf via cloud-init or a "remote-exec" provisioner.
    # Vultr: look up the official OpenBSD image by name and build the firewall VM from it.
    terraform {
      required_providers {
        vultr = { source = "vultr/vultr", version = "~> 2.21" }
      }
    }

    data "vultr_os" "openbsd" {
      filter {
        name   = "name"
        values = ["OpenBSD 7.6 x64"]
      }
    }

    resource "vultr_instance" "fw" {
      plan     = "vc2-1c-1gb"
      region   = "ewr"
      os_id    = data.vultr_os.openbsd.id
      hostname = "openbsd-fw"
      # vultr_ssh_key.me is not shown on this page; it must be declared elsewhere in the configuration.
      ssh_key_ids = [vultr_ssh_key.me.id]
    }

    # Proxmox: create the VM and attach the OpenBSD install ISO as a CD-ROM.
    # proxmox_virtual_environment_vm comes from the bpg/proxmox provider, which
    # this snippet assumes is declared and configured separately.
    resource "proxmox_virtual_environment_vm" "openbsd" {
      name      = "openbsd-fw"
      node_name = "pve1"

      cpu { cores = 2 }
      memory { dedicated = 2048 }

      disk {
        datastore_id = "local-lvm"
        interface    = "virtio0"
        size         = 16
      }

      cdrom {
        enabled = true
        file_id = "local:iso/OpenBSD-7.6-amd64.iso"
      }

      network_device { bridge = "vmbr0" }
    }

    # pf bootstrap: copy pf.conf to the Vultr instance over SSH, then load it.
    resource "null_resource" "pf" {
      # Re-runs only when the instance is replaced.
      triggers = { instance = vultr_instance.fw.id }

      connection {
        type        = "ssh"
        user        = "root"
        private_key = file("~/.ssh/id_ed25519")
        host        = vultr_instance.fw.main_ip
      }

      provisioner "file" {
        source      = "${path.module}/pf.conf"
        destination = "/etc/pf.conf"
      }

      provisioner "remote-exec" {
        # pfctl -n parses the ruleset without loading it; load only if it parses.
        inline = ["pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf"]
      }
    }

pf.conf from version control — that's the actual security boundary.
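A staged variant of the pf bootstrap above, as an added example that is not part of the original page: it uploads the ruleset to a staging path, parses it with pfctl -n before /etc/pf.conf is touched, and re-runs whenever the pf.conf in version control changes. The resource name pf_staged and the paths /etc/pf.conf.new and /etc/pf.conf.prev are assumptions; vultr_instance.fw and the SSH key path are reused from the page.

```hcl
# Added example, not the page's own code. Names and staging paths are assumptions.
resource "null_resource" "pf_staged" {
  triggers = {
    instance = vultr_instance.fw.id
    # Re-provision when the ruleset in the repository changes,
    # not only when the instance is replaced.
    pf_hash = filesha256("${path.module}/pf.conf")
  }

  connection {
    type        = "ssh"
    user        = "root"
    private_key = file("~/.ssh/id_ed25519")
    host        = vultr_instance.fw.main_ip
  }

  # Upload next to the live file so a bad ruleset never replaces /etc/pf.conf.
  provisioner "file" {
    source      = "${path.module}/pf.conf"
    destination = "/etc/pf.conf.new"
  }

  provisioner "remote-exec" {
    # The inline lines run as one script; set -e stops at the first failure.
    inline = [
      "set -e",
      # Parse only (-n): abort here if the staged ruleset is invalid.
      "pfctl -nf /etc/pf.conf.new",
      # Keep the previous ruleset for manual rollback.
      "if [ -f /etc/pf.conf ]; then cp -p /etc/pf.conf /etc/pf.conf.prev; fi",
      # Install with root-only permissions, then load the new rules.
      "install -o root -g wheel -m 0600 /etc/pf.conf.new /etc/pf.conf",
      "pfctl -f /etc/pf.conf",
      "rm -f /etc/pf.conf.new",
    ]
  }
}
```

pfctl -n only confirms that the ruleset parses; a valid ruleset can still block the SSH session Terraform is using, so keep console access to the instance.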