IaC Bazaar
Civo Compute Stack

Instances with network, firewall, volume, and reserved IP.

civo-compute-stack · terraform v1.7

Verification

Static-verified

Passed: validated and lint-clean (provider-schema-validated for AWS/Azure/GCP; Terraform-language lint elsewhere).

Conformance

  • Static validation (fmt · validate · tflint)
  • No applicable security policies for this provider
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live test pending (no cloud run yet)

Last verified 2026-06-28

Documentation

civo-compute-stack

Status: static-validated, live-test pending. This module ships under live-test quarantine — it passes tofu fmt, tofu validate, and tflint, but the real apply → verify → destroy gate is deferred until a Civo cloud sandbox account is wired into the live-test lane. Treat the secure defaults as reviewed, the cloud behavior as not yet proven end-to-end.

Civo compute stack: one or more instances on a dedicated private network behind a deny-by-default firewall, with optional per-instance block storage and an optional reserved (static) public IP. Works with Terraform and OpenTofu (>= 1.6), Civo provider >= 1.0, < 2.0.

Design / secure defaults

  • Dedicated private network (civo_network) per stack instead of the Civo default network — clean isolation.
  • Deny-by-default firewall. The civo_firewall is created with create_default_rules = false, so nothing inbound is permitted until you list CIDRs. SSH (tcp/22) opens only for allowed_ssh_cidrs; the default empty list leaves SSH closed. Add app ports via extra_ingress_rules. Egress is allowed so instances can reach package mirrors.
  • Key-based access by default. write_password = false, so Civo does not generate/email a root password — supply sshkey_id. If you do enable write_password, the generated value is a sensitive output.
  • Per-instance data volume (civo_volume + civo_volume_attachment), attached at boot by default so cloud-init can format and mount it.
  • Reserved IP guard. create_reserved_ip is gated by a precondition requiring instance_count = 1, since the static IP binds to one instance — this fails fast at plan time rather than silently mis-wiring.
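
A plan-time check for the firewall defaults listed above, as an added example (not part of the module or of the catalog's verification pipeline). It walks the JSON form of a plan and flags any civo_firewall that leaves create_default_rules on or allows tcp/22 from the whole internet. The resource addresses and the sample plan are constructed, and the ingress_rule attribute layout (protocol, port_range, cidr, action, label) is assumed from the Civo provider's firewall resource.

```python
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

def walk_resources(module):
    """Yield every resource in a plan module, descending into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk_resources(child)

def port_in_range(port, port_range):
    """True if port lies in a port_range string such as "22" or "20-25"."""
    if not port_range:
        return False
    low, _, high = str(port_range).partition("-")
    return int(low) <= port <= int(high or low)

def audit_firewalls(plan, ssh_port=22):
    """Return (address, problem) pairs for firewalls that break deny-by-default."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in walk_resources(root):
        if res.get("type") != "civo_firewall":
            continue
        values = res.get("values", {})
        if values.get("create_default_rules") is not False:
            findings.append((res["address"], "create_default_rules is not false"))
        for rule in values.get("ingress_rule") or []:
            world = OPEN_CIDRS & set(rule.get("cidr") or [])
            if (rule.get("action") == "allow" and rule.get("protocol") == "tcp"
                    and world and port_in_range(ssh_port, rule.get("port_range"))):
                findings.append((res["address"], f"tcp/{ssh_port} open to {sorted(world)[0]}"))
    return findings

def sample_firewall(address, default_rules, cidr, ports):
    """Build one constructed civo_firewall plan entry (addresses are hypothetical)."""
    rule = {"label": "ssh", "protocol": "tcp", "port_range": ports, "cidr": cidr, "action": "allow"}
    return {"address": address, "type": "civo_firewall",
            "values": {"create_default_rules": default_rules, "ingress_rule": [rule]}}

# Constructed sample shaped like `tofu show -json` output; not real plan data.
SAMPLE_PLAN = {"planned_values": {"root_module": {"child_modules": [{"resources": [
    sample_firewall("module.compute.civo_firewall.this", False, ["203.0.113.10/32"], "22"),
    sample_firewall("module.legacy.civo_firewall.this", True, ["0.0.0.0/0"], "20-25"),
]}]}}}

if __name__ == "__main__":
    for address, problem in audit_firewalls(SAMPLE_PLAN):
        print(f"{address}: {problem}")
```

To run it against a real plan, load the output of `tofu show -json <planfile>` with `json.load` and pass the result to `audit_firewalls`.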

Usage

provider "civo" {
  region = "LON1" # token via CIVO_TOKEN
}

module "compute" {
  source = "./civo-compute-stack"

  name           = "app"
  region         = "LON1"
  instance_count = 2
  size           = "g3.small"
  disk_image     = "ubuntu-noble"

  allowed_ssh_cidrs = ["203.0.113.10/32"]
  sshkey_id         = "<your-civo-ssh-key-id>"

  volume_size_gb = 40
  tags           = ["app", "demo"]
}

Inputs

| Name | Type | Default | Description |
|------|------|---------|-------------|
| name | string | | Resource name prefix (required) |
| region | string | | Civo region, e.g. LON1, NYC1 (required) |
| instance_count | number | 1 | Number of instances (1-50) |
| size | string | "g3.small" | Civo instance size code |
| disk_image | string | "ubuntu-noble" | Boot disk image / template |
| sshkey_id | string | null | Civo SSH key id installed at boot |
| initial_user | string | "civo" | Initial sudo user |
| write_password | bool | false | Generate + email a root password (off; prefer SSH keys) |
| public_ip | string | "create" | create, none, or move_ip_from:<id> |
| script | string | null | Cloud-init / bootstrap script |
| network_cidr | string | "10.30.0.0/24" | IPv4 CIDR for the private network |
| network_nameservers | list(string) | [] | Custom nameservers (empty = Civo defaults) |
| allowed_ssh_cidrs | list(string) | [] | CIDRs allowed to SSH (tcp/22); empty = closed |
| extra_ingress_rules | map(object) | {} | Extra firewall ingress rules { protocol, port_range, cidr, action, label } |
| volume_size_gb | number | null | Per-instance data volume size; null disables |
| volume_attach_at_boot | bool | true | Attach the volume at boot |
| create_reserved_ip | bool | false | Create + bind a reserved static IP (needs instance_count = 1) |
| tags | set(string) | [] | Instance tags |

Outputs

| Name | Description |
|------|-------------|
| instance_ids | Instance IDs |
| instance_hostnames | Instance hostnames |
| instance_public_ips | Public IPv4 addresses (empty when public_ip = "none") |
| instance_private_ips | Private network IPv4 addresses |
| instance_initial_passwords | Civo-generated passwords (sensitive, only with write_password) |
| network_id | Private network ID |
| firewall_id | Firewall ID |
| volume_ids | Data volume IDs (empty when disabled) |
| reserved_ip | Reserved static IP, or null |
| reserved_ip_id | Reserved IP ID, or null |

Requirements

  • Terraform or OpenTofu >= 1.6
  • civo/civo provider >= 1.0, < 2.0
  • create_reserved_ip = true requires instance_count = 1 (enforced by a precondition).

Verification

Static-validated (tofu fmt, tofu validate, tflint). Live apply/destroy testing pending Civo sandbox availability — see catalog status.

License

Commercial — LicenseRef-IaCBazaar-Commercial.