OpenTofu edit default profile on new project

I’m trying to do some Incus server configuration through OpenTofu. In particular, I wish to create a project, some profiles and some instances. I also want to create another project and some profiles for the instances to be user generated. In both cases, I wish to define the default profile used in that project. Since the project is just created, I should be able to set up the default profile.

Sadly, since the default profile is created automatically, OpenTofu can’t define the default profile since it’s already created.

In particular, I get the following error message:

│ Error: Failed to create profile "default"
│
│   with module.services.incus_profile.default,
│   on restricted-nodes/main.tf line 27, in resource "incus_profile" "default":
│   27: resource "incus_profile" "default" {
│
│ Error inserting "default" into database: The profile already exists

Is it possible to set up the default profile on a newly created project through OpenTofu?

I was actually talking with @maveonair about this just earlier today :slight_smile:

There’s definitely a bit of an issue here and I’m not sure how to best handle it.
Basically it’s impossible to not have a default profile, but the default profile will not exist until the project is first created.

Ideally you’d define both your incus_project and incus_profile and then because the profile will automatically appear, you’d put an import section for the incus_profile part.

But this won’t work because the import will run before anything is created, meaning before the project exists and so before the profile exists.

I think we may have to resort to somewhat black magic internally here and I’m not actually sure how easy or even feasible it is within the provider API, so really a question for @maveonair :slight_smile:

Do you think it’s possible to add some logic so that if we’re creating both an incus_project and an incus_profile within that project and with name == "default" that we internally turn this CreateProfile into an UpdateProfile, leading to the expected result even if Terraform won’t strictly speaking have been the one that created the profile?

An alternative could be to extend incus project create to be able to receive the default profile as a parameter during project creation. It might be something that makes sense on the Incus side alone.

I’m not super sure if this part is possible on OpenTofu, but if a project and its default profile are defined, then it would create the project with that profile on creation and assume it has control on both.

There actually may be another solution which can be achieved through the incus side only. It might make sense (at least for me) since I’ve always thought of the default profile solution to be slightly hackish. And just to make sure, I mean the fact that the default profile is always present and must be called default.

An alternative could be to be able to set a particular profile as default, so a project can have a default profile or not.

In this sense, every project could still be created with a default profile called default set just to keep the current behaviour, but maybe have a flag of --no-default-profile to create a project without one (which could be set later). This would also allow users to set default profiles which are not called default and a way to make sure a project is actually clean before it’s deleted. Currently it is clean when it is used only by the default profile (which still might have something important there).

Wouldn’t this be a less hackish solution which could also improve the overall incus organization and customization?

It’s not impossible but it would require a LOT of work to get that done and would likely hit a bunch of interesting edge cases when dealing with projects inheriting from the default.

Please have a look at the following pull request: Edit default profile on new project by maveonair · Pull Request #130 · lxc/terraform-provider-incus · GitHub. Looking forward to feedback :slight_smile:
