Proxmox VM Provisioning Pipeline

Proxmox VM Provisioning Pipeline with Jenkins (Infrastructure CI/CD)

I built an end-to-end infrastructure automation pipeline that provisions, secures, configures, and monitors virtual machines on Proxmox VE using modern DevOps tooling and real-world CI/CD patterns.

This project replaces a traditional “app-only” pipeline with full infrastructure lifecycle automation — from VM creation to secure access and observability — driven entirely by code.

Tech Stack
  • Terraform - Infrastructure as Code for VM provisioning on Proxmox VE
  • Jenkins - CI/CD orchestration and pipeline execution
  • Ansible - Post-provisioning configuration management
  • HashiCorp Vault - Short-lived SSH certificate authentication
  • Prometheus - Automated monitoring and metrics collection

What the Pipeline Does

Jenkins Pipeline

  • Triggers infrastructure builds on demand
  • Accepts parameters such as VM name, CPU, and memory
  • Orchestrates Terraform and Ansible stages
  • Injects credentials securely using Jenkins Credentials
  • Ensures no secrets are stored in Git

Terraform (Infrastructure as Code)

  • Provisions virtual machines on Proxmox using API tokens
  • Deploys from cloud-init enabled templates
  • Configures CPU, memory, and networking
  • Injects SSH access via cloud-init
  • Uses least-privilege API credentials
  • Marks sensitive values appropriately

Ansible Configuration

  • Applies baseline OS configuration
  • Installs Docker and Node Exporter
  • Requests Vault-signed SSH certificates
  • Configures SSH to use certificate-based authentication
  • Ensures consistent and repeatable VM configuration

Vault SSH Certificate Authority

  • Vault acts as an SSH CA
  • Eliminates long-lived static SSH keys
  • Issues short-lived certificates via AppRole
  • Improves security and access auditing
  • Designed for automated, ephemeral infrastructure

Prometheus Integration

  • Automatically registers new VMs as scrape targets
  • Uses file-based service discovery for clean updates
  • Avoids manual Prometheus configuration changes
  • Ensures new infrastructure is monitored immediately
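As an added example (not code from the repository), a small Python helper that performs the file-based service discovery step described above: it re-registers a VM idempotently and replaces the target file atomically, so a repeated pipeline run never duplicates a target and Prometheus never reads a half-written file. Node Exporter on port 9100 and the path /etc/prometheus/targets/vms.json are assumptions.

```python
"""Register a freshly provisioned VM as a Prometheus file_sd scrape target.

Added example, not the repository's code. Assumes Node Exporter listens on
9100 and Prometheus loads /etc/prometheus/targets/vms.json via file_sd_configs.
"""
import ipaddress
import json
import os
import tempfile

NODE_EXPORTER_PORT = 9100  # assumption: Node Exporter default port


def register_target(targets, vm_name, address, env="lab", port=NODE_EXPORTER_PORT):
    """Return a new target list with vm_name pointing at address:port.

    Idempotent: an existing entry for the same vm_name is replaced, so repeated
    pipeline runs leave exactly one target per VM.
    """
    ipaddress.ip_address(address)  # reject malformed addresses from cloud-init
    entry = {
        "targets": [f"{address}:{port}"],
        "labels": {"job": "node", "instance": vm_name, "env": env},
    }
    kept = [t for t in targets if t.get("labels", {}).get("instance") != vm_name]
    return kept + [entry]


def load_targets(path):
    """Read the current file_sd list; a missing file means no targets yet."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def write_targets_atomic(path, targets):
    """Write to a temp file in the same directory, then rename over path."""
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".vms-", suffix=".json")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(targets, fh, indent=2)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, 0o644)  # readable by the prometheus user
        os.replace(tmp, path)  # atomic on POSIX: old file or new, never partial
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


if __name__ == "__main__":
    import sys
    sd_file, name, ip = sys.argv[1:4]  # e.g. vms.json vm-web-01 10.0.0.5
    write_targets_atomic(sd_file, register_target(load_targets(sd_file), name, ip))
```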

Architecture Flow

Jenkins Pipeline → Terraform provisions VM via Proxmox API → VM boots via cloud-init → Ansible configures OS and services → Vault signs short-lived SSH certificates → Prometheus begins scraping metrics

Security Model

  • No secrets committed to GitHub
  • Jenkins Credentials manage sensitive values
  • Terraform variables marked as sensitive
  • Vault must already be unsealed or auto-unsealed
  • SSH access uses short-lived certificates instead of keys
  • .gitignore prevents state files and secrets from leaking

Why This Project Matters

This pipeline mirrors real-world infrastructure workflows used in production DevOps and platform engineering environments:

  • Infrastructure treated as code
  • CI/CD applied to servers, not just applications
  • Secure, auditable access using certificate-based SSH
  • Automated observability baked into provisioning
  • Designed to scale across many VMs and environments

It demonstrates the transition from manual VM management to fully automated, repeatable infrastructure delivery.

GitHub repository: https://github.com/mikecozier/proxmox-terraform-ansible-jenkins-create-vm