All articles

Getting started with OpenTofu/Terraform on European Cloud OVH

Recent trade tensions between the US and EU highlight why digital sovereignty matters. European cloud alternatives like OVHcloud are relevant not just for technical or cost reasons, but for control over where your data resides and which jurisdiction governs it.

If you're using Infrastructure-as-Code with Terraform or OpenTofu on OVHcloud, setting up API credentials and getting started can be a bit tricky. This step-by-step guide shows you how to configure OVH API tokens and deploy your first Object Storage bucket on European infrastructure.

The Provider Situation (It's a Bit of a Mess)

Before we start: OVHcloud doesn't have a single, unified Terraform provider. Depending on which resources you need to manage, you'll need multiple providers:

Provider

What It Manages

ovh/ovh

OVH-specific: Kubernetes, private networks, vRack, DNS, Object Storage, databases

openstack

Compute instances, block storage, keypairs, security groups, floating IPs

hashicorp/aws

S3-compatible Object Storage operations (alternative to OVH provider)

OVHcloud's Public Cloud is built on OpenStack, but not all resources are exposed through the OpenStack API. This makes managing infrastructure-as-code a bit more complex. For this guide, we'll use the native ovh/ovh provider.

Check out this page to get more details.

What You'll Need

The OVH Terraform provider requires four authentication parameters:

  • OVH_ENDPOINT - Your OVH region (e.g., ovh-eu for Europe)

  • OVH_APPLICATION_KEY - API application identifier

  • OVH_APPLICATION_SECRET - API application secret

  • OVH_CONSUMER_KEY - API consumer token with delegated rights

You'll also need your Public Cloud Project ID. Find this in the OVH Control Panel under Project Settings.

Creating OVH API Credentials: Step-by-Step

Step 1: Navigate to the Token Creation Page

Go to the OVH API token creation page for your region:

Log in with your OVHcloud account credentials.

Step 2: Configure Your Application

Fill in the form with these details:

  • Script name: terraform-infrastructure (or any recognizable identifier)

  • Script description: Optional description of what this API token is for

  • Validity: Unlimited, or 30 days (recommended for infrastructure automation)

Step 3: Grant API Rights (The Critical Step)

This is where it gets interesting. For full Terraform functionality, you need four HTTP methods. Add each by clicking the + button. Use /* as the path for all methods:

Method

Path

Why It's Needed

GET

/*

Read resources and refresh Terraform state

POST

/*

Create new resources

PUT

/*

Update existing resources

DELETE

/*

Remove resources during cleanup

Important warnings:

  • Do NOT add PATCH - this causes an Internal Server Error in the OVH form

  • Use /* as the path - this grants access to all API endpoints. Empty paths or specific paths like /cloud/* can cause validation errors or unexpected access issues

  • The /* path grants full API access, which is standard for infrastructure automation tools

Step 4: Generate and Save Credentials

Click Create keys. You'll receive three values:

  • Application Key (AK) - Your public API identifier

  • Application Secret (AS) - Your private API secret

  • Consumer Key (CK) - Your delegated access token

Important: Save these credentials immediately - the Application Secret is only shown once!

Setting Up Your Terraform Project for OVH Cloud

Create the Directory Structure

If you want to skip right to the code, check out my GitHub repo: https://github.com/wolkwork/ovh-tofu-example

If you want some more context: keep reading!
Create a new directory for your Terraform/OpenTofu project in bash:

mkdir ovh-terraform && cd ovh-terraform

Configure Environment Variables

Create a .env file with your OVH API credentials. Important: Use export for each variable:

# .env
export OVH_ENDPOINT="ovh-eu"
export OVH_APPLICATION_KEY="your_application_key"
export OVH_APPLICATION_SECRET="your_application_secret"
export OVH_CONSUMER_KEY="your_consumer_key"
export TF_VAR_service_name="your_project_id"

Add .env to your .gitignore for security:

echo ".env" >> .gitignore

Create Terraform Configuration Files

Create the following Terraform configuration files:

provider.tf - OVH Provider Configuration

terraform {
  required_version = ">= 1.0"

  required_providers {
    ovh = {
      source  = "ovh/ovh"
      version = "~> 2.1"
    }
  }
}

provider "ovh" {
  # Credentials are automatically loaded from OVH_* environment variables
}

variables.tf - Input Variables

variable "service_name" {
  description = "Your OVH Public Cloud project ID"
  type        = string
}

storage.tf - Object Storage Resource

resource "ovh_cloud_project_storage" "bucket" {
  service_name = var.service_name
  region_name  = "GRA"  # Gravelines, France
  name         = "my-test-bucket"
}

Deploying Object Storage with OpenTofu/Terraform

Step 1: Load Environment Variables

source .env

Verify the variables are correctly loaded:

echo $OVH_ENDPOINT        # Should print: ovh-eu
echo $TF_VAR_service_name # Should print your project ID

Step 2: Initialize Terraform/OpenTofu

tofu init
# or for Terraform
terraform init

This command downloads the OVH provider and initializes your working directory.

Step 3: Generate Deployment Plan

tofu plan
# or for Terraform
terraform plan
```

You should see output like:
```
Plan: 1 to add, 0 to change, 0 to destroy.

This shows which resources will be created without actually deploying them.

Step 4: Deploy Infrastructure

tofu apply
# or for Terraform
terraform apply

Type yes when prompted for confirmation.

Step 5: Verify Deployment

Go to Public Cloud > Object Storage in the OVH Control Panel to see your new bucket.

Cleaning Up Infrastructure

To remove the deployed resources:

tofu destroy
# or for Terraform
terraform destroy

Type yes to confirm deletion.

Available OVH Cloud Regions for Object Storage

Region Code

Datacenter Location

Country

GRA

Gravelines

France

SBG

Strasbourg

France

BHS

Beauharnois

Canada

DE

Frankfurt

Germany

UK

London

United Kingdom

WAW

Warsaw

Poland

Common Problems and Solutions

"unknown endpoint ''" Error

Problem: Your environment variables aren't being exported correctly.

Solution: Make sure your .env file uses export for each variable and run source .env.

"Internal Server Error" During Token Creation

Problem: OVH API token form gives a server error.

Solution: Remove PATCH from the methods list and use /* as the path for all methods.

"This call has not been granted" Error

Problem: Your API token is missing required permissions.

Solution: Create a new token with GET, POST, PUT, and DELETE methods (all with /* as the path).

"Invalid signature" Error

Problem: Your Application Secret is incorrect or corrupted.

Solution: Verify that your OVH_APPLICATION_SECRET is copied completely and correctly without extra spaces or line breaks.

Terraform Prompts for service_name Input

Problem: The TF_VAR_service_name environment variable isn't set.

Solution: Verify with echo $TF_VAR_service_name and run source .env again if it's empty.

Security Best Practices for OVH API Credentials

  1. Never commit credentials - Always add .env to your .gitignore

  2. Use environment variables - Keep secrets out of your Terraform code

  3. Rotate credentials regularly - Create new tokens periodically and revoke old ones

  4. Use separate tokens per environment - Different credentials for development, staging, and production

  5. Implement secret management - For production: use HashiCorp Vault or similar secret management systems

  6. Limit token validity - Use time-limited tokens where possible for temporary access

Useful Resources

Getting Started with European Cloud Infrastructure

Configuring OVH API credentials for Terraform doesn't need to be complex. The key points: use four HTTP methods (GET, POST, PUT, DELETE) with /* as the path, store your credentials securely in environment variables, and test your setup with a simple Object Storage deployment.

Using Infrastructure-as-Code with OVHcloud makes your cloud infrastructure reproducible, version-controlled, and manageable. Whether you use OpenTofu or Terraform, the workflow remains the same. With OVH as a European cloud provider, you maintain control over where your data resides.

Need help setting up cloud infrastructure, data platforms, or Infrastructure-as-Code workflows on European cloud? At Wolk, we help organizations with practical cloud and data implementations where data sovereignty is central. Contact us at hello@wolk.work or follow us on LinkedIn.

Stay up to date!

Subscribe to our newsletter, de Wolkskrant, to get the latest tools, trends and tips from the industry.

Subscribe

More articles

European Cloud Providers Compared: A Hands-On Terraform Test (January 2026)

Getting started with OpenTofu/Terraform on European Cloud OVH

From Mussels to Municipalities: Taming the CBS Open Data APIs

Top 12 technologies that defined Wolk's 2025 (including a piece of wood)

The Small Data Movement: Why Your Data Stack is Probably Over-Engineered

Not All at Once! User-Friendly Rate Limiting With Redis Semaphores

Break free from the billable hours model – 4 steps to a scalable new business model

How AI Agents Work (for you): A look behind the curtain

A Quest to Find the Fastest Search Stack

Stop feeding ChatGPT your secret sauce: How to safely use AI in FoodTech