Templates
Accelerate your cloud journey with our collection of production-ready infrastructure templates, purpose-built for Open Telekom Cloud.
Whether you're launching a simple proof of concept or orchestrating a complex, multi-service architecture, these turnkey solutions empower
you to deploy with speed, consistency, and confidence. Designed around tools like Terraform, TOSCA and Open Telekom Cloud services such as
Create Cloud & Resource Formation Service, each template reflects best practices and real-world expertise—helping you reduce setup time,
eliminate manual errors, and focus on delivering value. From networking and compute to storage and security,
discover a smarter way to build in the cloud.

OpenShift
This template deploys a self-managed OpenShift Container Platform on Open Telekom Cloud with worker nodes in one availability zone. To deploy worker nodes in three availability zones, use the template OpenShift HA.

OpenShift HA
This template deploys a self-managed OpenShift Container Platform on Open Telekom Cloud with master and worker nodes in 3 availability zones.

Bastion Host
This template demonstrates the use case of the bastion host and the NAT gateway. The bastion host is used as a jump host to access the private compute via the Admin Network. The private compute has the network port in the Data Network as the default port for outgoing traffic. The NAT gateway is used to SNAT outgoing traffic from the private compute.

Prometheus
This template creates a Prometheus monitoring system with Prometheus server (v2.54.1), Grafana (v11.2.2), node exporter (v1.8.2), and alertmanager (v0.27.0).

NextCloud
This template deploys the NextCloud app (version 28) on Open Telekom Cloud using Object Storage and Relational Database Service as the storage back-end and the MySQL Server, respectively.

P2S VPN
Deploy and maintain Point-to-Site OpenVPN connections on Open Telekom Cloud using Terraform + Ansible. Provision VPC, ECS instance, security groups (SSH/UDP), and private DNS in one go. Automate OpenVPN/EasyRSA installation, firewall hardening, and user certificate lifecycle (create, revoke, package). Built-in backup/restore workflows ensure seamless operational continuity.

ACME
Automate ACME SSL/TLS certificate issuance and renewal on Open Telekom Cloud. Automatically provision a DNS Admin user, enforce 30-day key rotation, and orchestrate DNS-01 challenges. Support wildcard/SAN certs with ECDSA/RSA key options and configurable renewal thresholds for scalable, compliant HTTPS.

CCE
Provision a production-grade Open Telekom Cloud Container Engine (CCE) cluster with a single Terraform module. Seamlessly integrate VPC/subnets, node pools with autoscaling, and optional high availability. Customize cluster version, node flavors, storage, and addons for resilient, scalable container workloads.

CCE GPU Node Pool
Provision a production-grade CCE cluster on Open Telekom Cloud with a single Terraform module. Automate VPC/subnet setup, node pools with autoscaling, and optional multi-AZ high availability. Customize Kubernetes version, node flavors, storage classes, and addon integrations. Simplify scalable, resilient container orchestration with end-to-end infrastructure automation.

CRD Installer
Automate extraction and deployment of Kubernetes CRDs from Helm charts into your OTC cluster. Preload cert-manager, Traefik, Kyverno, Prometheus CRDs—or add custom charts—with version overrides.

CTS
Provision OTC Cloud Trace Service with a secure, encrypted OBS bucket and CTS tracker. Customize data retention (default 180 days), object prefixes, and optional trace analysis. Leverage built-in KMS key management for compliant encryption. Automate trace collection and storage with a single Terraform module.

Dedicated ELB
Deploy a dedicated ELB instance with public and private IPs (including EIP) on Open Telekom Cloud via Terraform. Automate availability zone, subnet, network, and bandwidth provisioning with selectable L4/L7 load-balancer flavors. Expose ELB ID, private/public IP outputs, and apply custom tags for seamless infrastructure governance.

Enterprise VPN Connection
Orchestrate OTC Enterprise VPN gateway and IPSec connections with Terraform. Configure IPsec tunnels (static/policy/BGP) with customizable IKE/IPsec policies, DPD, NQA, and HA modes (active-active/standby). Automate remote gateway and PSK provisioning along with multi-tunnel orchestration. Export connection details for secure, scalable on-premises connectivity.

Enterprise VPN Gateway
Automate deployment of Open Telekom Cloud Enterprise VPN gateways with Terraform. Customize gateway name, bandwidth, description, IKE/IPsec policies, BGP settings, and HA mode. Enable active-active or standby high availability for resilient connectivity. Expose gateway IDs, IP addresses, and status outputs for seamless integration.

EVS
Automate encrypted EVS volume provisioning on Open Telekom Cloud with a single Terraform module. Define multiple volumes across availability zones with custom specs (size, type, device) and unified tags. Generate and manage KMS keys by prefix, exposing a map of volume resources for seamless orchestration.

Jumphosts
Deploy a secure SSH jumphost on Open Telekom Cloud via Terraform. Automate VPC/subnet, ECS instance with boot volume, floating IP, and security group rules. Enable cloud-init customization, host key persistence, and optional KMS disk encryption. Expose public/private IPs and security group ID for seamless integration.

Keycloak SSO (OIDC)
Provision Keycloak as an OIDC SSO identity provider for Open Telekom Cloud with a single Terraform module. Automatically create a Keycloak OpenID client, default scopes, and OTC identity_provider resource with JSON-driven claim mappings for users and groups. Supports custom domain, realm, endpoint configuration and outputs the OTC SSO URL for seamless integration.

Keycloak SSO (SAML)
Provision Keycloak as a SAML SSO identity provider for Open Telekom Cloud with a single Terraform module. Automatically create a Keycloak OpenID client, default scopes, and OTC identity_provider resource with JSON-driven claim mappings for users and groups. Supports custom domain, realm, endpoint configuration and outputs the OTC SSO URL for seamless integration.

ELB
Provision scalable L4/L7 load balancers on Open Telekom Cloud with Terraform. Create listeners, pools, health monitors, and backend members with customizable protocols, ports, and session persistence. Enable SSL termination, cross-AZ deployment, autoscaling, and tagging for end-to-end traffic management.

Restricted OBS Bucket
Provision a KMS-SSE encrypted OBS bucket with a dedicated access user scoped to that bucket on OTC. Automatically create the user, group, roles, and KMS key, with optional versioning, force-destroy, and tagging. Expose bucket name plus scoped access and secret keys for secure, compliant object storage.

OBS Secrets Reader
Read JSON-formatted secrets from an encrypted OBS bucket on Open Telekom Cloud. Automatically fetch and parse your secrets file, exposing values as Terraform outputs. Works with KMS-SSE encryption and scoped IAM credentials for secure, in-Terraform secret retrieval.

OBS Secrets Writer
Automate writing JSON-formatted secrets to an encrypted OBS bucket on Open Telekom Cloud. Provision or reuse a KMS-SSE bucket with scoped IAM credentials, versioning, and force-destroy options. Serialize Terraform variables into a secrets file and upload via OBS object. Output bucket details and object path for seamless consumption by downstream modules.

Private DNS
Manage private DNS in Open Telekom Cloud with a single Terraform module. Automate creation of DNS zones, VPC zone associations, and recordsets (A, CNAME, MX, TXT, SRV). Customize TTLs, tags, and forwarding rules for secure, scalable internal name resolution.

Projects
Optimize tenant project lifecycle on Open Telekom Cloud with Terraform. Automate creation, deletion, and quota configuration—including service enablement and custom resource limits. Assign users, roles, and tags, exposing project IDs and credentials for integrated access management.

Public DNS
Manage public DNS zones on Open Telekom Cloud with a single Terraform module. Automate creation of zones, recordsets (A, AAAA, CNAME, MX, TXT, SRV), and optional reverse DNS entries. Customize TTLs, tags, and forwarding policies for resilient, high-performance domain resolution. Enable self-service domain management with minimal operational overhead.

RDS
Provision managed MySQL, PostgreSQL, or SQL Server instances on Open Telekom Cloud with Terraform. Customize engine version, compute/storage specs, HA replicas, backup retention, and KMS-encrypted volumes. Integrate monitoring, security groups, optional EIP, and output endpoints and credentials for seamless app integration.

SFS
Provision and manage Scalable File Service (SFS) volumes with KMS encryption and automated CBR backups via a single Terraform module. Create SFS Turbo shares, security groups, and backup vault/policies with customizable retention and iCal-based trigger schedules. Configure availability zone, VPC/subnet, volume size/type, and KMS key lifecycle for resilient, secure file storage.

SNAT
Provision a dedicated NAT gateway with SNAT rules to enable internet egress from your VPC subnets. Customize gateway bandwidth, size, and target networks using subnet IDs or CIDRs. Defaults to its own subnet if no networks are specified and outputs the allocated EIP for seamless integration.

Encrypted Terraform Remote State
Provision an encrypted OBS bucket for Terraform remote state on Open Telekom Cloud with a single module. Encrypt the bucket using a KMS key, enforce prevent_destroy for immutability, and output a ready-to-use backend configuration. It streamlines secure, compliant state management at scale.

VPC/Subnet
Deploy a VPC with multiple subnets on Open Telekom Cloud using a single Terraform module. Customize your CIDR block, DNS server list, and tags uniformly across all subnets. Automatically output the VPC and subnet objects for seamless integration and scalable network foundations.

WAF
Protect web apps with OTC WAF, automating DNS CNAME record, WAF domain and certificate resources via Terraform. Configure backend server endpoints, enforce TLSv1.2 or v1.1 with customizable cipher suites, and opt-in client/server insecure modes. Leverage default or custom WAF policies for Layer-7 threat mitigation and bot protection in code-driven deployments.