---
title: "discovery.openstack | Grafana Alloy documentation"
description: "Learn about discovery.openstack"
---

# `discovery.openstack`

`discovery.openstack` discovers [OpenStack](https://docs.openstack.org/nova/latest/) Nova instances and exposes them as targets.

## Usage

Alloy ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```alloy
discovery.openstack "<LABEL>" {
  role   = "<OPENSTACK_ROLE>"
  region = "<OPENSTACK_REGION>"
}
```

## Arguments

You can use the following arguments with `discovery.openstack`:

Expand table

| Name                            | Type       | Description                                                                                          | Default  | Required |
|---------------------------------|------------|------------------------------------------------------------------------------------------------------|----------|----------|
| `region`                        | `string`   | OpenStack region.                                                                                    |          | yes      |
| `role`                          | `string`   | Role of the discovered targets.                                                                      |          | yes      |
| `all_tenants`                   | `bool`     | Whether the service discovery should list all instances for all projects.                            | `false`  | no       |
| `application_credential_id`     | `string`   | OpenStack application credential ID for the Identity V2 and V3 APIs.                                 |          | no       |
| `application_credential_name`   | `string`   | OpenStack application credential name for the Identity V2 and V3 APIs.                               |          | no       |
| `application_credential_secret` | `secret`   | OpenStack application credential secret for the Identity V2 and V3 APIs.                             |          | no       |
| `availability`                  | `string`   | The availability of the endpoint to connect to.                                                      | `public` | no       |
| `domain_id`                     | `string`   | OpenStack domain ID for the Identity V2 and V3 APIs.                                                 |          | no       |
| `domain_name`                   | `string`   | OpenStack domain name for the Identity V2 and V3 APIs.                                               |          | no       |
| `identity_endpoint`             | `string`   | Specifies the HTTP endpoint that’s required to work with the Identity API of the appropriate version |          | no       |
| `password`                      | `secret`   | Password for the Identity V2 and V3 APIs.                                                            |          | no       |
| `port`                          | `int`      | The port to scrape metrics from.                                                                     | `80`     | no       |
| `project_id`                    | `string`   | OpenStack project ID for the Identity V2 and V3 APIs.                                                |          | no       |
| `project_name`                  | `string`   | OpenStack project name for the Identity V2 and V3 APIs.                                              |          | no       |
| `refresh_interval`              | `duration` | Refresh interval to re-read the instance list.                                                       | `"60s"`  | no       |
| `userid`                        | `string`   | OpenStack user ID for the Identity V2 and V3 APIs.                                                   |          | no       |
| `username`                      | `string`   | OpenStack username for the Identity V2 and V3 APIs.                                                  |          | no       |

`role` must be one of `hypervisor` or `instance`.

`all_tenants` is only relevant for the `instance` role and usually requires administrator permissions.

`application_credential_id` or `application_credential_name` fields are required if using an application credential to authenticate. Some providers allow you to create an application credential to authenticate rather than a password.

`application_credential_secret` field is required if using an application credential to authenticate.

`availability` must be one of `public`, `admin`, or `internal`.

`project_id` and `project_name` fields are optional for the Identity V2 API. Some providers allow you to specify a `project_name` instead of the `project_id` and some require both.

`username` is required if using Identity V2 API. In Identity V3, either `userid` or a combination of `username` and `domain_id` or `domain_name` are needed.

## Blocks

You can use the following block with `discovery.openstack`:

No valid configuration blocks found.

### `tls_config`

Expand table

| Name                   | Type     | Description                                              | Default | Required |
|------------------------|----------|----------------------------------------------------------|---------|----------|
| `ca_pem`               | `string` | CA PEM-encoded text to validate the server with.         |         | no       |
| `ca_file`              | `string` | CA certificate to validate the server with.              |         | no       |
| `cert_pem`             | `string` | Certificate PEM-encoded text for client authentication.  |         | no       |
| `cert_file`            | `string` | Certificate file for client authentication.              |         | no       |
| `insecure_skip_verify` | `bool`   | Disables validation of the server certificate.           |         | no       |
| `key_file`             | `string` | Key file for client authentication.                      |         | no       |
| `key_pem`              | `secret` | Key PEM-encoded text for client authentication.          |         | no       |
| `min_version`          | `string` | Minimum acceptable TLS version.                          |         | no       |
| `server_name`          | `string` | ServerName extension to indicate the name of the server. |         | no       |

The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:

- `ca_pem` and `ca_file`
- `cert_pem` and `cert_file`
- `key_pem` and `key_file`

When configuring client authentication, both the client certificate (using `cert_pem` or `cert_file`) and the client key (using `key_pem` or `key_file`) must be provided.

When `min_version` isn’t provided, the minimum acceptable TLS version is inherited from Go’s default minimum version, TLS 1.2. If `min_version` is provided, it must be set to one of the following strings:

- `"TLS10"` (TLS 1.0)
- `"TLS11"` (TLS 1.1)
- `"TLS12"` (TLS 1.2)
- `"TLS13"` (TLS 1.3)

## Exported fields

The following fields are exported and can be referenced by other components:

Expand table

| Name      | Type                | Description                                           |
|-----------|---------------------|-------------------------------------------------------|
| `targets` | `list(map(string))` | The set of targets discovered from the OpenStack API. |

### `hypervisor` role

The `hypervisor` role discovers one target per Nova hypervisor node. The target address defaults to the `host_ip` attribute of the hypervisor.

- `__meta_openstack_hypervisor_host_ip`: The hypervisor node’s IP address.
- `__meta_openstack_hypervisor_hostname`: The hypervisor node’s name.
- `__meta_openstack_hypervisor_id`: The hypervisor node’s ID.
- `__meta_openstack_hypervisor_state`: The hypervisor node’s state.
- `__meta_openstack_hypervisor_status`: The hypervisor node’s status.
- `__meta_openstack_hypervisor_type`: The hypervisor node’s type.

### `instance` role

The `instance` role discovers one target per network interface of Nova instance. The target address defaults to the private IP address of the network interface.

- `__meta_openstack_address_pool`: The pool of the private IP.
- `__meta_openstack_instance_flavor`: The flavor of the OpenStack instance, or the flavor ID if the flavor name isn’t available.
- `__meta_openstack_instance_id`: The OpenStack instance ID.
- `__meta_openstack_instance_image`: The ID of the image the OpenStack instance is using.
- `__meta_openstack_instance_name`: The OpenStack instance name.
- `__meta_openstack_instance_status`: The status of the OpenStack instance.
- `__meta_openstack_private_ip`: The private IP of the OpenStack instance.
- `__meta_openstack_project_id`: The project (tenant) owning this instance.
- `__meta_openstack_public_ip`: The public IP of the OpenStack instance.
- `__meta_openstack_tag_<key>`: Each metadata item of the instance, with any unsupported characters converted to an underscore.
- `__meta_openstack_user_id`: The user account owning the tenant.

## Component health

`discovery.openstack` is only reported as unhealthy when given an invalid configuration. In those cases, exported fields retain their last healthy values.

## Debug information

`discovery.openstack` doesn’t expose any component-specific debug information.

## Debug metrics

`discovery.openstack` doesn’t expose any component-specific debug metrics.

## Example

Alloy ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```alloy
discovery.openstack "example" {
  role   = "<OPENSTACK_ROLE>"
  region = "<OPENSTACK_REGION>"
}

prometheus.scrape "demo" {
  targets    = discovery.openstack.example.targets
  forward_to = [prometheus.remote_write.demo.receiver]
}

prometheus.remote_write "demo" {
  endpoint {
    url = "<PROMETHEUS_REMOTE_WRITE_URL>"

    basic_auth {
      username = "<USERNAME>"
      password = "<PASSWORD>"
    }
  }
}
```

Replace the following:

- *`<OPENSTACK_ROLE>`* : Your OpenStack role.
- *`<OPENSTACK_REGION>`* : Your OpenStack region.
- *`<PROMETHEUS_REMOTE_WRITE_URL>`* : The URL of the Prometheus remote\_write-compatible server to send metrics to.
- *`<USERNAME>`* : The username to use for authentication to the `remote_write` API.
- *`<PASSWORD>`* : The password to use for authentication to the `remote_write` API.

## Compatible components

`discovery.openstack` has exports that can be consumed by the following components:

- Components that consume [Targets](../../../compatibility/#targets-consumers)

> Note
> 
> Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.