Mica is an open-source Terraform and OpenTofu provider for Pure Storage FlashBlade® scale-out storage arrays.
Mica is independent and is NOT affiliated with, endorsed by, or sponsored by Pure Storage, Inc.
Pure Storage®, FlashBlade®, and Purity® are registered trademarks of Pure Storage, Inc. and/or its affiliates. This project uses these names only as nominative descriptive references to identify the target system. See NOTICE for full attribution.
Mica deliberately uses different prefixes between Terraform and Pulumi:
- Terraform / OpenTofu: resources are named `flashblade_bucket`, `flashblade_target`, etc. — the prefix describes the target system, following the convention of `aws_*`, `google_*`, `vsphere_*` providers.
- Pulumi: resources are exposed under the `mica:` namespace (`mica.NewBucket(...)` in Go, `mica.Bucket(...)` in Python/TypeScript) — the Pulumi package name is `pulumi-mica`.
This asymmetry exists because the Pulumi package name is itself a published artifact (subject to trademark rules), while the Terraform resource type is a code-internal identifier (descriptive nominative use).
Terraform provider for Pure Storage FlashBlade, managing storage resources via the FlashBlade REST API v2.22.
This provider enables GitOps-driven management of FlashBlade storage: file systems, object store accounts and buckets, access policies, quotas, lifecycle rules, audit filters, QoS policies, cross-array replication, and array-level configuration — all as Terraform resources.
- Terraform >= 1.0
- Go >= 1.25 (for development only)
- FlashBlade array with REST API v2.22+ (Purity//FB 4.6.7+)
```hcl
terraform {
  required_providers {
    flashblade = {
      source  = "numberly/mica"
      version = "~> 2.1"
    }
  }
}
```

```hcl
provider "flashblade" {
  endpoint = "https://flashblade.example.com"

  # Option A: API token
  auth = {
    api_token = var.flashblade_api_token
  }

  # Option B: OAuth2 token exchange
  # auth = {
  #   oauth2 = {
  #     client_id = var.client_id
  #     key_id    = var.key_id
  #     issuer    = var.issuer
  #   }
  # }
}
```

Environment variables: `FLASHBLADE_HOST`, `FLASHBLADE_API_TOKEN`.
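A pre-commit style check for the provider block above, added here as an example (not part of the Mica project): it flags any `api_token` assigned a quoted literal instead of a variable reference, so the token stays in `var.flashblade_api_token` or `FLASHBLADE_API_TOKEN` and out of version control. The function names and sample configurations are constructed for illustration, and the check assumes single-line assignments.

```python
import re

# `api_token = <value>` as used in the provider's `auth` block.
API_TOKEN_ASSIGNMENT = re.compile(r'^\s*api_token\s*=\s*(?P<value>.+?)\s*$')
# A quoted string with no ${...} interpolation, i.e. a literal value.
LITERAL_STRING = re.compile(r'^"(?:[^"\\$]|\\.|\$(?!\{))*"$')
# Constructed sample inputs (not real credentials).
SAFE_CONFIG = '''
provider "flashblade" {
  auth = {
    api_token = var.flashblade_api_token
  }
}
'''
UNSAFE_CONFIG = '''
provider "flashblade" {
  endpoint = "https://flashblade.example.com"
  auth = {
    # api_token = "commented-out-placeholder"
    api_token = "constructed-placeholder-token"  # constructed value
  }
}
'''


def strip_comment(line):
    """Drop a trailing # or // comment that sits outside a quoted string."""
    in_string, i = False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and in_string:
            i += 2  # skip the escaped character
            continue
        if ch == '"':
            in_string = not in_string
        elif not in_string and (ch == "#" or line.startswith("//", i)):
            return line[:i]
        i += 1
    return line


def find_hardcoded_tokens(hcl_text):
    """Return the 1-based line numbers where api_token is a string literal."""
    findings = []
    for number, raw in enumerate(hcl_text.splitlines(), start=1):
        match = API_TOKEN_ASSIGNMENT.match(strip_comment(raw))
        if match and LITERAL_STRING.match(match.group("value")):
            findings.append(number)
    return findings
```

Only line numbers are returned, so the check never echoes the token value into CI logs.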
| Resource | Data Source | Description |
|---|---|---|
| `flashblade_file_system` | ✅ | NFS/SMB file system with soft-delete lifecycle |
| `flashblade_bucket` | ✅ | S3 bucket (versioning, quota, eradication, object lock, public access) |
| `flashblade_object_store_account` | ✅ | Object store account (S3 namespace) |
| `flashblade_object_store_access_key` | ✅ | S3 access key pair (cross-array secret sharing) |
| `flashblade_object_store_user` | ✅ | S3 user (CRD, no update — API limitation) |
| `flashblade_object_store_user_policy` | — | Associate an access policy to a user |

| Resource | Data Source | Description |
|---|---|---|
| `flashblade_lifecycle_rule` | ✅ | Per-bucket lifecycle rule (version retention, multipart cleanup) |
| `flashblade_bucket_access_policy` | ✅ | Per-bucket IAM-style access policy |
| `flashblade_bucket_access_policy_rule` | — | Rule within a bucket access policy (principals format varies by firmware) |
| `flashblade_bucket_audit_filter` | ✅ | Per-bucket S3 audit filter (actions + prefix) |
| `flashblade_qos_policy` | ✅ | QoS policy (bandwidth + IOPS limits) |
| `flashblade_qos_policy_member` | — | Assign QoS policy to file systems or realms (buckets not supported on API v2.22) |

| Resource | Data Source | Description |
|---|---|---|
| `flashblade_server` | ✅ | FlashBlade server with DNS configuration |
| `flashblade_file_system_export` | ✅ | File system export to a server (NFS) |
| `flashblade_object_store_account_export` | ✅ | Object store account export to a server (S3) |
| `flashblade_object_store_virtual_host` | ✅ | S3 virtual-hosted-style endpoint |

| Resource | Data Source | Description |
|---|---|---|
| `flashblade_subnet` | ✅ | Layer-3 subnet on a LAG (prefix, gateway, MTU, VLAN) |
| `flashblade_network_interface` | ✅ | Virtual IP (data, sts, egress-only, replication services) |
| — | `flashblade_link_aggregation_group` | Link aggregation group status (read-only, hardware-managed) |

| Resource | Data Source | Description |
|---|---|---|
| `flashblade_nfs_export_policy` | ✅ | NFS export policy |
| `flashblade_nfs_export_policy_rule` | — | Rule within an NFS export policy |

| Resource | Data Source | Description |
|---|---|---|
| `flashblade_smb_share_policy` | ✅ | SMB share policy (file permissions) |
| `flashblade_smb_share_policy_rule` | — | Rule within an SMB share policy |
| `flashblade_smb_client_policy` | ✅ | SMB client policy (auth, encryption) |
| `flashblade_smb_client_policy_rule` | — | Rule within an SMB client policy |

| Resource | Data Source | Description |
|---|---|---|
| `flashblade_object_store_access_policy` | ✅ | IAM-style S3 access policy |
| `flashblade_object_store_access_policy_rule` | — | Rule within an S3 access policy |
| `flashblade_s3_export_policy` | ✅ | S3 export transport-level access policy |
| `flashblade_s3_export_policy_rule` | — | Rule within an S3 export policy |

| Resource | Data Source | Description |
|---|---|---|
| `flashblade_snapshot_policy` | ✅ | Snapshot schedule policy |
| `flashblade_snapshot_policy_rule` | — | Rule within a snapshot policy |
| `flashblade_network_access_policy` | ✅ | Network access policy (singleton) |
| `flashblade_network_access_policy_rule` | — | Rule within a network access policy |

| Resource | Data Source | Description |
|---|---|---|
| `flashblade_quota_user` | ✅ | Per-filesystem user quota |
| `flashblade_quota_group` | ✅ | Per-filesystem group quota |

| Resource | Data Source | Description |
|---|---|---|
| `flashblade_array_dns` | ✅ | Array DNS configuration (singleton) |
| `flashblade_array_ntp` | ✅ | Array NTP server list (singleton) |
| `flashblade_array_smtp` | ✅ | Array SMTP relay and alert watchers (singleton) |
| `flashblade_syslog_server` | ✅ | Syslog server configuration |

| Resource | Data Source | Description |
|---|---|---|
| `flashblade_object_store_remote_credentials` | ✅ | S3 credentials for cross-array replication |
| `flashblade_bucket_replica_link` | ✅ | Bucket-to-bucket replica link (pause/resume) |
| — | `flashblade_array_connection` | Array connection status (read-only) |

Total: 40 resources, 32 data sources | Full API Coverage Roadmap

Production-ready configurations showing how resources compose together:
| Workflow | Description |
|---|---|
| Object Store Setup | S3-compatible storage: account, bucket, access key |
| NFS File Share | Team shared storage with export policy |
| Multi-Protocol File System | Windows + Linux access on same FS |
| Array Admin Baseline | Day-1 DNS, NTP, SMTP configuration |
| Secured S3 Bucket | Bucket with network + access policies |
| S3 Tenant Full-Stack | Complete S3 onboarding: server → account → export → policies → key → bucket |
| Vault S3 Onboarding | Same as above + Vault for zero-secret credential management |
| S3 Bucket Replication | Bidirectional cross-array S3 replication with shared credentials |
| Bucket Advanced Features | Lifecycle rules, access policies, audit filters, QoS |
| Networking Stack | LAG, subnet, and VIP management with server attachment |
```sh
# Build
make build

# Run unit tests
make test

# Run linter
make lint

# Regenerate docs/
make docs

# Install locally for manual testing
make install
```

This provider covers ~61% of IaC-relevant FlashBlade API v2.22 endpoints. See ROADMAP.md for the full coverage matrix, including what's implemented, what's planned, and what's not applicable for Terraform.
Generated docs are in the docs/ directory and published to the Terraform Registry.
- Fork the repository
- Create a feature branch
- Run `make test` and `make lint` before opening a PR
- Ensure `make docs` produces no diff
- Update ROADMAP.md when adding new resources or data sources
Mica is licensed under the GNU General Public License v3.0.
The provider is invoked by Terraform and OpenTofu via gRPC IPC. Your Terraform configurations and infrastructure-as-code do not become subject to GPL v3 simply by using Mica — the IPC boundary is the license boundary, the same way the Linux kernel does not impose GPL on userspace programs.
If you redistribute Mica (binaries or source), you must comply with GPL v3: provide source code or a written offer to provide it, and preserve the LICENSE and NOTICE files.
