# Nebius Cloud

Firefly integrates with Nebius Cloud to pull in information about your cloud resources—such as compute instances, GPU clusters, Kubernetes node groups, PostgreSQL clusters, container registries, and more—directly into your Firefly Inventory. This enables you to view, manage, and govern Nebius assets. You can use Firefly to enforce infrastructure-as-code (IaC) practices and apply policies across your Nebius environment, helping ensure compliance, visibility, and best practices at scale.

## Best Practices

1. For governance, mark your production integrations using the "Mark as Production" option during setup (or edit this setting later in the Integrations window).
2. Use a dedicated Nebius service account for Firefly's access rather than sharing one with other applications.
3. Store Firefly API credentials securely using environment variables or a secrets manager.

## Integration Method

Nebius integration is performed using a Terraform module that creates the necessary IAM resources and registers the integration with Firefly.

* [Terraform Module](#using-terraform-module): Creates a service account with read access to your Nebius resources and optionally configures audit log permissions for event-driven integration.

### Using Terraform Module

The Terraform module is the recommended method for Nebius integration as it provides automated, repeatable deployment that fits into your existing IaC workflows.

#### Prerequisites

* **Terraform** >= 1.5.0 installed
* **Nebius CLI** installed and configured ([Installation Guide](https://docs.nebius.com/cli/install))
* **Firefly Credentials** (access key and secret key from Firefly console)
* IAM admin permissions in your Nebius tenant (to create service accounts and access permits)

#### Setup Procedure

1. Log in to your Nebius tenant with permissions to create IAM resources.
2. In Firefly, go to **Settings > Integrations**.
3. Select **Add New > Nebius**.
4. Enter your **Tenant ID** and **Project ID** (see [Getting Your IDs](#getting-your-ids) below).
5. (Optional) Enter an **Integration Name** to customize how this integration appears in Firefly.
6. (Optional) Select **Mark as Production** to flag this account as production in Firefly.
7. (Optional) Select **Enable Event-Driven** to enable audit log permissions for real-time event-driven scanning.
8. Click **Generate Terraform Snippet** to create the module configuration.
9. Copy the generated Terraform snippet to a new file (e.g., `main.tf`).
10. Configure Nebius authentication (see [Authentication Methods](#nebius-authentication-methods) below).
11. Run `terraform init && terraform plan && terraform apply`.
12. Once the Terraform apply completes, Firefly will automatically detect the integration and begin scanning your resources.

#### Getting Your IDs

Use the Nebius CLI to retrieve your Tenant ID and Project ID:

```bash
# Get tenant ID
nebius iam tenant list

# Get project ID (replace <tenant-id> with your tenant ID)
nebius iam project list --parent-id <tenant-id>
```

#### Nebius Authentication Methods

The Terraform module supports three authentication methods for running the onboarding:

**Option 1: Environment Variables (Recommended for CI/CD)**

Set the following environment variables before running Terraform:

```bash
export NB_SA_ID="serviceaccount-xxxxxxxxxxxx"
export NB_SA_PUBLIC_KEY_ID="publickey-xxxxxxxxxxxx"
export NB_SA_PRIVATE_KEY_FILE="/path/to/private.pem"
```

In your Terraform configuration:

```hcl
nebius_auth_method = "env"
```

**Option 2: Direct Credentials**

Specify credentials directly in the Terraform module:

```hcl
nebius_auth_method        = "service_account"
nebius_service_account_id = "serviceaccount-xxxxxxxxxxxx"
nebius_public_key_id      = "publickey-xxxxxxxxxxxx"
nebius_private_key_file   = "/path/to/private.pem"
```

**Option 3: CLI Profile (Local Development)**

Use an existing Nebius CLI profile:

```hcl
nebius_auth_method = "profile"
nebius_profile     = "myprofile"
```

#### Creating Nebius Admin Credentials

If you need to create new admin credentials for running the Terraform module:

```bash
# Key material is written below; make new files readable by the current user only
umask 077

# Create service account with admin permissions
nebius iam service-account create --name firefly-admin-sa --parent-id <project-id>

# Get service account ID
export SA_ID=$(nebius iam service-account get-by-name \
  --name firefly-admin-sa --format json | jq -r ".metadata.id")

# Add to admin group (replace <admin-group-id> with your admin group)
nebius iam group-membership create --parent-id <admin-group-id> --member-id "$SA_ID"

# Generate authorized key
nebius iam auth-public-key generate --service-account-id "$SA_ID" \
  --output ~/nebius-admin-key.json

# Extract credentials for environment variables
export NB_SA_ID=$(jq -r '.["subject-credentials"].iss' ~/nebius-admin-key.json)
export NB_SA_PUBLIC_KEY_ID=$(jq -r '.["subject-credentials"].kid' ~/nebius-admin-key.json)
jq -r '.["subject-credentials"]["private-key"]' ~/nebius-admin-key.json > ~/nebius-admin.pem

# Both files hold the admin private key; restrict them even if they already existed
chmod 600 ~/nebius-admin-key.json ~/nebius-admin.pem
export NB_SA_PRIVATE_KEY_FILE=~/nebius-admin.pem
```
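A pre-flight check for the `env` authentication method, run before `terraform init`, can confirm that the three `NB_SA_*` variables are set and that the extracted key file is a private PEM readable only by its owner. This is an added example, not part of the Firefly module or the Nebius CLI; the function name `check_nebius_env` and the ID prefix checks (taken from the placeholder values on this page) are assumptions.

```python
import os
import stat

# ID prefixes taken from the placeholder values on this page (assumption:
# real IDs have the same shape).
EXPECTED_PREFIX = {
    "NB_SA_ID": "serviceaccount-",
    "NB_SA_PUBLIC_KEY_ID": "publickey-",
}


def check_nebius_env(env):
    """Return a list of problems with the NB_SA_* settings; empty means OK."""
    problems = []
    for name, prefix in EXPECTED_PREFIX.items():
        value = env.get(name, "")
        if not value:
            problems.append(f"{name} is not set")
        elif not value.startswith(prefix):
            problems.append(f"{name} does not start with {prefix!r}")

    key_path = os.path.expanduser(env.get("NB_SA_PRIVATE_KEY_FILE", ""))
    if not key_path:
        return problems + ["NB_SA_PRIVATE_KEY_FILE is not set"]
    try:
        info = os.stat(key_path)
    except OSError as exc:
        return problems + [f"cannot read key file: {exc.strerror}"]
    if not stat.S_ISREG(info.st_mode):
        return problems + ["key file is not a regular file"]

    # Any group/other bit lets other local users reach the admin key.
    if info.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        mode = stat.S_IMODE(info.st_mode)
        problems.append(f"key file mode is {mode:04o}, expected 0600")
    with open(key_path, "r", errors="replace") as fh:
        first_line = fh.readline().strip()
    # `jq -r` writes the literal text "null" when the JSON field is missing.
    if not (first_line.startswith("-----BEGIN") and "PRIVATE KEY" in first_line):
        problems.append("key file does not start with a PEM private-key header")
    return problems


if __name__ == "__main__":
    for problem in check_nebius_env(os.environ):
        print("FAIL:", problem)
```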

#### Terraform Module Example

```hcl
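# Declared sensitive so Terraform redacts the values in plan and apply output.
# Supply them via TF_VAR_firefly_access_key / TF_VAR_firefly_secret_key or a secrets manager.
variable "firefly_access_key" {
  type      = string
  sensitive = true
}

variable "firefly_secret_key" {
  type      = string
  sensitive = true
}

module "firefly_nebius_onboarding" {
  # ref=main tracks the branch head; pin to a reviewed tag or commit for repeatable applies
  source = "github.com/gofireflyio/firefly-nebius-onboarding?ref=main"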

  # Required
  tenant_id          = "tenant-xxxxxxxxxxxx"
  project_id         = "project-xxxxxxxxxxxx"
  firefly_access_key = var.firefly_access_key
  firefly_secret_key = var.firefly_secret_key

  # Nebius Authentication - choose one method:

  # Option 1: Environment variables (default, recommended for CI/CD)
  # Set: NB_SA_ID, NB_SA_PUBLIC_KEY_ID, NB_SA_PRIVATE_KEY_FILE
  nebius_auth_method = "env"

  # Option 2: Direct credentials
  # nebius_auth_method        = "service_account"
  # nebius_service_account_id = "serviceaccount-xxxxxxxxxxxx"
  # nebius_public_key_id      = "publickey-xxxxxxxxxxxx"
  # nebius_private_key_file   = "/path/to/private.pem"

  # Option 3: CLI profile (local development)
  # nebius_auth_method = "profile"
  # nebius_profile     = "myprofile"

  # Optional
  # integration_name  = "My Nebius Integration"
  # is_prod           = true
  # enable_audit_logs = true
}
```

#### Module Variables

**Required Variables**

| Variable             | Description                                             |
| -------------------- | ------------------------------------------------------- |
| `tenant_id`          | Nebius Tenant ID                                        |
| `project_id`         | Nebius Project ID where service account will be created |
| `firefly_access_key` | Firefly access key (from Settings > Access Keys)        |
| `firefly_secret_key` | Firefly secret key                                      |

**Optional Variables**

| Variable                      | Default     | Description                                          |
| ----------------------------- | ----------- | ---------------------------------------------------- |
| `integration_name`            | Tenant name | Custom integration name in Firefly                   |
| `prefix`                      | `""`        | Prefix for created resource names                    |
| `suffix`                      | `""`        | Suffix for created resource names                    |
| `existing_service_account_id` | `null`      | Use existing service account instead of creating new |
| `existing_group_id`           | `null`      | Use existing group instead of creating new           |
| `is_prod`                     | `true`      | Mark integration as production environment           |
| `enable_audit_logs`           | `true`      | Enable audit log permissions for event-driven        |
| `skip_integration_request`    | `false`     | Skip Firefly API registration (for testing)          |

#### Created Resources

The Terraform module creates the following resources in your Nebius tenant:

| Resource         | Name                             | Description                                        |
| ---------------- | -------------------------------- | -------------------------------------------------- |
| Service Account  | `firefly-integration`            | Used by Firefly to access your environment         |
| Group            | `firefly-group`                  | Contains the service account                       |
| Group Membership | —                                | Links service account to group                     |
| Access Permit    | `viewer`                         | Read-only access on tenant for inventory discovery |
| Access Permit    | `auditlogs.audit-event-viewer`   | View audit logs (if event-driven enabled)          |
| Access Permit    | `auditlogs.audit-event-exporter` | Export audit logs (if event-driven enabled)        |
| Auth Public Key  | —                                | RSA key pair for service account authentication    |

#### IAM Permissions

The integration creates the following access permits:

* **Viewer Role** — Allows Firefly to discover and inventory all Nebius resources in your tenant, including compute instances, GPU clusters, Kubernetes resources, databases, and storage.

When event-driven integration is enabled:

* **Audit Log Viewer** — Allows reading audit log events for real-time change detection.
* **Audit Log Exporter** — Allows exporting audit log events to Firefly for processing and analysis.

#### Event-Driven Integration

When `enable_audit_logs` is set to `true` (default), the integration configures audit log permissions for real-time event-driven scanning. This enables Firefly to detect changes in your Nebius environment as they happen, providing faster drift detection and inventory updates.
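Because the module writes IAM access permits into your tenant, it is worth checking the plan against the roles documented above before applying it. The following added example (not part of the Firefly module) reads `terraform show -json` output and reports any access permit role outside that list for the chosen `enable_audit_logs` setting. The resource type `nebius_iam_v1_access_permit`, the `role` attribute name, the resource addresses, and the `editor` role in the constructed sample are assumptions; adjust them to what your own plan shows.

```python
import json

# Roles this page lists under "Created Resources".
BASE_ROLES = {"viewer"}
AUDIT_ROLES = {"auditlogs.audit-event-viewer", "auditlogs.audit-event-exporter"}


def find_roles(value):
    """Yield every string stored under a key named "role" in nested plan data."""
    if isinstance(value, dict):
        for key, item in value.items():
            if key == "role" and isinstance(item, str):
                yield item
            else:
                yield from find_roles(item)
    elif isinstance(value, list):
        for item in value:
            yield from find_roles(item)


def review_plan(plan, enable_audit_logs=True):
    """Return (address, role) pairs that this page does not document."""
    allowed = BASE_ROLES | (AUDIT_ROLES if enable_audit_logs else set())
    unexpected = []
    for rc in plan.get("resource_changes", []):
        # Assumption: access permits have a resource type ending in "access_permit".
        if not rc.get("type", "").endswith("access_permit"):
            continue
        change = rc.get("change", {})
        if not {"create", "update"} & set(change.get("actions", [])):
            continue
        for role in find_roles(change.get("after") or {}):
            if role not in allowed:
                unexpected.append((rc.get("address", "?"), role))
    return unexpected


# Constructed sample shaped like `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "nebius_iam_v1_access_permit.viewer", "type": "nebius_iam_v1_access_permit",
   "change": {"actions": ["create"], "after": {"role": "viewer"}}},
  {"address": "nebius_iam_v1_access_permit.audit_viewer", "type": "nebius_iam_v1_access_permit",
   "change": {"actions": ["create"], "after": {"role": "auditlogs.audit-event-viewer"}}},
  {"address": "nebius_iam_v1_access_permit.extra", "type": "nebius_iam_v1_access_permit",
   "change": {"actions": ["create"], "after": {"role": "editor"}}}
]}
""")

if __name__ == "__main__":
    for address, role in review_plan(SAMPLE_PLAN):
        print(f"undocumented role {role!r} granted by {address}")
```

To use it on a real plan, save the plan with `terraform plan -out=tfplan`, export it with `terraform show -json tfplan`, and pass the parsed JSON to `review_plan`.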

## Nebius Discovery Status

To scan your integration for changes and discover new assets on demand:

### Procedure

1. Go to **Settings > Integrations > Nebius**.
2. Find the integration you want to scan.
3. For asset changes, on the integration menu, select **Scan Assets**.
4. For IaC stack changes, on the integration menu, select **Scan Stacks**.
5. View changes in the Inventory and/or IaC Explorer after several minutes.

## Policy Evolution

The Terraform module uses versioned policies (`policy_version` output) to track permission changes over time. When Firefly requires additional permissions in the future, you can update the module version and re-apply to get the new policy.

## Additional Resources

* [Firefly Nebius Onboarding Module](https://github.com/gofireflyio/firefly-nebius-onboarding) — GitHub repository with full documentation
* [Nebius Cloud Documentation](https://docs.nebius.com) — Official Nebius documentation
* [Nebius CLI Installation](https://docs.nebius.com/cli/install) — Guide to installing the Nebius CLI

