I have a question about how to create an instance in the cloud and init scripts:
I have an example stack for creating HashiCorp Vault in Hetzner:
provider "hcloud" {
  token = var.hcloud_token
}

resource "hcloud_server" "vault" {
  name        = "vault-server"
  image       = "ubuntu-22.04"
  server_type = "cx21"
  location    = "nbg1" # or fsn1 / hel1
  ssh_keys    = [var.ssh_key_name]

  # <<-EOF strips the common leading indentation, so the YAML below is
  # valid cloud-config once Terraform has rendered it.
  user_data = <<-EOF
    #cloud-config
    package_update: true
    packages:
      - unzip
      - curl

    # The config files are written with write_files instead of echo: the
    # one-line listener stanza was not valid HCL (attributes need their own
    # lines), and a multi-line echo is not valid YAML inside a runcmd item.
    write_files:
      - path: /etc/vault.d/vault.hcl
        permissions: "0640"
        content: |
          listener "tcp" {
            address     = "0.0.0.0:8200"
            tls_disable = 1 # as in the original; add TLS before exposing this listener
          }
          storage "file" {
            path = "/opt/vault/data"
          }
      - path: /etc/systemd/system/vault.service
        content: |
          [Unit]
          Description=Vault service
          After=network.target

          [Service]
          User=vault
          Group=vault
          ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl
          ExecReload=/bin/kill --signal HUP $MAINPID
          KillMode=process
          Restart=on-failure

          [Install]
          WantedBy=multi-user.target

    runcmd:
      # Download the release and verify it against HashiCorp's published
      # checksums before installing the binary.
      - cd /tmp
      - curl -fsSLO https://releases.hashicorp.com/vault/1.15.4/vault_1.15.4_linux_amd64.zip
      - curl -fsSLO https://releases.hashicorp.com/vault/1.15.4/vault_1.15.4_SHA256SUMS
      - sha256sum --check --ignore-missing vault_1.15.4_SHA256SUMS
      - unzip vault_1.15.4_linux_amd64.zip
      - install -m 0755 vault /usr/local/bin/vault
      - mkdir -p /opt/vault/data
      - useradd --system --home /etc/vault.d --shell /bin/false vault
      # write_files ran as root, so hand the config over to the service user.
      - chown -R vault:vault /etc/vault.d /opt/vault
      - systemctl daemon-reload
      - systemctl enable --now vault
  EOF
}
Additionally I will add a firewall setup, backups, log exports etc., but I don't include all the scripts in this post.
Is it good practice to create everything in Terraform? Maybe it would be better to:
- Create the infrastructure only via Terraform.
- Install Vault, firewall, backups etc. with an Ansible playbook.
What would you do?
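One way to lay out the split described in the last two bullets, as an added example that is not part of the original post or of the Hetzner provider's documentation: Terraform owns the server and its firewall and writes an Ansible inventory from the server's address, while everything that runs on the box (Vault, backups, log shipping) moves to a playbook. The variable admin_cidr and the playbook name vault.yml are assumptions; the hcloud_firewall rule attributes and the firewall_ids argument are as I know them from the hetznercloud/hcloud provider and should be checked against the version you pin.

```hcl
terraform {
  required_providers {
    hcloud = { source = "hetznercloud/hcloud" }
    local  = { source = "hashicorp/local" }
  }
}

variable "hcloud_token" { sensitive = true }
variable "ssh_key_name" {}
# Assumed variable: the only network allowed to reach SSH and the Vault API.
variable "admin_cidr" {}

provider "hcloud" {
  token = var.hcloud_token
}

# Only infrastructure lives here. The firewall is created first and attached
# at boot, so neither port is ever open to the whole internet.
resource "hcloud_firewall" "vault" {
  name = "vault-firewall"

  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "22"
    source_ips = [var.admin_cidr]
  }

  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "8200"
    source_ips = [var.admin_cidr]
  }
}

resource "hcloud_server" "vault" {
  name         = "vault-server"
  image        = "ubuntu-22.04"
  server_type  = "cx21"
  location     = "nbg1"
  ssh_keys     = [var.ssh_key_name]
  firewall_ids = [hcloud_firewall.vault.id]
  # No user_data: installing and configuring Vault is done by Ansible, so it
  # can be re-run, reviewed and changed without replacing the server.
}

# Hand the server to Ansible: the inventory is generated from state, so the
# address never has to be copied by hand. 0600 keeps the host list private.
resource "local_file" "ansible_inventory" {
  filename        = "${path.module}/inventory.ini"
  file_permission = "0600"
  content         = <<-EOT
    [vault]
    ${hcloud_server.vault.ipv4_address} ansible_user=root
  EOT
}

output "vault_ipv4" {
  value = hcloud_server.vault.ipv4_address
}
```

With this layout the workflow is `terraform apply` followed by `ansible-playbook -i inventory.ini vault.yml` (playbook name assumed). The Vault install, service unit and checksum verification from the cloud-config above become tasks in that playbook, and a later change to the Vault version or listener config is a playbook run rather than a server rebuild.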