Working with Terraform -

Figure 976. What's it all about?

“Terraform is an infrastructure as code tool that lets you build, change, and version cloud and on-prem resources safely and efficiently.”

Figure 977. Terraform resources

Figure 978. Hetzner API token

Access you cloud project using the Hetzner GUI interface.
Go to Security --> API Tokens --> Generate API token
Provide a name and hit Generate API token.
Copy the generated token's value and store it in a secure location e.g. a password manager.

Caution

The Hetzner GUI blocks future access to the token.

Figure 979. Minimal Terraform configuration

# Define Hetzner cloud provider
terraform {
  required_providers {
    hcloud = {
      source = "hetznercloud/hcloud"
    }
  }
  required_version = ">= 0.13"
}

# Configure the Hetzner Cloud API token
provider "hcloud" {
  token = "your_api_token_goes_here"
}

# Create a server
resource "hcloud_server" "helloServer" {
  name         = "hello"
  image        =  "debian-12"
  server_type  =  "cx11"   
  location     =  "nbg1"
}

Figure 980. Terraform init

$ terraform init

Initializing the backend...

Initializing provider plugins...
- Finding latest version of hetznercloud/hcloud...
- Installing hetznercloud/hcloud v1.46.1...
- Installed hetznercloud/hcloud v1.46.1 (signed by a HashiCorp partner, key ID 5219EACB3A77198B)

...
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above.  ...

Figure 981. Terraform plan

$ terraform plan

Terraform used the selected providers to generate the following execution plan. Resource actions ...
  + create

Terraform will perform the following actions:

  # hcloud_server.helloServer will be created
  + resource "hcloud_server" "helloServer" {
      + allow_deprecated_images    = false
      + backup_window              = (known after apply)
  ...
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Figure 982. Terraform apply

$ terraform apply
...
Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

hcloud_server.helloServer: Creating...
hcloud_server.helloServer: Still creating... [10s elapsed]
hcloud_server.helloServer: Creation complete after 14s [id=45822789]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Figure 983. Credentials by E-Mail

Your server "hello" was created!

You can access your server with the following credentials:
 
IPv4	128.140.108.60
IPv6	2a01:4f8:1c1c:8e3a::/64
User	root
Password	rJ3pNvJXbqMp3XNTvFdq

You will be prompted to change your password on your first login.

To improve security, we recommend that you add an SSH key when creating a server.

Figure 984. Problems: 😟

Firewall blocks ssh server access:
```
$ ssh root@128.140.108.60
ssh: connect to host 128.140.108.60 port 22: Connection refused
```
Access by Vnc console login only
IP and (initial) credentials by email 😱

Solution:

Add firewall inbound ssh access rule.
Configure ssh public key login.

Figure 985. ssh access, firewall

resource "hcloud_firewall" "sshFw" {
  name = "ssh-firewall"
  rule {
    direction = "in"
    protocol  = "tcp"
    port      = "22"
    source_ips = ["0.0.0.0/0", "::/0"]
  }
}
              ...
resource "hcloud_server" "helloServer" {
              ...
  firewall_ids = [hcloud_firewall.sshFw.id]
}

Figure 986. ssh access, public key

resource "hcloud_ssh_key" "goik" {
  name       = "goik@hdm-stuttgart.de"
  public_key = file("~/.ssh/id_ed25519.pub")
}
              ...
resource "hcloud_server" "helloServer" {
              ...
  ssh_keys     = [hcloud_ssh_key.goik.id]
}

Figure 987. Apply ssh key access

$ terraform apply

  # hcloud_firewall.sshFw will be created
  + resource "hcloud_firewall" "sshFw" {
       ...
  # hcloud_server.helloServer will be created
  + resource "hcloud_server" "helloServer" {
       ...
  # hcloud_ssh_key.goik will be created
  + resource "hcloud_ssh_key" "goik" {
       ...
Plan: 3 to add, 0 to change, 0 to destroy.
       ...
Apply complete! Resources: 3 added, 0 changed, 0 destroyed.

Figure 988. Output data details #1/2

See terraform output documentation:

File outputs.tf Result

File `outputs.tf`	Result
`output "hello_ip_addr" { value = hcloud_server.helloServer.ipv4_address description = "The server's IPv4 address" } output "hello_datacenter" { value = hcloud_server.helloServer.datacenter description = "The server's datacenter" }`	`$ terraform output hello_datacenter = "nbg1-dc3" hello_ip_addr = "159.69.152.37"`
`$ terraform output hello_ip_addr "159.69.152.37"`

output "hello_ip_addr" {
  value       = hcloud_server.helloServer.ipv4_address
  description = "The server's IPv4 address"
}

output "hello_datacenter" {
  value       = hcloud_server.helloServer.datacenter
  description = "The server's datacenter"
}

$ terraform output
hello_datacenter = "nbg1-dc3"
hello_ip_addr = "159.69.152.37"

$ terraform output hello_ip_addr
"159.69.152.37"

Figure 989. Output data details #2/2

File outputs.tf terraform output -json

File `outputs.tf`	terraform output `-json`
`output "hello_ip_addr" { value = hcloud_server.helloServer.ipv4_address description = "The server's IPv4 address" } output "hello_datacenter" { value = hcloud_server.helloServer.datacenter description = "The server's datacenter" }`	`{ "hello_datacenter": { "sensitive": false, "type": "string", "value": "nbg1-dc3" }, "hello_ip_addr": { "sensitive": false, "type": "string", "value": "159.69.152.37" } }`

output "hello_ip_addr" {
  value       = hcloud_server.helloServer.ipv4_address
  description = "The server's IPv4 address"
}

output "hello_datacenter" {
  value       = hcloud_server.helloServer.datacenter
  description = "The server's datacenter"
}

{
  "hello_datacenter": {
    "sensitive": false,
    "type": "string",
    "value": "nbg1-dc3"
  },
  "hello_ip_addr": {
    "sensitive": false,
    "type": "string",
    "value": "159.69.152.37"
  }
}

Figure 990. Problem 2: VCS and visible provider API token 😱

Versioned file main.tf:

...
provider "hcloud" { token = "xdaGfz9LmwO8SWkg ... "}
...

Solution:

Declare a variable hcloud_token in a variables.tf file
Add a non-versioned file secrets.auto.tfvars.
Optional: Provide a versioned secrets.auto.tfvars.template documenting file

Figure 991. Solution

Declaring hcloud_token in variables.tf:

variable "hcloud_token" {  # See secret.auto.tfvars
  nullable = false
  sensitive = true
}

Defining hcloud_token's value in secrets.auto.tfvars:

hcloud_token="xdaGfz9LmwO8SWkg ... "

Using hcloud_token in main.tf:

provider "hcloud" { token = var.hcloud_token }

Example in secrets.auto.tfvars.template:

hcloud_token="your_api_token_goes_here"

Figure 992. Duplicate known_hosts entry on re-creating server

$ ssh root@128.140.108.60
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!

Prev	Up	Next
Hetzner cloud administration GUI	Home	Cloud Init

Cloud provider

Working with Terraform

Caution