Terraform Modul cloud_init

Terraform module to template cloud-init user data

Disclaimer

currently only tested with Ubuntu Focal Fossa and Jammy Jellyfish

Motivation

There is a terraform-provider cloudinit, which can be used to render cloud-init data.

This module is not completely generic like cloudinit. It supports the installation of features. Some features are simple package installations or downloads of tools. Other features have more functionality.

For instance

• docker_container can be used to configure services that start docker containers.
• nginx can be used to configure nginx

If you use docker_container then docker is activated automatically.

There are more sophisticated features like vault_init in vault that automatically installs the needed features for the logic in the runcmd section for vault_init.

Technical aspects

The following cloud-init modules are used

• Package Update Upgrade Install
• Runcmd
• Write Files

The execution order in cloud-init for these modules is

• init stage
  • write-files
  • users-group
• config stage
  • runcmd
• final stage
  • package-update-upgrade-install

The consequence for the implementation in this module is that tools that are used for configuration are installed by the runcmd module even if there is a package for the tool.

Features

b2

s. B2 Command Line Tool

For input variables: s. b2.

certbot

s. certbot

For input variables: s. certbot.

comment

add comments to cloud-init user data

This can be used to change cloud-init user-data to trigger rebuild without changing relevant data.

For input variables: s. comment.

containerd

s. containerd

For input variables: s. containerd.

croc

s. croc

For input variables: s. croc.

digitalocean

s. digitalocean

For input variables: s. digitalocean.

docker

s. docker

For input variables: s. docker.

docker_container

s. docker

For input variables: s. docker_container.

duplicacy

s. duplicacy

For input variables: s. duplicacy.

encrypted packages

For input variables: s. encrypted_packages.

fail2ban

s. fail2ban

For input variables: s. fail2ban.

gettext_base

s. gettext-base

For input variables: s. gettext_base.

haproxy

s. haproxy

For input variables: s. haproxy.

jq

s. jq

For input variables: s. jq.

golang

s. golang

For input variables: s. golang.

gpg

s. gpg

For input variables: s. gpg.

hetzner

s. hetzner

For input variables: s. hetzner.

mailcow

s. mailcow

For input variables: s. mailcow.

lineinfile

s. lineinfile

For input variables: s. lineinfile.

netcat

s. netcat

For input variables: s. netcat.

network

for network configurations

This is executed first in the cloud-init runcmd module.

For input variables: s. network.

nginx

s. nginx

For input variables: s. nginx.

package

s. package

For input variables: s. package.

rke2

s. rke2

Two different cloud-init userdata can be generated

• for the 1st node
• for the other nodes

The certificates for RKE2 are fetched from a package registry and decrypted with openssl and thus have to pre pre-built. The package also has to contain templates for /etc/rancher/rke2/config.yaml:

• /root/config.yaml.node_1st.envtpl for the first node
• /root/config.yaml.node_other.envtpl for the other nodes

The Cloud-init for the 1st node waits for all nodes to become ready and then puts the created rke2.yaml modified (substitute 127.0.0.1 with the ipv4-address of the 1st node) into Hashicorp Vault.

The cert-manager cert-manager.crds.yaml is pre-installed as manifest in the 1st node.

For input variables: s. rke2.

runcmd

generic gereration of runcmd scripts

For input variables: s. runcmd.

s3cmd

s. S3cmd

For input variables: s. s3cmd.

sshd_config

s. sshd_config

For input variables: s. sshd_config.

terraform

s. terraform

For input variables: s. terraform

tool

generic installing of tools

For input variables: s. tool.

unzip

s. unzip

For input variables: s. unzip.

users

s. users

For input variables: s. users.

vault

s. vault

For input variables: s. vault.

wait_until

s. wait_until

For input variables: s. wait_until.

write_file

generic writing of files

For input variables: s. write_file.

zypper

s. zypper

For input variables: s. zypper.

terraform

Requirements

Name	Version
terraform	>= 1.3
external	~> 2.3.1

Providers

No providers.

Modules

Name	Source	Version
cloud_init_part	./modules/cloud_init_part	n/a
containerd_install_method_binary_needs_containerd_version	rhythmictech/errorcheck/terraform	~> 1.3.0
docker_install_method_binary_needs_docker_version	rhythmictech/errorcheck/terraform	~> 1.3.0
duplicacy_script	./modules/duplicacy_script	n/a
duplicacy_storage_backend_one_of	rhythmictech/errorcheck/terraform	~> 1.3.0
either_rke2_node_1st_or_rke2_node_other	rhythmictech/errorcheck/terraform	~> 1.3.0
gzip_needs_base64_encode	rhythmictech/errorcheck/terraform	~> 1.3.0
mailcow_needs_mailcow_hostname	rhythmictech/errorcheck/terraform	~> 1.3.0
not_mailcow_dovecot_master_auto_generated_needs_mailcow_dovecot_master_user_and_mailcow_dovecot_master_password	rhythmictech/errorcheck/terraform	~> 1.3.0
rke2_node_1st_needs_rke2_node_1st_rke2_role_id	rhythmictech/errorcheck/terraform	~> 1.3.0
rke2_node_1st_needs_rke2_node_1st_rke2_secret_id	rhythmictech/errorcheck/terraform	~> 1.3.0
rke2_node_1st_needs_vault_addr	rhythmictech/errorcheck/terraform	~> 1.3.0
rke2_node_needs_encrypted_package_api_header	rhythmictech/errorcheck/terraform	~> 1.3.0
rke2_node_needs_rke2_node_cert_package_url	rhythmictech/errorcheck/terraform	~> 1.3.0
rke2_node_needs_rke2_node_pre_shared_secret	rhythmictech/errorcheck/terraform	~> 1.3.0
rke2_node_needs_rke2_node_rke2_node_cert_package_secret	rhythmictech/errorcheck/terraform	~> 1.3.0
rke2_node_other_needs_rke2_node_other_node_1st_ip	rhythmictech/errorcheck/terraform	~> 1.3.0
terraform_install_method_binary_needs_terraform_version	rhythmictech/errorcheck/terraform	~> 1.3.0
vault_init_needs_jq_install_method_binary	rhythmictech/errorcheck/terraform	~> 1.3.0
vault_init_needs_vault_init_addr	rhythmictech/errorcheck/terraform	~> 1.3.0
vault_init_pgp_public_keys_needs_vault_vault_init_pgp_public_keys_num_internal_unseal_keys_plus_length_of_pgp_external_public_keys_equals_vault_key_shares	rhythmictech/errorcheck/terraform	~> 1.3.0
vault_init_vault_key_threshold_less_than_or_equal_vault_key_shares	rhythmictech/errorcheck/terraform	~> 1.3.0
vault_install_method_binary_needs_vault_version	rhythmictech/errorcheck/terraform	~> 1.3.0
vault_secure_init_json_needs_vault_init_public_key	rhythmictech/errorcheck/terraform	~> 1.3.0
vault_spread_vault_init_json_needs_vault_spread_vault_init_json_id_file	rhythmictech/errorcheck/terraform	~> 1.3.0
vault_start_needs_vault_api_addr	rhythmictech/errorcheck/terraform	~> 1.3.0
vault_tls_file_encoding_either_text_plain_or_base64	rhythmictech/errorcheck/terraform	~> 1.3.0
vault_vault_init_pgp_public_keys_num_internal_unseal_keys_less_than_or_equal_vault_key_shares	rhythmictech/errorcheck/terraform	~> 1.3.0
write_files_encoding_either_text_plain_or_base64	rhythmictech/errorcheck/terraform	~> 1.3.0

Resources

No resources.

Inputs

Name	Description	Type	Default	Required
b2	if cloud-init user data for installing the BlackBlaze CLI should be generated	bool	false	no
base64_encode	if the cloud-init user data should be base64 encoded	bool	false	no
certbot	if cloud-init user data for installing certbot should be generated	bool	false	no
certbot_automatic_renewal_cron	the cron schedule expression for certbot renewal	string	"0 */12 * * *"	no
certbot_automatic_renewal_cronjob	the cron job for certbot renewal	string	"test -x /usr/bin/certbot -a \\! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew"	no
certbot_automatic_renewal_post_hooks	the certbot automatic renewal post hook scripts	list(object({ file_name = string content = string }))	[]	no
certbot_dns_plugins	the list of certbot plugins to be installed	list(string)	[]	no
comment	if cloud-init user data with comments should be generated	bool	false	no
comments	the comments to be added to cloud-init user data this can be used to change cloud-init user-data to trigger rebuild without changing relevant data	list(string)	[]	no
containerd	if cloud-init user data for installing containerd should be generated	bool	false	no
containerd_install_method	the install method, supported methods are 'binary' - 'binary' uses containerd_version	string	"binary"	no
containerd_version	the containerd version to be installed	string	null	no
croc	if cloud-init user data for installing croc should be generated	bool	false	no
digitalocean	if cloud-init user data for making changes on a Digitalocean Droplet should be generated	bool	false	no
digitalocean_restart_journald	if the journald should be restarted (fixes missing logs)	bool	true	no
docker	if cloud-init user data for installing docker should be generated	bool	false	no
docker_container	if cloud-init user data for installing docker containers should be generated	bool	false	no
docker_container_list	the docker containers the cloud-init user data should be generated for	list(object({ name = string, // --name image = string, ports = optional(string, null), // --publish command = string, environment = optional(map(string), {}), }))	[]	no
docker_install_method	the install method, supported methods are 'apt', 'binary' - 'binary' uses docker_version and activates containerd installation	string	"apt"	no
docker_manipulate_iptables	if docker manipulate ip-tables should not be generated for cloud-init user data for docker	bool	true	no
docker_version	the docker version to be installed	string	null	no
duplicacy	if cloud-init user data for installing duplicacy should be generated	bool	false	no
duplicacy_configurations	the duplicacy configurations	list(object({ working_directory = string, // the working directory for duplicacy which is the default path for the repository to backup password = string, // the value for DUPLICACY_PASSWORD, e.g. the passphrase to encrypt the backups with before they are stored remotely script_file_directory = string, // the path where the scripts for duplicacy init, duplicacy backup, duplicacy restore and duplicacy prune are created storage_backend = string, // the storage backend, possible values are Local disk, Backblaze B2, SSH/SFTP Password, SSH/SFTP Keyfile, Onedrive b2_id = optional(string), // the value for DUPLICACY_B2_ID b2_key = optional(string), // the value for DUPLICACY_B2_KEY ssh_password = optional(string), // the value for DUPLICACY_SSH_PASSWORD ssh_passphrase = optional(string), // the value for DUPLICACY_SSH_PASSPHRASE secret_file_directory = optional(string, "/opt/duplicacy/secret"), // the path where the token and the ssh-key files are created onedrive_token_file_name = optional(string, "one-token.json"), // the filename for DUPLICACY_ONE_TOKEN ssh_key_file_name = optional(string, "id"), // the filename for DUPLICACY_SSH_KEY_FILE secret_file_content = optional(string), // the content for onedrive_token_file_name or ssh_key_file_name snapshot_id = string, // the <snapshot id> for duplicacy init storage_url = string, // the <storage url> for duplicacy init, e.g. the Duplicacy URI of where to store the backups init_script_file_name = optional(string, "init"), // the duplicacy init script file name backup_script_file_name = optional(string, "backup"), // the duplicacy backup script file name prune_script_file_name = optional(string, "prune"), // the duplicacy prune script file name restore_script_file_name = optional(string, "restore"), // the duplicacy restore script file name init_options = optional(string, "-encrypt"), // the options for duplicacy init backup_options = optional(string, ""), // the options for duplicacy backup prune_options = optional(string, "-keep 365:3650 -keep 30:365 -keep 7:30 -keep 1:7 -a"), // the options for duplicacy prune restore_options = optional(string, "-overwrite"), // the options for duplicacy restore log_file_directory = optional(string, "/opt/mailcow/duplicacy/log"), // the directory for the script log files backup_log_file_name = optional(string, "backup.log"), // the file name of the backup log file prune_log_file_name = optional(string, "prune.log"), // the file name of the prune log file restore_log_file_name = optional(string, "restore.log"), // the file name of the restore log file pre_backup_script_file_name = optional(string, "pre-backup"), // the file name of the pre backup script post_backup_script_file_name = optional(string, "post-backup"), // the file name of the post backup script pre_prune_script_file_name = optional(string, "pre-prune"), // the file name of the pre prune script post_prune_script_file_name = optional(string, "post-prune"), // the file name of the post prune script pre_restore_script_file_name = optional(string, "pre-restore"), // the file name of the pre restore script post_restore_script_file_name = optional(string, "post-restore"), // the file name of the post restore script pre_backup_script_file_content = optional(string, null), // the content for the pre backup script post_backup_script_file_content = optional(string, null), // the content for the pre backup script pre_prune_script_file_content = optional(string, null), // the content for the pre prune script post_prune_script_file_content = optional(string, null), // the content for the pre prune script pre_restore_script_file_content = optional(string, null), // the content for the pre restore script post_restore_script_file_content = optional(string, null), // the content for the pre restore script }))	[]	no
duplicacy_path	the path to install duplicacy	string	"/opt/duplicacy"	no
duplicacy_version	the duplicacy version to install	string	"3.1.0"	no
encrypted_packages	if cloud-init user data for the encrypted packages should be generated	bool	false	no
encrypted_packages_list	the encrypted packages the cloud-init user data should be generated for	list(object({ url = string // the url to get the package from api_header = string // the header to authorize getting the package secret = string // the secret to decrypt the package (openssl enc -aes-256-cbc -pbkdf2)" post_cmd = optional(string, null) // the command to be executed after the installing the package name = optional(string, "encrypted_package") // the name of the encrypted package }))	[]	no
fail2ban	if cloud-init user data for installing fail2ban should be generated	bool	false	no
fail2ban_recidive	if recidive jail install should be generated	bool	true	no
fail2ban_sshd	if sshd jail install should be generated	bool	true	no
gettext_base	if cloud-init user data for installing gettext-base should be generated	bool	false	no
golang	if cloud-init user data for installing golang should be generated	bool	false	no
golang_tools	the golang tools to be installed used as parameter for go install	list(string)	[]	no
gpg	if cloud-init user data for installing gpg should be generated	bool	false	no
gzip	if the cloud-init user data should be packed with gzip	bool	false	no
haproxy	if cloud-init user data for installing haproxy should be generated	bool	false	no
haproxy_configuration	the configuration for haproxy the string '$ipv4_public_address' can be used as placeholder for the public ipv4-address of the server (ip route get 8.8.8.8 | grep 8.8.8.8 | cut -d ' ' -f 7)	object({ global = optional( object({ configuration = string, }), { configuration = <<EOT log /dev/log local0 log /dev/log local1 notice chroot /var/lib/haproxy stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners stats timeout 30s user haproxy group haproxy daemon # Default SSL material locations ca-base /etc/ssl/certs crt-base /etc/ssl/private # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets EOT } ), global_additional = optional( object({ configuration = optional(string) }), {} ) frontend = optional( list(object({ label = string, configuration = string, })), [] ), backend = optional( list(object({ label = string, configuration = string, })), [] ), defaults = optional( list(object({ configuration = string, }) ), [ { configuration = <<EOT log global mode http option httplog option dontlognull timeout connect 5000 timeout client 50000 timeout server 50000 errorfile 400 /etc/haproxy/errors/400.http errorfile 403 /etc/haproxy/errors/403.http errorfile 408 /etc/haproxy/errors/408.http errorfile 500 /etc/haproxy/errors/500.http errorfile 502 /etc/haproxy/errors/502.http errorfile 503 /etc/haproxy/errors/503.http errorfile 504 /etc/haproxy/errors/504.http EOT }] ), listen = optional( list(object({ label = string, configuration = string, })), [] ), aggregations = optional( list(object({ label = string, configuration = string, })), [] ), cache = optional( list(object({ label = string, configuration = string, })), [] ), dynamic-update = optional(list(string), []), fcgi-app = optional( list(object({ label = string, configuration = string, })), [] ), http-errors = optional( list(object({ label = string, configuration = string, })), [] ), mailers = optional( list(object({ label = string, configuration = string, })), [] ), peers = optional( list(object({ label = string, configuration = string, })), [] ), program = optional( list(object({ label = string, configuration = string, })), [] ), resolvers = optional( list(object({ label = string, configuration = string, })), [] ), ring = optional( list(object({ label = string, configuration = string, })), [] ), userlist = optional( list(object({ label = string, configuration = string, })), [] ), })	null	no
hetzner	if cloud-init user data for making changes on a Hetzner Cloud Server should be generated	bool	false	no
hetzner_remove_fqdn_resolve	if the FQDN should be removed from the entry 127.0.1.1 ... in /etc/hosts	bool	true	no
ip_addresses	the list of ip address suffixes and the commands to compute them (s. variable ip4_address_command)	list(object({ ip_address_suffix = string computation_command = string }))	[]	no
ipv4_address_command	the command to determin the ipv4 address, other possible ways are - ip route get 8.8.8.8 | grep 8.8.8.8 | sed -E 's/.src (\S) .*/\1/' - ip addr show | grep 'inet ' | grep 'scope global' | cut -d ' ' -f6 | cut -d '/' -f 1 | head -n 1 - curl https://ifconfig.me	string	`"ip addr show	grep 'inet '
jq	if cloud-init user data for installing jq should be generated	bool	false	no
jq_install_method	the install method, supported methods are 'binary', 'packages' - 'binary' uses jq_version - 'packages' implies that jq can not be used for configuring inside cloud-init	string	"binary"	no
jq_version	the jq version to be installed	string	"1.6"	no
lineinfile	if cloud-init user data for installing lineinfile should be generated	bool	false	no
lnxrouter	if cloud-init user data for installing lnxrouter should be generated	bool	false	no
lnxrouter_arguments	- ip_address: specifies the interface ($interface in arguments) - arguments: specifies the command line arguments to start lnxrouter with, $interface will be substituted by the name of the interface bound to the ip_address (`ifconfig	grep --before-context=1 10.0.0.20	grep --only-matching "^\w*"`)	object({ ip_address = optional(string, null) arguments = string })
lnxrouter_start	if lnxrouter should be started	bool	false	no
mailcow	if cloud-init user data for installing mailcow should be generated	bool	false	no
mailcow_acme	the way the Let's Encrypt certificate ist obtained: out-the-box: The "acme-mailcow" container will try to obtain a LE certificate. certbot: The certbot cronjob will manage Let's Encrypt certificates if the Let's Encrypt certificate is obtained out-of-the-box	string	"out-of-the-box"	no
mailcow_acme_staging	if ACME staging should be used (s. https://mailcow.github.io/mailcow-dockerized-docs/firststeps-ssl/#test-against-staging-acme-directory)	bool	false	no
mailcow_additional_san	the additional domains (SSL Certificate Subject Alternative Names), for instance autodiscover.,autoconfig.	string	null	no
mailcow_admin_password	the password for the mailcow administrator	string	null	no
mailcow_admin_user	the username of the mailcow administrator	string	null	no
mailcow_allow_admin_email_login	allows admins and domain admins to directly log into SOGo as a mailbox user, without knowing the users password	bool	false	no
mailcow_api_allow_from	list of IPs to allow API access from	list(string)	[]	no
mailcow_api_key	the API key for mailcow read-write access (allowed characters: a-z, A-Z, 0-9, -)	string	null	no
mailcow_api_key_read_only	the API key for mailcow read-only access (allowed characters: a-z, A-Z, 0-9, -)	string	null	no
mailcow_backup_path	the path for the mailcow backup	string	"/var/backups/mailcow"	no
mailcow_backup_script	the full path for the mailcow backup script	string	"/opt/mailcow/scripts/mailcow-backup.sh"	no
mailcow_branch	the branch value for mailcow (MAILCOW_BRANCH)	string	"master"	no
mailcow_certbot_post_hook_script	the full path for the mailcow certbot post-hook script	string	"/etc/letsencrypt/renewal-hooks/post/mailcow_certbot_post_hook.sh"	no
mailcow_configure_backup	if backup for mailcow should be configured for unattended backup	bool	false	no
mailcow_delete_default_admin_script	the full path for the mailcow delete admin script	string	"/root/mailcow_delete_default_admin.sh"	no
mailcow_docker_compose_project_name	the name for the mailcow docker compose project	string	null	no
mailcow_dovecot_master_auto_generated	if the dovecot master user and password should be auto-generated	bool	true	no
mailcow_dovecot_master_password	the password for the dovecot master user (DOVECOT_MASTER_PASS) if not auto-generated	string	null	no
mailcow_dovecot_master_user	the username of the dovecot master user (DOVECOT_MASTER_USER) if not auto-generated	string	null	no
mailcow_greylisting	if greylisting should be active	bool	true	no
mailcow_hostname	the host name for mailcow	string	null	no
mailcow_install_path	the install path for mailcow	string	"/opt/mailcow-dockerized"	no
mailcow_mynetworks	the list of subnetwork masks to add to mynetworks in postfix if subnetwork masks are provided at the beginning 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 is added (local)	list(string)	[]	no
mailcow_restore_script	the full path for the mailcow restore script	string	"/opt/mailcow/scripts/mailcow-restore.sh"	no
mailcow_rspamd_ip_whitelist	the list of ip adresses to be added to rspamd	list(string)	[]	no
mailcow_rspamd_ui_password	the password for the mailcow Rspamd UI	string	null	no
mailcow_set_admin_script	the full path for the mailcow set admin script	string	"/root/mailcow_set_admin.sh"	no
mailcow_set_rspamd_ui_password_script	the full path for the mailcow set Rspamd UI password script	string	"/root/mailcow_set_rspamd_ui_password.sh"	no
mailcow_submission_port	the postfix submission port (SUBMISSION_PORT in mailcow.conf)	number	null	no
mailcow_timezone	the time zone value for mailcow (MAILCOW_TZ)	string	"Europe/Berlin"	no
mailcow_version	the version to checkout default is mailcow_branch (coded in terraform)	string	null	no
netcat	if cloud-init user data for installing netcat should be generated	bool	false	no
network	if the network should be configured	bool	false	no
network_dispatcher_script_path	the path where network dispatcher scripts should placed	string	"/etc/network-dispatcher"	no
network_dispatcher_scripts	the network dispatcher scripts to be placed at network_dispatcher_script_path and executed the string '$public_interface' can be used as placeholder for the device for internet access (ip route get 8.8.8.8 | grep 8.8.8.8 | cut -d ' ' -f 5)	list(object({ script_file_name = string, script_file_content = string, }))	[]	no
network_resolved_conf_path	the path where network resolved configurations should placed	string	"/etc/systemd/resolved.conf.d/"	no
network_resolved_confs	the resolved configuration files to be placed at network_resolved_conf_path the service systemd-resolved is restarted	list(object({ conf_file_name = string, conf_file_content = string }))	[]	no
nginx	if cloud-init user data for installing nginx should be generated	bool	false	no
nginx_configuration_home	the nginx configuration home	string	"/etc/nginx"	no
nginx_confs	the extra configurations for nginx	list(object({ port = number // the port for listen server_name = string // the server_name for server_name fqdn = string // the FQDN used for include Let's Encrypt certificates: /etc/letsencrypt/live/{{ nginx_conf.FQDN }}/... conf = string // the configuration to be included in the sever stanza }))	[]	no
nginx_gnu	if the GNU Terry Pratchett header should be inserted	bool	true	no
nginx_https_conf	the nginx https configuration after server_name	string	null	no
nginx_https_map	the map stanza configuration for nginx https configuration	string	null	no
nginx_server_fqdn	the FQDN of the server for nginx server_name and Let's Encrypt certificates	string	null	no
package	if cloud-init user data for package should be generated	bool	true	no
package_reboot_if_required	if cloud-init user data for package_reboot_if_required should be generated	bool	false	no
package_update	if cloud-init user data for package_update should be generated	bool	true	no
package_upgrade	if cloud-init user data for package_upgrade should be generated	bool	true	no
packages	the list of packages to be installed	list(string)	[]	no
python3_pip	if cloud-init user data for installing python3-pip should be generated	bool	false	no
python3_pip_modules	the python modules to be installed	list(string)	[]	no
rke2	if cloud-init user data for the rke2 should be generated	bool	false	no
rke2_node_1st	if cloud-init user data for the rke2 1st node should be generated	bool	false	no
rke2_node_1st_cert_manager_crd_version	the version of cert-manager CRDs to be installed	string	"1.11.0"	no
rke2_node_1st_rke2_role_id	the role id for the app role in vault to login and get the token to put the rke2.yaml as kv into vault	string	null	no
rke2_node_1st_rke2_secret_id	the role id for the app role in vault to login and get the token to put the rke2.yaml as kv into vault	string	null	no
rke2_node_1st_vault_addr	the vault address to put the rke2.yml as kv into	string	null	no
rke2_node_1st_vault_field	the vault field used to put the rke2.yaml as kv into vault	string	"rke2_yaml"	no
rke2_node_1st_vault_mount	the vault mount used to put the rke2.yaml as kv into vault	string	"gitlab"	no
rke2_node_1st_vault_path	the vault path used to put the rke2.yaml as kv into vault	string	"rancher/kubeconfig"	no
rke2_node_cert_package_api_header	the header to authorize getting the cert-package	string	null	no
rke2_node_cert_package_secret	the secret to decrypt the cert package (openssl enc -aes-256-cbc -pbkdf2)	string	null	no
rke2_node_cert_package_url	the url to get the cert-package from	string	null	no
rke2_node_config_addendum	the addendum to the rke2 config after the lines 'token: ...' and optional 'server: ...'	string	"cni: cilium"	no
rke2_node_other	if cloud-init user data for the rke2 other nodes should be generated	bool	false	no
rke2_node_other_node_1st_ip	the ip of the 1st node for cloud-init user data for rke2 other nodes	string	null	no
rke2_node_pre_shared_secret	the pre shared secret for /etc/rancher/rke2/config.yaml	string	null	no
runcmd	if runcmd scripts should be configured	bool	false	no
runcmd_done_file	the file created when runcmd is done	string	"/root/cloud_init_runcmd_done"	no
runcmd_scripts	the runcmd scripts to be executed	list(string)	[]	no
s3cmd	if cloud-init user data for installing the S3cmd should be generated	bool	false	no
sshd_config	if cloud-init user data for managing sshd config should be generated	bool	false	no
sshd_config_passwordauthentication	value for PasswordAuthentication in /etc/sshd_config	bool	false	no
sshd_config_remove_authorized_keys	if the file /root/.ssh/authorized_keys should be deleted	bool	false	no
sshd_config_trusted_user_ca_keys	content of /etc/ssh/trusted-user-ca-keys.pem as value for TrustedUserCAKeys	string	null	no
terraform	if cloud-init user data for installing terraform should be generated	bool	false	no
terraform_install_method	the install method, supported methods are 'apt', 'binary' - 'binary' uses terraform_version	string	"apt"	no
terraform_version	the terraform version to be installed	string	null	no
tool	if cloud-init user data for installing tools should be generated	bool	false	no
tools	the list of tools that should be installed	list(object({ name = string, url = string, dest_path = optional(string, "/usr/local/bin"), }))	[]	no
unzip	if cloud-init user data for installing unzip should be generated	bool	false	no
unzip_install_method	the install method, supported methods are 'apt', 'zypper'	string	"apt"	no
user	if cloud-init user data for users should be generated	bool	true	no
users	the list of user configurations	list(object({ name = string, groups = optional(string, null), sudo = optional(string, null), ssh_authorized_keys = optional(list(string), []), passwd = optional(string, null), lock_passwd = optional(bool, true), }))	[]	no
vault	if cloud-init user data for installing vault should be generated	bool	false	no
vault_addr	the vault address (can be used as default for other features)	string	null	no
vault_api_addr	the api_addr: Specifies the address (full URL) to advertise to other Vault servers in the cluster for client redirection. This value is also used for plugin backends. This can also be provided via the environment variable VAULT_API_ADDR. In general this should be set as a full URL that points to the value of the listener address. the string '$ipv4_address' can be used as placeholder for the server ipv4-address	string	null	no
vault_bootstrap_files_path	the path where the files needed for bootstrapping are saved	string	"/root"	no
vault_chown_files	the list of files to be changed to ownership vault:vault (before starting vault)	list(string)	[]	no
vault_cluster_addr	the cluster_addr Specifies the address to advertise to other Vault servers in the cluster for request forwarding. This is a full URL, like api_addr, but Vault will ignore the scheme (all cluster members always use TLS with a private key/certificate). the string '$ipv4_address' can be used as placeholder for the server ipv4-address (determined by variable ipv4_address_command)	string	null	no
vault_config_path	the path for the vault configuration files	string	"/etc/vault.d"	no
vault_disable_mlock	the value for disable_mlock	bool	true	no
vault_helper_cmd_http_address	the vault address (http) for the helper cmds (if null the helper cmds are not installed)	string	null	no
vault_home_path	the home of the vault specific files and folders	string	"/srv/vault"	no
vault_init	if vault should be initialized	bool	true	no
vault_init_json_file_mode	the file mode for the vault init json result files	string	"640"	no
vault_init_pgp_public_keys	the definition of the usage of pgp keys for vault init note: the number of pgp_external_public_keys plus num_internal_unseal_keys has to match vault_key_shares	object({ num_internal_unseal_keys = optional(number, 1), pgp_external_public_keys = optional(list(object({ content = string, encoding = optional(string, "text/plain"), owner = optional(string, "root") group = optional(string, "root") mode = optional(string, "640") })), []) })	null	no
vault_init_public_key	the public RSA key the output of the vault initialization is encoded with (to be decryptable by the corresponding private key with rsadecrypt	string	null	no
vault_install_method	the install method, supported methods are 'apt', 'binary' - 'binary' uses vault_version	string	"apt"	no
vault_key_shares	the number of key shares	number	1	no
vault_key_threshold	the number of key shares required to reconstruct the root key (s. https://developer.hashicorp.com/vault/docs/commands/operator/init#key-threshold)	number	1	no
vault_listeners	the list of listeners the default for each (coded in terraform) - tls_cert_file is vault_tls_cert_file - tls_key_file is vault_tls_key_file - tls_client_ca_file vault_tls_client_ca_file the string '$ipv4_address' can be used as placeholder for the server ipv4-address in address and cluster_adrress	list(object({ address = string, cluster_address = optional(string, null), tls_disable = optional(bool, true), tls_cert_file = optional(string, null), tls_key_file = optional(string, null), tls_client_ca_file = optional(string, null), }))	[]	no
vault_local_addr	the vault address used for vault init, vault operator init, vault operator unseal and vault token revoke during cloud init	string	null	no
vault_log_level	the vault log level	string	"info"	no
vault_raft_leader_tls_servername	the leader_tls_servername	string	null	no
vault_raft_retry_autojoin	the auto_join values for retry_join - auto_join - auto_join_scheme - auto_join_port - computation_command_template: template to compute the node ip matching the ip of another node discover has to be installed for vault_spread_vault_init_json	object({ auto_join = string, auto_join_scheme = optional(string, null), auto_join_port = optional(number, null), ip_computation_command_template = optional(string, "ip route get $ip	grep $ip	sed -E 's/.src (\S) .*/\1/'"), })
vault_receive_vault_init_json	if the vault init json result should be received from spreading	bool	false	no
vault_remove_spread_vault_init_json_id_file	if the ssh id file used for spreading the vault init json result to the cluster should be removed after used	bool	true	no
vault_remove_vault_init_json	if the output of the vault initialization should removed <span style="color:red">ATTENTION: The output of the vault initialization is highly confidential! It is the root of the secret management in vault!"	bool	true	no
vault_revoke_root_token	if the initial root token should be revoked	bool	true	no
vault_secure_init_json	if the output of the vault initialization should secured <span style="color:red">ATTENTION: The output of the vault initialization is highly confidential! It is the root of the secret management in vault!"	bool	true	no
vault_spread_vault_init_json	if the vault init json result should be spread to the cluster	bool	false	no
vault_spread_vault_init_json_id_file	the ssh id file used for spreading the vault init json result to the cluster	string	null	no
vault_start	if vault should be started	bool	false	no
vault_storage_raft_cluster_member_this	the actual instance to be excluded for the retry_join-stanzas	string	null	no
vault_storage_raft_cluster_members	the list of cluster members for the retry_join-stanzas	list(string)	[]	no
vault_storage_raft_node_id	the node_id value for storage "raft"	string	null	no
vault_storage_raft_path	the path value for storage "raft"	string	"/srv/vault/file/raft"	no
vault_storage_raft_retry_join_api_port	the port number for the leader_api_addr in the retry_join-stanzas	number	8200	no
vault_tls_cert_file	the path of the certificate for TLS (tls_cert_file default is vault_storage_raft_leader_client_cert_file (coded in terraform)	string	null	no
vault_tls_client_ca_file	the tls_client_ca_file default is vault_storage_raft_leader_ca_cert_file (coded in terraform)	string	null	no
vault_tls_contents	the vault tls file contents tls_file has to be one of - cert - key - client_ca - storage_raft_leader_ca_cert - storage_raft_leader_client_cert - storage_raft_leader_client_key and the corresponding terraform variable is used as file_name - encoding of the content can be 'text/plain' (default) or 'base64'	list(object({ tls_file = optional(string, null), content = string, encoding = optional(string, "text/plain") owner = optional(string, "vault") group = optional(string, "vault") mode = optional(string, "640") }))	[]	no
vault_tls_files	DEPRECATED: use vault_tls_contents instead the vault tls files filename can contain the placeholders - $vault_tls_cert_file - $vault_tls_key_file - $vault_tls_client_ca_file which are replace by the corresponding terraform variables - encoding of the content can be 'text/plain' (default) or 'base64'	list(object({ file_name = string, content = string, encoding = optional(string, "text/plain") owner = optional(string, "vault") group = optional(string, "vault") mode = optional(string, "640") }))	[]	no
vault_tls_key_file	the path of the private key for the certificate for TLS (tls_key_file) default is vault_storage_raft_leader_client_key_file (coded in terraform)	string	null	no
vault_tls_storage_raft_leader_ca_cert_file	the leader_ca_cert_file default is vault_home_path/tls/client_ca.pem (coded in terraform)	string	null	no
vault_tls_storage_raft_leader_client_cert_file	the leader_client_cert_file default is vault_home_path/tls/cert.pem (coded in terraform)	string	null	no
vault_tls_storage_raft_leader_client_key_file	the leader_client_key_file default is vault_home_path/tls/key.pem (coded in terraform)	string	null	no
vault_ui	if the vault user interface should be activated	bool	false	no
vault_unseal	if vault should be unsealed	bool	false	no
vault_version	the vault version to be installed	string	null	no
vault_zipped_binary_url	the download url for vault install method 'binary' - ${vault_version} is replaced by the value for vault_version - the download has to be a zip file containing the vault binary	string	"https://releases.hashicorp.com/vault/${vault_version}/vault_${vault_version}_linux_amd64.zip"	no
wait_until	if cloud-init user data for installing wait_until should be generated	bool	false	no
write_file	if files should be written	bool	false	no
write_files	the files to be written - encoding of the content can be 'text/plain' (default) or 'base64'	list(object({ file_name = string, content = string, encoding = optional(string, "text/plain"), owner = optional(string, "root"), group = optional(string, "root"), mode = optional(string, "644"), }))	[]	no
zypper	if cloud-init user data for adding zypper repositories should be generated	bool	false	no
zypper_repositories	the zypper repositories that should be added	list(object({ uri = string, alias = string, }))	[ { "alias": "opensuse-oss-leap-15.5", "uri": "http://download.opensuse.org/distribution/leap/15.5/repo/oss/" } ]	no

Outputs

Name	Description
cloud_init	the cloud-init user data
ipv4_address_command	the command to determine the ipv4 address
runcmd_done_file	the file created when runcmd is done
vault	the relevant results from vault install and init