From dab689391a59180cfc9c022e1745fa02ab79385d Mon Sep 17 00:00:00 2001 From: Marcus Kammer Date: Sun, 12 Jan 2025 12:05:58 +0100 Subject: [PATCH] Update infrastructure code --- cloudinit.yml | 543 +------------------------------------------------- datasource.tf | 35 +++- main.tf | 18 +- providers.tf | 24 ++- 4 files changed, 61 insertions(+), 559 deletions(-) diff --git a/cloudinit.yml b/cloudinit.yml index 2206be1..1c0102f 100644 --- a/cloudinit.yml +++ b/cloudinit.yml @@ -1,52 +1,20 @@ #cloud-config -# Make sure to check the cloud-init logs: /var/log/cloud-init.log and /var/log/cloud-init-output.log -# Author: Marcus Kammer -# Tested: Ubuntu 22.04 -# Copyright © 2023 Marcus Kammer -# Permission is hereby granted, free of charge, to any person obtaining a copy of -# this software and associated documentation files (the “Software”), to deal in -# the Software without restriction, including without limitation the rights to -# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies -# of the Software, and to permit persons to whom the Software is furnished to do -# so, subject to the following conditions: - -# The above copyright notice and this permission notice shall be included in all -# copies or substantial portions of the Software. - -# THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -# SOFTWARE. locale: en_US.UTF-8 keyboard: layout: us + timezone: Europe/Berlin groups: - nginxgroup users: - - name: nginxuser - system: true - shell: /usr/sbin/nologin - groups: nginxgroup - sudo: null - # Create a new user named 'cl' - name: cl - # Add the user to the 'users' and 'admin' groups groups: users, admin - # Allow the user to execute any command with sudo without entering a password sudo: ALL=(ALL) NOPASSWD:ALL - # Set the user's default shell to /bin/bash shell: /bin/bash - # Add the user's public SSH key for key-based authentication ssh_authorized_keys: - - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA+46Y3AHPLJgz8KK61doqH3jBX2TL3TJvZsJrB9Km03 visua@xps-8930 - - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMIHJ5qpMIKL7N3nC0GG1O4ygtkqOlQuZReoik6xGBxn marcus@XPS-13-9380.local - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB6xSH5nE0uy0C0kglpp4EqrbbW2CrBeAIj+X6Sf2pd0 XPS-8930-Ubuntu_22 packages: @@ -78,562 +46,53 @@ write_files: APT::Periodic::Download-Upgradeable-Packages "1"; APT::Periodic::AutocleanInterval "7"; APT::Periodic::Unattended-Upgrade "1"; - - path: /etc/ssh/sshd_config content: | - # Include additional configuration files from the specified directory Include /etc/ssh/sshd_config.d/*.conf - # Set the maximum number of authentication attempts allowed per connection MaxAuthTries 3 - # Specifies the file containing public keys for user authentication AuthorizedKeysFile .ssh/authorized_keys - # Disables password authentication PasswordAuthentication no - # Specifies the authentication method(s) to use (public key authentication in this case) AuthenticationMethods publickey - # Enables public key authentication PubkeyAuthentication yes - # Disables root login via SSH PermitRootLogin no - # Disables keyboard-interactive authentication KbdInteractiveAuthentication no - # Enables the Pluggable Authentication Module (PAM) for authentication UsePAM yes - # Disables agent forwarding for SSH connections AllowAgentForwarding no - # Enables TCP forwarding for SSH connections AllowTcpForwarding yes - # Disables X11 forwarding for SSH connections X11Forwarding no - # Disables printing of the message of the day (MOTD) when a user logs in PrintMotd no - # Specifies the key exchange algorithms to use KexAlgorithms curve25519-sha256@libssh.org - # Specifies the ciphers allowed for protocol version 2 Ciphers chacha20-poly1305@openssh.com - # Specifies the message authentication code (MAC) algorithms in order of preference MACs hmac-sha2-512-etm@openssh.com - # Specifies environment variables sent by the client to the server AcceptEnv LANG LC_* - # Specifies the command to use for the SFTP subsystem Subsystem sftp /usr/lib/openssh/sftp-server - # Specifies the user(s) allowed to log in via SSH (in this case, only the user "marcus") AllowUsers cl - - path: /etc/fail2ban/jail.local content: | [DEFAULT] - # Ban time (in seconds) for an IP after reaching the max number of retries. bantime = 3600 - # Time window (in seconds) in which 'maxretry' failures must occur. findtime = 600 - # Maximum number of failed login attempts before an IP gets banned. maxretry = 3 - # Ban action to use (ufw in this case). banaction = ufw [sshd] - # Enable the sshd jail. enabled = true - # Specify the port for the sshd service. port = 22 - # Path to the log file for the sshd service. logpath = /var/log/auth.log [sshd-ddos] - # Specify the filter to use (created earlier) filter = sshd - # Enable the sshd-ddos jail. enabled = true - # Specify the port for the sshd service. port = ssh - # Path to the log file for the sshd service. logpath = /var/log/auth.log - # Maximum number of failed login attempts before an IP gets banned (for DDoS protection). maxretry = 5 - # Ban time (in seconds) for an IP after reaching the max number of retries (for DDoS protection). bantime = 600 - [nginx-http-auth] - # Enable the jail - enabled = true - # Specify the filter to use (created earlier) - # filter = nginx-http-auth - # Define the action to take (using UFW) - action = ufw - # Specify the log file to monitor - logpath = /var/log/nginx/error.log - # Set the maximum number of failed attempts before banning - maxretry = 6 - # Set the ban time in seconds (1 hour) - bantime = 3600 - # Set the time window for failed attempts in seconds (10 minutes) - findtime = 600 - - - path: /etc/nginx/nginx.conf - content: | - user nginxuser; - worker_processes auto; - pid /run/nginx.pid; - include /etc/nginx/modules-enabled/*.conf; - events { - worker_connections 768; - # multi_accept on; - } - http { - ## - # Basic Settings - ## - sendfile on; - tcp_nopush on; - types_hash_max_size 2048; - # server_tokens off; - # server_names_hash_bucket_size 64; - # server_name_in_redirect off; - include /etc/nginx/mime.types; - default_type application/octet-stream; - ## - # SSL Settings - ## - ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE - ssl_prefer_server_ciphers on; - ## - # Logging Settings - ## - log_format csv '$time_iso8601,$remote_addr,$remote_user,"$request",$status,$body_bytes_sent,$http_referer,"$http_user_agent"'; - access_log /var/log/nginx/access.csv csv; - error_log /var/log/nginx/error.log; - ## - # Gzip Settings - ## - gzip on; - # gzip_vary on; - # gzip_proxied any; - # gzip_comp_level 6; - # gzip_buffers 16 8k; - # gzip_http_version 1.1; - # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; - ## - # Dont send nginx version number - ## - server_tokens off; - ## - # Virtual Host Configs - ## - include /etc/nginx/conf.d/*.conf; - include /etc/nginx/sites-enabled/*; - } - - # Write reverse-proxy configuration file - - path: /etc/nginx/sites-available/reverse-proxy.conf - content: | - # Listen on port 80 - server { - listen 80; - # Set your domain name - server_name survey.metalisp.dev; - # Redirect all requests to HTTPS - return 301 https://$host$request_uri; - } - - # Listen on port 443 with SSL - server { - listen 443 ssl; - # Set your domain name - server_name survey.metalisp.dev; - - # Include SSL certificate managed by Certbot - ssl_certificate /etc/letsencrypt/live/survey.metalisp.dev/fullchain.pem; - # Include SSL certificate key managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/survey.metalisp.dev/privkey.pem; - # Include SSL options provided by Certbot - include /etc/letsencrypt/options-ssl-nginx.conf; - # Include DH parameters provided by Certbot - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; - - # Proxy settings for the location - location / { - # Set backend server address and port - proxy_pass http://localhost:8080; - # Set Host header - proxy_set_header Host $host; - # Set X-Real-IP header - proxy_set_header X-Real-IP $remote_addr; - # Set X-Forwarded-For header - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - # Set X-Forwarded-Proto header - proxy_set_header X-Forwarded-Proto $scheme; - } - } - - - path: /home/cl/setup_git.sh - owner: 'cl:cl' - permissions: '0755' - defer: True - content: | - #!/bin/bash - git config --global user.email "marcus.kammer@mailbox.org" - git config --global user.name "Marcus Kammer" - git config --global init.defaultBranch main - git config --global pull.rebase true - - - path: /home/cl/setup_repos.sh - owner: 'cl:cl' - permissions: '0755' - defer: True - content: | - #!/bin/bash - # Clone the SLIME repository for a specific branch and depth - git clone https://github.com/slime/slime.git ~/slime && cd ~/slime && git checkout v2.30 - - - path: /home/cl/setup_user_all.sh - owner: 'cl:cl' - permissions: '0755' - defer: True - content: | - #!/bin/bash - /bin/bash /home/cl/setup_git.sh - /bin/bash /home/cl/setup_repos.sh - ssh-keygen -t ed25519 -C 'survey.metalisp' -f ~/.ssh/id_ed25519 -N '' - mkdir -p ~/www/survey/docs/ - - - path: /home/cl/openai_block_access.sh - owner: 'cl:cl' - permissions: '0755' - defer: True - content: | - #!/bin/bash - # Purpose: Block OpenAI ChatGPT bot CIDR - # Tested on: Debian and Ubuntu Linux - # Author: Vivek Gite {https://www.cyberciti.biz} under GPL v2.x+ - # ------------------------------------------------------------------ - file="/tmp/out.txt.$$" - wget -q -O "$file" https://openai.com/gptbot-ranges.txt 2>/dev/null - - while IFS= read -r cidr - do - sudo ufw deny proto tcp from $cidr to any port 80 - sudo ufw deny proto tcp from $cidr to any port 443 - done < "$file" - [ -f "$file" ] && rm -f "$file" - - - path: /home/cl/.tmux.conf - owner: 'cl:cl' - permissions: '0755' - defer: True - content: | - # Improve colors and set TERM correctly inside tmux - set -g default-terminal "screen-256color" - - # Set prefix key to Ctrl-a, like GNU Screen - unbind C-b - set -g prefix C-a - bind C-a send-prefix - - # Enable mouse support - set -g mouse on - - # Use Alt-arrow keys to switch panes - bind -n M-Left select-pane -L - bind -n M-Right select-pane -R - bind -n M-Up select-pane -U - bind -n M-Down select-pane -D - - # Use Alt+h/j/k/l to resize panes - bind -n M-h resize-pane -L 2 - bind -n M-j resize-pane -D 2 - bind -n M-k resize-pane -U 2 - bind -n M-l resize-pane -R 2 - - # Split panes with | and - - bind | split-window -h - bind - split-window -v - - # Reload tmux config - bind r source-file ~/.tmux.conf - - # Quick pane cycling - unbind ^A - bind ^A select-pane -t :.+ - - # Enable clipboard support on macOS - # Uncomment the line below if you are on macOS and have reattach-to-user-namespace installed - # set-option -g default-command "reattach-to-user-namespace -l $SHELL" - - # Increase history limit - set -g history-limit 50000 - - # One Dark theme specific settings - - # Status bar colors - set -g status-bg colour235 # Base background color - set -g status-fg colour137 # Base foreground color - set -g status-interval 5 - set -g status-left "#[fg=colour81]#H " # Hostname in a different color - set -g status-right "#[fg=colour137]#(date '+%Y-%m-%d %H:%M')" # Date and time - - # Active window in status bar - setw -g window-status-current-style fg=colour125,bg=colour235,bold - - # Pane border - set -g pane-border-style fg=colour238 - set -g pane-active-border-style fg=colour81 - - # Message styling - set -g message-style fg=colour166,bg=colour235 - - # Window list - pane number (current and other) - setw -g window-status-current-format "#[bold,fg=colour81]#I:#W#F" - setw -g window-status-format "#[fg=colour137]#I:#W#F" - - - path: /home/cl/access_logs.sql - owner: 'cl:cl' - defer: True - content: | - -- Set the mode to CSV to properly import CSV files - .mode csv - - -- If the table doesn't exist, create it - CREATE TABLE IF NOT EXISTS access_logs ( - timestamp TEXT, - ip_address TEXT, - remote_user TEXT, - request TEXT, - status_code INTEGER, - body_bytes_sent INTEGER, - http_referer TEXT, - http_user_agent TEXT - ); - - -- Import the data into the 'access_logs' table - .import '/var/log/nginx/access.csv' access_logs - - - path: /home/cl/pihole_set_ufw.sh - owner: 'cl:cl' - permissions: '0755' - defer: True - content: | - #!/bin/bash - # Necessary pihole ufw setup - sudo ufw allow 80/tcp - sudo ufw allow 53/tcp - sudo ufw allow 53/udp - sudo ufw allow 67/tcp - sudo ufw allow 67/udp - sudo ufw allow 546:547/udp - - - path: /etc/sbclrc - content: | - ;;; -*- lisp -*- - ;;; System-wide startup file for sbcl - - ;;; https://github.com/ghollisjr/sbcl-script - ;;; If the first user-processable command-line argument is a filename, - ;;; disable the debugger, load the file handling shebang-line and quit. - (let ((script (and (second *posix-argv*) - (probe-file (second *posix-argv*))))) - (when script - ;; Handle shebang-line - (set-dispatch-macro-character #\# #\! - (lambda (stream char arg) - (declare (ignore char arg)) - (read-line stream))) - ;; Disable debugger - (setf *invoke-debugger-hook* - (lambda (condition hook) - (declare (ignore hook)) - ;; Uncomment to get backtraces on errors - ;; (sb-debug:backtrace 20) - (format *error-output* "Error: ~A~%" condition) - (quit))) - (load script) - (quit))) - - (defun print-condition-hook (condition hook) - "This function is designed to be used as a custom debugger hook. - It prints the condition (error message), clears any remaining input, - and aborts the current operation." - ;; Ignore the hook argument since it's not used in this function. - (declare (ignore hook)) - - ;; Print the error message associated with the condition. - (princ condition) - - ;; Clear any pending input from the stream. - (clear-input) - - ;; Abort the current operation and return to the top-level. - (abort)) - - ;; Get the value of the global variable *debugger-hook*. - *debugger-hook* - - ;; Set the global variable *debugger-hook* to the custom debugger hook - ;; function 'print-condition-hook'. This function will now be called - ;; whenever an unhandled error occurs. - (setf *debugger-hook* #'print-condition-hook) - - - path: /home/cl/.sbclrc - owner: 'cl:cl' - defer: True - content: | - ;;; -*- lisp -*- - (sb-ext:set-sbcl-source-location #P"~/sbcl/") - - - path: /home/cl/lisp_01_setup_sbcl.sh - owner: 'cl:cl' - permissions: '0755' - defer: True - content: | - #!/bin/bash - # Exit on error - set -e - sudo apt update - sudo apt install -y sbcl git libzstd-dev - # Download SBCL source - # wget http://prdownloads.sourceforge.net/sbcl/sbcl-2.3.10-source.tar.bz2 - # Extract it - # tar -xjf sbcl-2.3.10-source.tar.bz2 - git clone --branch sbcl-2.4.7 git://git.code.sf.net/p/sbcl/sbcl ~/sbcl - # Change into the directory - cd sbcl - # Compile and install - sh make.sh --fancy - sudo sh install.sh - # Remove ubuntu specific sbcl - sudo apt remove sbcl -y - cd ~/ && sbcl --version - - - path: /home/cl/lisp_02_setup_quicklisp.sh - owner: 'cl:cl' - permissions: '0755' - defer: True - content: | - #!/bin/bash - # Needs to be run manually, cant be run automatically. - # If runs automatically, `quicklisp.lisp' cant be find by sbcl. - sudo apt install -y libev4 libsqlite3-dev - curl https://beta.quicklisp.org/quicklisp.lisp -o ~/quicklisp.lisp - sbcl --noinform --load quicklisp.lisp --eval "(quicklisp-quickstart:install)" --eval "(ql-util:without-prompting (ql:add-to-init-file))" --non-interactive - sbcl --noinform --eval "(ql:quickload '(:hunchentoot :spinneret))" --non-interactive - - - path: /home/cl/lisp_03_load_swank_faster.lisp - owner: 'cl:cl' - defer: True - content: | - ;;;; This Common Lisp script sets up a development environment by loading essential - ;;;; libraries for web development and data handling, including SBCL system - ;;;; libraries and external tools via Quicklisp. It concludes by saving the - ;;;; environment state to a core file for efficient reusability in future sessions. - (mapc 'require '(sb-bsd-sockets sb-posix sb-introspect sb-cltl2 asdf)) - (ql:quickload '(:hunchentoot :spinneret)) - (save-lisp-and-die "sbcl.core-for-slime") - - - path: /home/cl/lisp_03_load_swank_faster.sh - owner: 'cl:cl' - permissions: '0755' - defer: True - content: | - #!/bin/bash - sbcl --noinform --noprint --load ~/lisp_03_load_swank_faster.lisp - - - path: /home/cl/emacs_build.sh - owner: cl:cl - permissions: '0755' - defer: True - content: | - #!/bin/bash - - git clone git@git.sr.ht:~marcuskammer/emacs.d-lisp ~/.emacs.d/ - - # Update package list and install dependencies - # note to myself: libgccjit version number should be qual to gcc --version - sudo apt update - sudo apt install -y build-essential git autoconf texinfo libncurses-dev libgnutls28-dev libjansson-dev libgccjit-13-dev pkg-config zlib1g-dev libtree-sitter-dev libxml2-dev - - # Clone the Emacs repository - git clone git://git.sv.gnu.org/emacs.git ~/emacs-src && cd emacs-src - - # Check out the Emacs-29 branch (replace 'emacs-29' with the specific version if different) - git checkout emacs-29 - - # Prepare for build - ./autogen.sh - - # Configure Emacs for building without X11, without GTK, without image support, and with native compilation - - # This configuration is tailored for an Emacs build focused on performance and - # native compilation, with reduced dependency on external image libraries and - # graphical systems. It's particularly suitable if you're aiming for a - # lightweight Emacs setup, primarily for text editing and programming tasks - # without the need for image handling within Emacs. - - ./configure --without-xpm --without-jpeg --without-png --without-gif --without-tiff --without-xpm --without-rsvg --without-webp --without-lcms2 --without-cairo --without-gpm --with-json --with-native-compilation --with-tree-sitter - - # Build Emacs - make -j$(nproc) - - # If the build succeeds, install Emacs - sudo make install - - - path: home/cl/.config/systemd/user/emacs.service - owner: cl:cl - defer: True - content: | - [Unit] - Description=Emacs text editor - Documentation=info:emacs man:emacs(1) https://gnu.org/software/emacs/ - - [Service] - Type=forking - ExecStart=emacs --daemon - ExecStop=emacsclient --eval "(kill-emacs)" - Environment=SSH_AUTH_SOCK=%t/keyring/ssh - Restart=on-failure - - [Install] - WantedBy=default.target - runcmd: - # Run Certbot to obtain SSL certificates and configure Nginx - - certbot certonly --nginx -d survey.metalisp.dev --non-interactive --agree-tos --email marcus.kammer@metalisp.dev --redirect - # Add cron job for automatic certificate renewal (runs once a month) - - echo '0 0 1 * * root certbot renew --post-hook "systemctl reload nginx" >> /var/log/letsencrypt/letsencrypt-auto-renew.log' > /etc/cron.d/letsencrypt-renew - # Download DHPARAM - - # The Diffie-Hellman algorithm is used to establish a shared secret between two - # parties (typically a client and a server) over a public channel, and is a - # fundamental part of many cryptographic protocols, including HTTPS. - - # However, generating Diffie-Hellman parameters can be computationally expensive, - # so pre-generated parameters are often used. Mozilla provides such pre-generated - # parameters, and they are considered to be trustworthy. - - # The downloaded parameters are saved in a file named ssl-dhparam.pem in the - # /etc/letsencrypt directory. This file is then referenced in the configuration - # of services that use Diffie-Hellman key exchange, such as your Nginx server, to - # establish secure communications. - - # This step is part of a broader effort to set up SSL/TLS securely on your - # server, enhancing the security of your connections. - - - curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/letsencrypt/ssl-dhparam.pem - # Create a symlink for the configuration file - - ln -s /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/ - # Remove default Nginx configuration - - rm /etc/nginx/sites-enabled/default - # Reload Nginx configuration - - systemctl reload nginx - # Allow Nginx Full (HTTP and HTTPS) through the firewall - - ufw allow 'Nginx Full' - # Set UFW firewall rules - ufw default deny incoming - ufw default allow outgoing - ufw allow 22/tcp - ufw allow mosh - ufw enable - # Enable and start the fail2ban service - systemctl enable fail2ban && systemctl start fail2ban - # Restart the SSH server to apply the new configuration - systemctl restart sshd - - sudo -u cl /bin/bash /home/cl/setup_user_all.sh diff --git a/datasource.tf b/datasource.tf index 279311f..d392245 100644 --- a/datasource.tf +++ b/datasource.tf @@ -1,9 +1,32 @@ -data "aws_ami" "server_ami" { - most_recent = true - owners = ["099720109477"] +data "cloudinit_config" "config" { + gzip = true # Compress the cloud-init data to save space + base64_encode = true # Encode the data in base64 for proper transmission to EC2 - filter { - name = "name" - values = ["ubuntu/images/hvm-ssd-gp3/ubuntu-noble-24.04-arm64-server-*"] + part { + content_type = "text/cloud-config" # Specify that this is a cloud-config file + content = file("${path.module}/cloudinit.yml") # Read the content of the cloudinit.yml file + } +} + +data "aws_ami" "server_ami" { + most_recent = true # Get the most recent version of the AMI + owners = ["099720109477"] # This ID represents Canonical, the company behind Ubuntu + + # Filter to find Ubuntu 22.04 LTS (Jammy Jellyfish) AMIs + filter { + name = "name" + values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"] + } + + # Ensure we're getting a hardware virtual machine (HVM) AMI + filter { + name = "virtualization-type" + values = ["hvm"] + } + + # Specify that we want an x86_64 architecture (suitable for t2.micro instances) + filter { + name = "architecture" + values = ["x86_64"] } } diff --git a/main.tf b/main.tf index d6f48b5..5a9f92f 100644 --- a/main.tf +++ b/main.tf @@ -68,14 +68,18 @@ resource "aws_key_pair" "mlsurvey_auth" { } resource "aws_instance" "dev_node" { - instance_type = "t2.micro" - ami = data.aws_ami.server_ami.id - key_name = aws_key_pair.mlsurvey_auth.id - vpc_security_group_ids = [aws_security_group.mlsurvey_sg.id] - subnet_id = aws_subnet.mlsurvey_public_subnet.id - user_data = file("userdata.tpl") - + instance_type = "t2.micro" + ami = data.aws_ami.server_ami.id + key_name = aws_key_pair.mlsurvey_auth.id + vpc_security_group_ids = [aws_security_group.mlsurvey_sg.id] + subnet_id = aws_subnet.mlsurvey_public_subnet.id + user_data = data.cloudinit_config.config.rendered + user_data_replace_on_change = true tags = { Name = "dev-node" } } + +output "dev_node_public_ip" { + value = aws_instance.dev_node.public_ip +} diff --git a/providers.tf b/providers.tf index 7755bf1..75ff040 100644 --- a/providers.tf +++ b/providers.tf @@ -1,14 +1,30 @@ +# This file configures the providers used in this Terraform configuration. +# Providers are plugins that Terraform uses to manage resources. + terraform { + # Specify the required providers and their versions required_providers { + # AWS provider for managing AWS resources aws = { - source = "hashicorp/aws" - version = "~> 4.16" + source = "hashicorp/aws" # Source of the provider + version = "~> 4.16" # Version constraint for the provider + } + # Cloud-init provider for generating cloud-init configs + cloudinit = { + source = "hashicorp/cloudinit" + version = "~> 2.2.0" } } + # Specify the required version of Terraform itself required_version = ">= 1.2.0" } +# Configure the AWS Provider provider "aws" { - region = "eu-central-1" - shared_credentials_files = ["~/.aws/credentials"] + region = "eu-central-1" # Specify the AWS region to use + shared_credentials_files = ["~/.aws/credentials"] # Path to the AWS credentials file } + +# Configure the cloudinit Provider +# No specific configuration needed for cloudinit, but declaring it here makes it available for use +provider "cloudinit" {}