Repo: github.com/Push/terraform-aws-labs/day19

🎯 Goal: Understand provisioners, the last-resort tool for bootstrapping, with clear warnings and best-practice patterns.

You'll master:
- ✅ `local-exec`: Run commands on your laptop (e.g., `curl`, `echo`)
- ✅ `remote-exec`: Run commands on EC2 via SSH (e.g., `apt install nginx`)
- ✅ `file`: Copy files to/from EC2 (e.g., config templates)
- ✅ When to avoid them (and use cloud-init/AMI instead)
❌ Anti-Pattern:

```hcl
# DON'T do this in production!
provisioner "remote-exec" {
  inline = ["sudo apt install nginx", "sudo systemctl start nginx"]
}
```
✅ Legitimate Uses:
- app-v2.zip → unzip
- vault read → write to /etc/secrets
- curl <http://localhost:8080/health>

💡 Golden Rule:
“If your provisioner runs >5s → bake it into an AMI instead.”
(See Day 25: Packer + AMI pipelines)
| Provisioner | Runs On | Use Case | Risk Level |
|---|---|---|---|
| `local-exec` | Your laptop | curl healthcheck, `echo "DNS: $IP"` | ✅ Low |
| `remote-exec` | EC2 (via SSH) | One-time config, cluster join | ⚠️ Medium (SSH failures) |
| `file` | EC2 (via SSH) | Copy configs, scripts, certs | ⚠️ Medium (permissions, paths) |
⚠️ Critical Limitations:
- ❌ Not idempotent → runs every `apply` (even if no infra change)
- ❌ No drift detection → Terraform won't reconcile if the file is modified later
- ❌ SSH dependency → fails if keys rotate or security groups block port 22
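To make the anti-pattern and the limitations concrete, here is an added example (not the repo's `main.tf`): the `remote-exec` resource as it is usually written, next to the same bootstrap done through cloud-init user_data, which is what the Golden Rule points you toward. The variable names, the `t3.micro` size and the `ubuntu` login user are assumptions.

```hcl
# Added example, not the repo's main.tf. Variable names and the "ubuntu" login user are assumptions.
variable "ami_id"           { type = string } # Ubuntu AMI id for your region
variable "key_name"         { type = string } # EC2 key pair name (terraform.tfvars)
variable "private_key_path" { type = string } # matching private key on your laptop

# BEFORE: remote-exec needs SSH from your laptop (port 22 reachable, private key on disk),
# and Terraform keeps no record of what the commands did: later edits to `inline` are not reconciled.
resource "aws_instance" "web_provisioner" {
  ami           = var.ami_id
  instance_type = "t3.micro"
  key_name      = var.key_name

  connection {
    type        = "ssh"
    host        = self.public_ip
    user        = "ubuntu"
    private_key = file(var.private_key_path)
  }

  provisioner "remote-exec" {
    inline = ["sudo apt-get install -y nginx", "sudo systemctl enable --now nginx"]
  }
}

# AFTER: the same bootstrap as cloud-init user_data. No SSH path or key on the laptop is needed,
# and user_data_replace_on_change = true makes Terraform replace the instance when the script
# changes, so the change shows up in `terraform plan` instead of drifting silently.
resource "aws_instance" "web_cloudinit" {
  ami           = var.ami_id
  instance_type = "t3.micro"

  user_data = <<-EOT
    #cloud-config
    package_update: true
    packages:
      - nginx
    runcmd:
      - [systemctl, enable, --now, nginx]
  EOT
  user_data_replace_on_change = true
}
```

The cloud-init version still takes time on first boot, so the Golden Rule applies to it as well: anything longer than a few seconds belongs in a baked AMI.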
```
day19/
├── main.tf            # EC2 + provisioners
├── scripts/
│   └── welcome.sh     # Sample script to copy
├── terraform.tfvars   # Key name, private key path
└── TASK.md            # Your challenge (cloud-init, SSM, AMI)
```