Add modern IaC examples: Terraform, Packer, cloud-config, and CI/CD#1

Merged: chefgs merged 3 commits into master from claude/analyze-cloud-init-iac-wicmN on Feb 23, 2026
Conversation

@chefgs chefgs commented Feb 22, 2026

Summary

This PR adds a comprehensive modernization guide and working examples showing how the original 2012 cloud-init/Chef/Ansible patterns map to current Infrastructure as Code best practices. Includes production-ready Terraform configurations, Packer AMI building, cloud-config YAML templates, and GitHub Actions CI/CD pipelines.

Key Changes

Documentation

  • MODERNIZATION.md: Detailed guide mapping original 2012 concepts to modern equivalents:
    • Infrastructure orchestration: shell scripts → Terraform/OpenTofu
    • AMI selection: hardcoded IDs → dynamic data sources
    • cloud-init: bash scripts → cloud-config YAML modules
    • Security: SSH key pairs → IAM roles + SSM Session Manager
    • Package installation: runtime downloads → Packer pre-baked AMIs
    • Configuration management: Chef 14/Ansible → modern versions with collections
    • Secrets: hardcoded values → Parameter Store/Secrets Manager
    • CI/CD: manual execution → GitHub Actions with OIDC

Terraform Infrastructure as Code

  • main.tf: Declarative infrastructure replacing create_instance.sh:

    • Dynamic AMI resolution (Amazon Linux 2023, no hardcoded IDs)
    • IAM instance role with SSM access (replaces SSH key pairs)
    • Security group with zero inbound ports (SSM-only access)
    • Launch template with IMDSv2 enforcement
    • Auto Scaling Group for true "cattle" pattern at scale
    • SSM parameters for configuration values
  • variables.tf: Parameterized inputs replacing positional bash arguments

  • outputs.tf: Useful post-apply information (ASG name, AMI ID, SSM connection commands)

Cloud-Config YAML

  • cloud-config.yaml: Terraform templatefile version with variable substitution:

    • Declarative user/group management (replaces useradd scripts)
    • Package installation via cloud-init modules
    • Configuration file generation (replaces echo/cat >> patterns)
    • Monitoring agent setup and Ansible playbook execution
    • Idempotent by design, works across distros
  • cloud-config-standalone.yaml: Standalone version for direct AWS CLI use

Packer AMI Building

  • packer.pkr.hcl: Pre-bake AMI with all software pre-installed:
    • Dynamic base AMI resolution (same pattern as Terraform)
    • System updates, package installation, RPM building at AMI time
    • Ansible provisioner for configuration management
    • Cleanup of build artifacts
    • Manifest output for downstream automation

GitHub Actions CI/CD

  • deploy.yml: Complete infrastructure pipeline:

    • Validate: cloud-config schema check, Terraform format/validate
    • Plan: runs on every PR, posts plan as comment, uploads artifact
    • Apply: manual approval gate, runs on merge to main
    • Destroy: manual trigger only, never automatic
    • OIDC federated identity (no stored AWS credentials)
  • packer-build.yml: AMI building pipeline:

    • Triggers on Packer/Ansible config changes
    • Stores new AMI ID in SSM Parameter Store
    • Automatically picked up by next Terraform apply

Supporting Files

  • modern/README.md: Quick start guide with examples for Terraform, cloud-config, and Packer workflows

Notable Implementation Details

  • Security-first: No SSH, no port 22, no key pair management. All access via SSM Session Manager with full CloudTrail audit trail.
  • Immutable infrastructure: Packer pre-bakes everything; instances launch in seconds with zero runtime dependencies.
  • State management: Terraform tracks all resources; terraform destroy replaces manual terminate_instances.sh.
  • Declarative cloud-config: Uses YAML modules instead of bash scripts for idempotency and cross-distro compatibility.
  • Modern tooling: Terraform 1.9+, Packer 1.10+, Ansible 9+, Chef 18+, Amazon Linux 2023 (not EOL RHEL 7).
  • GitOps-ready:

https://claude.ai/code/session_011yTw5W74dhGvxs4GxEcKFq
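The "no SSH, SSM-only, IMDSv2 enforced" launch pattern the description lists, as an added example that is not the PR's own main.tf; resource names, var.vpc_id and the t3.micro size are assumptions, and the SSM parameter path is the public one AWS publishes for Amazon Linux 2023.

```hcl
# Added example, not the PR's main.tf; names and var.vpc_id are assumed.
data "aws_ssm_parameter" "al2023" {
  # AWS-published public parameter resolving the latest Amazon Linux 2023 AMI
  name = "/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64"
}
resource "aws_iam_role" "instance" {
  name = "app-instance-role" # assumed name
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}
# Lets the SSM agent register the instance; no SSH key pair, no port 22
resource "aws_iam_role_policy_attachment" "ssm_core" {
  role       = aws_iam_role.instance.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}
resource "aws_iam_instance_profile" "instance" {
  name = "app-instance-profile" # assumed name
  role = aws_iam_role.instance.name
}
# Zero ingress rules: Session Manager uses an outbound HTTPS channel only
resource "aws_security_group" "no_ingress" {
  name   = "app-no-ingress"
  vpc_id = var.vpc_id # assumed variable
  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
resource "aws_launch_template" "app" {
  name_prefix            = "app-"
  image_id               = data.aws_ssm_parameter.al2023.value
  instance_type          = "t3.micro"
  vpc_security_group_ids = [aws_security_group.no_ingress.id]
  iam_instance_profile { name = aws_iam_instance_profile.instance.name }
  # IMDSv2 only: a session token is required, and hop limit 1 keeps a
  # container behind a NAT hop on the host from obtaining that token
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }
}
```

Session Manager needs the instance to reach the ssm, ssmmessages and ec2messages endpoints over 443, so private subnets need VPC endpoints or a NAT route for that egress rule to be enough.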

Analyses the 2012 cloud-init-sample repo and provides a comprehensive
modernization path covering every layer of the original architecture:

- MODERNIZATION.md: Full analysis mapping 2012 concepts to modern equivalents,
  migration phases, and tool reference table

- modern/terraform/: Declarative Terraform replacing create_instance.sh
  - aws_autoscaling_group + aws_launch_template (replaces run-instances loop)
  - Dynamic AMI data source (replaces hardcoded ami-28e07e50 / RHEL 7)
  - IAM Instance Profile + SSM access (replaces SSH key pairs + port 22)
  - t3.micro replacing t2.micro, Amazon Linux 2023 replacing RHEL 7 EOL

- modern/cloud-config/: YAML cloud-config replacing bash user-data scripts
  - Declarative users/groups/packages/write_files modules
  - Templatefile version (Terraform-rendered) + standalone version
  - cloud-init schema-validatable

- modern/packer/: Pre-baked AMI pipeline
  - Installs software at AMI build time (not instance boot time)
  - Immutable infrastructure pattern: AMI is the versioned artifact

- modern/.github/workflows/: CI/CD pipeline replacing manual script execution
  - deploy.yml: Plan on PR, Apply on merge (with approval gate), Destroy on demand
  - packer-build.yml: Rebuild AMI when packer/ansible config changes
  - OIDC auth to AWS (no stored credentials)

https://claude.ai/code/session_011yTw5W74dhGvxs4GxEcKFq
Publishable article series covering the evolution from 2012-era
shell script provisioning to modern IaC:

- Part 1: Origin story — what the repo got right (cattle pattern,
  config-as-code, decoupled orchestration)
- Part 2: The gap — what aged poorly (hardcoded AMI, bash user-data,
  SSH/port-22, no state, runtime downloads, no CI/CD)
- Part 3: The modern rebuild — Terraform, cloud-config YAML, SSM
  Session Manager, Packer, GitHub Actions with OIDC

Each part references the actual code in the repo (original and /modern).

https://claude.ai/code/session_011yTw5W74dhGvxs4GxEcKFq
Adds .github/workflows/deploy.yml with:
- Validate job: terraform fmt check + cloud-config YAML schema validation
- Plan job: OIDC auth, terraform plan on every PR with output posted as PR comment
- Build AMI job: Packer build on merge to main
- Apply job: terraform apply with manual approval gate via GitHub Environments

Uses OIDC federated identity (no stored AWS credentials) and path filters
to only trigger on changes to modern/terraform, modern/cloud-config, or modern/packer.

https://claude.ai/code/session_011yTw5W74dhGvxs4GxEcKFq
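The OIDC trust relationship that the description and the deploy.yml commit rely on ("no stored AWS credentials"), as an added example that is not part of the PR; the repository, the GitHub Environment name, the role name and the deploy policy are assumed placeholders, and the GitHub OIDC provider is assumed to be registered in the account already.

```hcl
# Added example, not the PR's own code; repo, environment and role names
# are assumed, and the GitHub OIDC provider is assumed already registered.
variable "github_repo" {
  default = "EXAMPLE-OWNER/cloud-init-sample" # placeholder owner/name
}
variable "github_environment" {
  default = "production" # placeholder GitHub Environment holding the approval gate
}
data "aws_iam_openid_connect_provider" "github" {
  url = "https://token.actions.githubusercontent.com"
}
resource "aws_iam_role" "deploy" {
  name = "github-actions-deploy" # assumed name
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRoleWithWebIdentity"
      Principal = { Federated = data.aws_iam_openid_connect_provider.github.arn }
      Condition = {
        StringEquals = {
          "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
          # A job bound to a GitHub Environment presents environment:<name>
          # as its sub claim, not the branch ref. Pinning it here means only a
          # job that passed the environment's approval gate can assume the
          # role; a "repo:org/*" wildcard would admit any workflow in the org.
          "token.actions.githubusercontent.com:sub" = "repo:${var.github_repo}:environment:${var.github_environment}"
        }
      }
    }]
  })
}
# Apply-time permissions stay separate from the trust policy; scope them to
# what the launch template, ASG and SSM parameter resources in the plan need.
variable "deploy_policy_arn" {
  description = "ARN of a least-privilege policy you define (assumed)"
}
resource "aws_iam_role_policy_attachment" "deploy" {
  role       = aws_iam_role.deploy.name
  policy_arn = var.deploy_policy_arn
}
```

The plan job that runs on pull requests presents `repo:OWNER/NAME:pull_request` as its sub claim and should get its own read-only role rather than a wider condition here; every job that assumes a role also needs `permissions: id-token: write` before GitHub will mint the token.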
@chefgs chefgs merged commit b900fdc into master Feb 23, 2026
@chefgs chefgs deleted the claude/analyze-cloud-init-iac-wicmN branch February 23, 2026 10:20
