Jeeva
🚀 Terraform Day 19: Provisioners - Bootstrapping Infrastructure with Automation

🎯 What Are Terraform Provisioners?

Provisioners are execution blocks that run during the lifecycle of a Terraform resource.

They are commonly used to:
Run scripts
Install packages
Copy files
Perform post-creation setup

Provisioners execute only when a resource is created or recreated.
Terraform remains declarative; provisioners are optional escape hatches.

🧰 Types of Terraform Provisioners

Terraform supports three main provisioners:

1️⃣ local-exec
Runs commands on the machine where Terraform is executed.

2️⃣ remote-exec
Runs commands on the remote resource (e.g., EC2 instance) via SSH.

3️⃣ file
Copies files from the local machine to the remote resource over SSH.

Each has a distinct purpose and execution context.

🖥️ Local-Exec Provisioner

local-exec runs locally, not on AWS.
Example use cases:
Logging instance details
Running validation scripts
Triggering local automation

Example:

    # Placed inside a resource block; self refers to that resource
    provisioner "local-exec" {
      command = "echo Instance ID: ${self.id}, Public IP: ${self.public_ip}"
    }

🔹 No SSH required
🔹 Runs on your laptop / CI runner
🔹 Useful for notifications or metadata handling

🖧 Remote-Exec Provisioner

remote-exec runs commands inside the EC2 instance.
Requirements:
SSH access
Key pair
Security group allowing port 22

Example:

    # Commands run in order on the instance over SSH
    provisioner "remote-exec" {
      inline = [
        "sudo yum update -y",
        "echo 'Provisioned by Terraform' > /tmp/info.txt"
      ]
    }

This is commonly used to:
Install packages
Configure services
Bootstrap servers

πŸ“ File Provisioner

The file provisioner copies files to remote instances.
Example:

    # source is a local path; destination is a path on the instance
    provisioner "file" {
      source      = "welcome.sh"
      destination = "/home/ec2-user/welcome.sh"
    }

Typical pattern:
Copy script using file
Execute script using remote-exec
This allows complex bootstrapping logic.

πŸ” SSH & Key Pair Requirements

For remote-exec and file provisioners:
EC2 key pair must exist
Private key must have correct permissions

    chmod 400 my-key.pem

Terraform connection block example:

    # Tells the file and remote-exec provisioners how to reach the instance
    connection {
      type        = "ssh"
      user        = "ec2-user"
      private_key = file("my-key.pem")
      host        = self.public_ip
    }

Without proper SSH setup, provisioners will fail.
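
The fragments above assembled into one resource, as an added example that is not part of the original post: the script is copied with file, run with remote-exec, and port 22 is opened only to the address Terraform runs from. The variables, the security group, the instance type and the default-VPC placement are assumptions.

```hcl
# Added example; variables, security group and instance type are hypothetical.
variable "ami_id" { type = string }     # an Amazon Linux AMI (login user ec2-user)
variable "key_name" { type = string }   # existing EC2 key pair matching my-key.pem
variable "admin_cidr" { type = string } # address Terraform runs from, as a /32

# Assumes the default VPC, where the instance receives a public IP.
resource "aws_security_group" "ssh" {
  name = "provisioner-ssh"
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr] # SSH from the provisioning host only, not 0.0.0.0/0
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"] # outbound access so the script can install packages
  }
}

resource "aws_instance" "example" {
  ami                    = var.ami_id
  instance_type          = "t3.micro"
  key_name               = var.key_name
  vpc_security_group_ids = [aws_security_group.ssh.id]

  # One connection block shared by both provisioners below
  connection {
    type        = "ssh"
    user        = "ec2-user"
    private_key = file("my-key.pem")
    host        = self.public_ip
  }

  # Step 1: copy the script to the instance
  provisioner "file" {
    source      = "welcome.sh"
    destination = "/home/ec2-user/welcome.sh"
  }

  # Step 2: run it; a failing command fails the apply and taints the resource
  provisioner "remote-exec" {
    inline = [
      "chmod 700 /home/ec2-user/welcome.sh",
      "/home/ec2-user/welcome.sh",
    ]
  }
}
```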

🔄 Understanding Provisioner Execution Behavior

Provisioners do not run on every terraform apply.
They run only when:
A resource is created
A resource is recreated
If no changes are detected, provisioners are skipped.

⚠️ Forcing Provisioners with terraform taint

To force re-execution:

    terraform taint aws_instance.example
    terraform apply

This:
Marks the resource as dirty
Forces destruction and recreation
Triggers provisioners again
This highlights Terraform's state-driven behavior.

🏁 Conclusion

Day 19 provides a clear and honest view of Terraform provisioners.

They are powerful, but must be used carefully and intentionally.
Understanding how and when they execute is critical to avoiding unexpected behavior.

This session strengthens your grasp of Terraform internals, state-driven execution, and real-world automation patterns.

Provisioners are not the default tool, but knowing them makes you a stronger Terraform engineer.
