Hetzner Load-Balanced Web Tier

hetzner-lb-web-tier

A Hetzner Cloud load-balanced web tier: a managed load balancer with health-checked services, a Let's Encrypt managed certificate, and label-selected server targets so backends auto-enroll as they scale.

Status: static-validated, live-test pending. Validated with tofu validate + tflint + checkov against the hetznercloud/hcloud provider. Not yet applied against a live Hetzner project, so it ships under live-test quarantine.

Design & secure defaults

• HTTPS-first. The default service is HTTPS:443 with an automatic HTTP→HTTPS redirect; a plan-time precondition refuses an https service that has no certificate (certificate_domain_names, existing_certificate_ids, or per-service certificate_ids).
• Delete protection on by default — set delete_protection = false for ephemeral environments so destroy works without a manual toggle.
• Label-selected targets. target_label_selector = "role=web" enrolls every matching server automatically; target_server_ids adds explicit ones.
• Private backends, optionally. Attach a network (network_id) and set use_private_ip = true to send traffic to targets over the private network; enable_public_interface = false makes the LB internal-only.
• Exactly one of location / network_zone is enforced by precondition.

Provider

hetznercloud/hcloud >= 1.0, < 2.0. Requires Terraform/OpenTofu >= 1.6.

License

Commercial — LicenseRef-IaCBazaar-Commercial. See the IaC Bazaar terms.