Linode Compute Instance (production-ready)
Hardened Linode VM with cloud-init, disk encryption, reverse DNS, backups, and firewall attachment in one apply.
Verification
Plan-validated. Passed: module logic verified on a mocked plan — inputs, validation rules, conditional creation and outputs resolve (no real provider, no cloud).
Conformance
- Static validation (fmt · validate · tflint)
- Security scan: findings disclosed (Checkov)
- Plan tests (mocked: validation rules · outputs)
Provenance
- SHA-256 checksum
- Signature (pending)
Functional
- Live test pending (no cloud run yet)
Last verified 2026-06-28
Documentation
linode-instance
Hardened Linode VM with cloud-init, disk encryption, reverse DNS, backups, and
firewall attachment in one apply. Works with Terraform and OpenTofu
(>= 1.6), Linode provider >= 3.14, < 4.0.
Secure defaults:
- Local Disk Encryption (LDE) enabled by default
- Backups enabled by default
- SSH-key-first auth: keys are uploaded to the account profile (`linode_sshkey`) and authorized for root; `root_pass` stays optional and sensitive. The provider's v3.14 rule (credentials are mandatory when an image is deployed) is enforced with a clear plan-time precondition.
- Optional VPC interface as the primary NIC (with or without 1:1 NAT), Cloud Firewall attachment (`linode_firewall_device`), and PTR record (`linode_rdns`)
- Cloud-init user data wired through the Linode Metadata service (base64-encoding handled for you)
Usage
```hcl
module "web" {
  source = "./linode-instance"

  label  = "prod-web1"
  region = "us-ord"
  type   = "g6-standard-2"
  image  = "linode/ubuntu24.04"

  ssh_keys = {
    ops-team = file("~/.ssh/id_ed25519.pub")
  }

  vpc_subnet_id = module.vpc.subnets["app"].id # linode-vpc module
  firewall_id   = module.firewall.firewall_id  # linode-firewall module
  reverse_dns   = "web1.example.com"

  cloud_init_user_data = file("cloud-init.yaml")
  tags                 = ["env:prod"]
}
```
Inputs
| Name | Type | Default | Description |
|---|---|---|---|
| label | string | — | Instance label (required) |
| region | string | — | Linode region, e.g. us-ord (required) |
| type | string | "g6-nanode-1" | Plan type |
| image | string | "linode/ubuntu24.04" | Image to deploy |
| ssh_keys | map(string) | {} | label => public key; uploaded + authorized |
| authorized_keys | list(string) | [] | Extra literal public keys (not uploaded) |
| root_pass | string | null | Root password (sensitive, 11-128 chars) |
| disk_encryption | bool | true | Local Disk Encryption (region must support LDE) |
| backups_enabled | bool | true | Linode Backup service |
| swap_size | number | 512 | Swap disk MB |
| private_ip | bool | false | Legacy DC-private IPv4 |
| watchdog_enabled | bool | true | Lassie watchdog |
| cloud_init_user_data | string | null | Plain-text cloud-init (module base64-encodes) |
| vpc_subnet_id | number | null | VPC subnet for the primary interface |
| vpc_ipv4 | string | null | Fixed VPC address (null = auto) |
| vpc_nat_1_1 | bool | true | Keep public IPv4 via 1:1 NAT on the VPC interface |
| firewall_id | number | null | Cloud Firewall to attach |
| reverse_dns | string | null | PTR hostname (must already resolve to the IP) |
| tags | list(string) | [] | Instance tags |
Outputs
| Name | Description |
|---|---|
| instance_id | Instance ID |
| instance_label | Instance label |
| ip_address | Primary public IPv4 |
| ipv4_addresses | All IPv4 addresses |
| ipv6_range | SLAAC IPv6 range |
| status | Instance status |
| ssh_key_ids | label => account SSH key ID |
| firewall_device_id | Firewall device ID (or null) |
Requirements
- Terraform or OpenTofu >= 1.6
- `linode/linode` provider >= 3.14, < 4.0
- You must supply at least one SSH key or a `root_pass` (provider v3.14 auth requirement — enforced at plan time).
- `disk_encryption` and `cloud_init_user_data` require regions with the LDE and Metadata capabilities respectively.
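One way to express the plan-time credential requirement described above, as an added example that is not the module's own code. Variable names follow the Inputs table; the resource name `this`, the `has_credential` local and the label value are assumptions, and the sketch is narrowed to `ssh_keys` and `root_pass` (no `linode_sshkey` upload, no `authorized_keys` input).

```hcl
terraform {
  required_providers {
    linode = {
      source  = "linode/linode"
      version = ">= 3.14, < 4.0"
    }
  }
}

variable "image" {
  type    = string
  default = "linode/ubuntu24.04"
}
variable "ssh_keys" {
  type    = map(string)
  default = {}
}
variable "root_pass" {
  type      = string
  default   = null
  sensitive = true
  validation {
    # Ternary so length() is never called on null.
    condition     = var.root_pass == null ? true : (length(var.root_pass) >= 11 && length(var.root_pass) <= 128)
    error_message = "root_pass must be 11-128 characters."
  }
}

locals {
  # Hypothetical helper: true when any login credential was supplied.
  has_credential = length(var.ssh_keys) > 0 || var.root_pass != null
}

resource "linode_instance" "this" {
  label           = "example-web1" # constructed value
  region          = "us-ord"
  type            = "g6-nanode-1"
  image           = var.image
  authorized_keys = [for k in values(var.ssh_keys) : chomp(k)] # file() keeps the trailing newline
  root_pass       = var.root_pass

  lifecycle {
    precondition {
      # The error message is static text, so the sensitive value never reaches plan output.
      condition     = var.image == null || local.has_credential
      error_message = "An image is deployed: set ssh_keys or root_pass."
    }
  }
}
```

With both `ssh_keys` and `root_pass` left unset, `terraform plan` stops with the precondition's message instead of failing later during apply.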
Verification
Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.
License
Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).