TerraformPilot

Terraform for Fedora CoreOS: Immutable Atomic Updates

Provision Fedora CoreOS instances with Terraform: Butane / Ignition config, OSTree updates, and Kubernetes / Podman workloads.

Luca Berton · 1 min read

Fedora CoreOS (FCOS) is the upstream-aligned, automatically-updating, container-focused Linux from Red Hat / Fedora. It's the foundation of OpenShift Container Platform and a fine standalone Podman host. Terraform deploys FCOS instances with Butane-generated Ignition configs.

Quick Pattern (TL;DR)

```hcl
# Latest Fedora-published FCOS AMI; note that the name glob alone does not
# distinguish the stable / testing / next streams.
data "aws_ami" "fcos" {
  most_recent = true
  owners      = ["125523088429"] # Fedora
  filter {
    name   = "name"
    values = ["fedora-coreos-*-x86_64"]
  }
}

resource "aws_instance" "fcos" {
  ami           = data.aws_ami.fcos.id
  instance_type = "t3.medium"
  user_data     = data.ct_config.host.rendered # Ignition JSON rendered from the Butane block below
}
```

Butane → Ignition

```hcl
# Requires the poseidon/ct provider, which transpiles Butane YAML into the
# Ignition JSON that FCOS consumes on first boot.
data "ct_config" "host" {
  content = <<-EOT
    variant: fcos
    version: 1.5.0
    passwd:
      users:
        - name: core
          ssh_authorized_keys:
            - ${chomp(file("~/.ssh/id_ed25519.pub"))}
    storage:
      files:
        # Zincati: apply OSTree updates only in a weekend maintenance window
        - path: /etc/zincati/config.d/55-updates.toml
          mode: 0644
          contents:
            inline: |
              [updates]
              strategy = "periodic"
              [updates.periodic]
              time_zone = "UTC"
              [[updates.periodic.window]]
              days = ["Sat", "Sun"]
              start_time = "03:00"
              length_minutes = 60
    systemd:
      units:
        - name: podman.socket
          enabled: true
  EOT
}
```

Best Practices

  • Pin the FCOS stream (stable / testing / next) per environment.
  • Use Zincati's update windows to avoid Friday-evening reboots.
  • Run workloads as Podman quadlets — pure FCOS pattern, no Docker.
  • Keep core user passwordless — only key-based SSH.
  • Use rpm-ostree usroverlay sparingly; remember the layer disappears on reboot.
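As an added example (not code from the original article), the stream-pinning, key-only SSH and quadlet practices above expressed in Terraform; the stream-metadata URL, the hashicorp/http data source, the region and the nginx image are my assumptions. The rendered output feeds the aws_instance user_data from the quick pattern in the same way as data.ct_config.host.rendered.

```hcl
terraform {
  required_providers {
    aws  = { source = "hashicorp/aws" }
    http = { source = "hashicorp/http" }
    ct   = { source = "poseidon/ct" }
  }
}
# Pin the stream per environment; any other value fails at plan time.
variable "fcos_stream" {
  type    = string
  default = "stable"
  validation {
    condition     = contains(["stable", "testing", "next"], var.fcos_stream)
    error_message = "fcos_stream must be stable, testing or next."
  }
}
# Resolve the AMI from Fedora's per-stream release metadata; an AMI name glob cannot tell streams apart.
data "http" "fcos_stream" {
  url = "https://builds.coreos.fedoraproject.org/streams/${var.fcos_stream}.json"
}
locals {
  region    = "us-east-1" # assumption: your deployment region
  fcos_meta = jsondecode(data.http.fcos_stream.response_body)
  fcos_ami  = local.fcos_meta.architectures.x86_64.images.aws.regions[local.region].image
}
# Key-only core user plus the workload as a Podman quadlet (web.container becomes web.service).
data "ct_config" "quadlet_host" {
  strict  = true # reject unknown Butane keys instead of silently ignoring them
  content = <<-EOT
    variant: fcos
    version: 1.5.0
    passwd:
      users:
        - name: core   # no password_hash, so only the listed key can log in
          ssh_authorized_keys:
            - ${chomp(file("~/.ssh/id_ed25519.pub"))}
    storage:
      files:
        - path: /etc/containers/systemd/web.container
          mode: 0644
          contents:
            inline: |
              [Container]
              # pin a tag or digest rather than :latest
              Image=docker.io/library/nginx:1.25
              PublishPort=8080:80
              [Install]
              WantedBy=multi-user.target
  EOT
}
```

Use local.fcos_ami as the aws_instance ami and data.ct_config.quadlet_host.rendered as its user_data; systemd generates web.service from the quadlet file on first boot.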