Init Hetzner credentials with hyops init hetzner

Purpose: Initialise Hetzner runtime credentials so Terraform/Terragrunt stacks can run. Owner: Platform operations Trigger: First-time environment bootstrap, new workstation/runner. Impact: Without a token, Hetzner stacks cannot apply. Severity: P3 Pre-reqs: curl installed; a Hetzner Cloud API token. Rollback strategy: Remove the generated credentials file under <root>/credentials/ and re-run init.

---

Context

hyops init hetzner writes:

• Non-secret config: <root>/config/hetzner.conf
• Sensitive credentials: <root>/credentials/hetzner.credentials.tfvars (mode 0600)
• Readiness marker: <root>/meta/hetzner.ready.json

Token handling:

• Recommended: store HCLOUD_TOKEN in the runtime vault bundle.
• Alternative: export HCLOUD_TOKEN in the shell for a single command execution.
• Interactive bootstrap: run hyops init hetzner and enter token at the hidden prompt.

---

Preconditions and safety checks

• Confirm required tools exist:

  command -v curl
  

• If you plan to store HCLOUD_TOKEN in the runtime vault bundle (recommended):

  hyops vault status-verbose
  # In a fresh shell you may need to unlock once:
  hyops vault password >/dev/null
  

  Notes:

• After hyops vault bootstrap, HyOps remembers the provider command at ~/.hybridops/config/vault-password-command.

---

Steps

1) Generate the config template (first run only)

• Command:

  hyops init hetzner --env dev
  

• Expected result:

• If the config does not exist, HyOps writes a template and exits with guidance.

2) Provide the token (recommended: runtime vault)

• Action: export the token in the current shell, then store it encrypted in the per-env vault bundle.

• Commands:

  export HCLOUD_TOKEN='...'
  hyops secrets set --env dev --from-env HCLOUD_TOKEN
  

Alternative (interactive bootstrap):

hyops init hetzner --env dev

If no token is found in env/vault, HyOps prompts:

HCLOUD_TOKEN not found. Enter token (hidden):
HCLOUD_TOKEN:

If an existing token is present but invalid, HyOps prompts for replacement:

Hetzner token invalid. Enter replacement (hidden) or Ctrl+C.
HCLOUD_TOKEN:

3) Run init

• Command:

  hyops init hetzner --env dev
  

• Expected result: target=hetzner status=ready and hetzner.credentials.tfvars is written.

• Validation behavior: token is validated against Hetzner API before readiness is written.

---

Troubleshooting

ERR: Hetzner token validation failed; see evidence

• Meaning: token was accepted as input, but Hetzner API validation failed.

• Remediation:

  hyops init hetzner --env dev --force
  

  Then enter a replacement token at the hidden prompt.

not ready from hyops vault status-verbose

• Meaning: vault password provider exists but cannot decrypt in the current shell.

• Remediation:

  hyops vault password >/dev/null
  hyops vault status-verbose
  

---

Verification

• Confirm readiness marker exists:

  cat ~/.hybridops/envs/dev/meta/hetzner.ready.json
  

• Confirm credentials file exists and is protected:

  ls -la ~/.hybridops/envs/dev/credentials/hetzner.credentials.tfvars
  

---

References

• Init annex: Hetzner
• Runbook — Generate bootstrap secrets

---

Maintainer: HybridOps.Studio License: MIT-0 for code, CC-BY-4.0 for documentation