Secure, Automated Hosting for OpenClaw on Azure & Oracle Cloud.
This repository contains Infrastructure as Code (IaC) using Terraform to deploy an optimized OpenClaw instance on two cloud providers. It follows SRE Best Practices (Infrastructure as Code, Immutable Infrastructure) and leverages Free Tier resources where available.
- Azure: Tuned for Azure for Students (
Standard_B2pls_v2). - Oracle Cloud: Tuned for Always Free Tier (
VM.Standard.A1.Flex).
- One-Command Deploy: Uses a
Makefileto simplify Packer image builds and Terraform workflows. - Upcoming TUI Deployer: A Go-based Terminal User Interface is roadmapped to wrap these workflows for an interactive, wizard-like deployment experience.
- Immutable Infrastructure: Pre-bakes tools (
tmux, OpenClaw CLI) into a "Golden Image" using HashiCorp Packer for reliable, fast scaling. - Zero-Touch Provisioning: Automatically injects the secure Gateway Token via
cloud-init.
- Locked Down SSH: Restricts SSH access to your specific IP
allowed_ssh_cidr. - Secure Token: Auto-generates a cryptographically secure
GATEWAY_TOKENand injects it into the VM environment. - Granular Network Security:
- Oracle: Uses Network Security Groups (NSGs) instead of broad Security Lists for precise firewall rules.
- Azure: Uses Application Security Groups (ASGs) pattern via NSG rules.
- Encrypted State: Sensitive data (tokens) are marked
sensitivein Terraform. - Remote State (Optional): Supports storing Terraform state in Azure Storage or OCI Object Storage for safety.
- Automated Backups:
- Azure: Integrated Recovery Services Vault (Daily Backups).
- Oracle: (Manual setup recommended for Free Tier).
| Feature | Azure (Student B2pls_v2) | Oracle (Always Free A1) |
|---|---|---|
| Compute | $16.35/mo | $0.00/mo |
| Storage | $3.31/mo (64GB Disk) | $0.00/mo (50GB) |
| Network | $3.65/mo (Public IP) | $0.00/mo |
| Backup | ~$16.31/mo (Daily + Retention) | Manual/Scripts |
| Total | ~$39.62/mo* | $0.00/mo |
*Azure costs are often covered by Student Credits ($100/yr). Oracle is Always Free.
To run this project, you must first build a "Golden Image" (AMI/Custom Image) containing the pre-installed tools using HashiCorp Packer, and then deploy the infrastructure using Terraform.
- Cloud Account: Azure Subscription OR Oracle Cloud Account.
- Packer & Terraform:
brew install hashicorp/tap/packer hashicorp/tap/terraform - SSH Key:
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa - (Optional) Azure CLI / OCI CLI for remote state setup.
- (Optional) DevOps Tools:
brew install tflint tfsec infracost terraform-docs - Git Hooks Engine (Husky): Requires Node.js and
pnpm. Initialize validations before contributing:npm install -g pnpm pnpm install
Run these commands from the root of the repository:
For Azure:
# Ensure ARM_* environment variables are exported (ARM_CLIENT_ID, etc.)
make build-azure
# NOTE: Copy the output image name (e.g., openclaw-ubuntu-arm64-1708535212)For Oracle: Packer needs to know where to securely boot the temporary compilation VM in your cloud. We provide this configuration declaratively via a variables file.
Copy the example file and fill in your infrastructure OCIDs:
cd packer/oracle
cp oracle.auto.pkrvars.hcl.example oracle.auto.pkrvars.hcl
nano oracle.auto.pkrvars.hcl
cd ../..(Make sure your ~/.oci/config is correctly formatted in INI as shown in the next section).
To build using the Makefile wrapper, run from the root directory:
make build-oracle
# NOTE: Copy the output image name (e.g., openclaw-ubuntu-arm64-1708535212)cd environments/dev/azure
cp terraform.tfvars.example terraform.tfvars
nano terraform.tfvars
# Set 'allowed_ssh_cidr' to your public IP
# Set 'custom_image_name' to the Packer output name from Step 1
cd ../../..cd environments/dev/oracle
cp terraform.tfvars.example terraform.tfvars
nano terraform.tfvars
# Set 'allowed_ssh_cidr' to your public IP
# Set 'custom_image_name' to the Packer output name from Step 1
cd ../../..1. Required Oracle Authentication (Native Profile):
Create an OCI INI profile at ~/.oci/config. Do not hardcode credentials into the terraform.tfvars file. Both Packer and Terraform natively read this file!
[DEFAULT]
user=ocid1.user.oc1..xxxx
fingerprint=05:ee:b8:b0...
key_file=~/Documents/DevOps/OCI/key.pem
tenancy=ocid1.tenancy.oc1..xxxx
region=us-ashburn-12. Required Infrastructure Configuration (terraform.tfvars):
compartment_ocid: The OCID where resources will be deployed.allowed_ssh_cidr: The exact IP address allowed to SSH in (e.g.,203.0.113.1/32).custom_image_name: The exact image name outputted by the Packer build step.
Store your infrastructure state in the cloud to prevent data loss.
For Azure:
make setup-state-azure # Creates Storage Account & Generates backend.conf
make init-azure # Initializes with remote backendFor Oracle:
make setup-state-oracle # Shows instructions for OCI Object Storage
# Follow instructions to create backend.conf
make init-oracle # Initializes with remote backend(You can skip this to use local state, but backing up environments/ is critical).
Run from the root directory:
Deploy to Azure:
make init-azure # If not run in step 2
make deploy-azure # Validates, Plans, and AppliesDeploy to Oracle:
make init-oracle # If not run in step 2
make deploy-oracle # Validates, Plans, and AppliesThe Makefile handles IP retrieval and SSH commands automatically.
Connect:
make ssh-azure # Connects as 'azureuser'
# OR
make ssh-oracle # Connects as 'ubuntu'Tip
Highly Recommended Workflow: Check out our Universal SSH & Tmux Master Guide to learn how to keep your processes running flawlessly even if your WiFi drops!
Configure: Inside the VM (works for both):
# 1. Verify installation
openclaw --version
# 2. Link your accounts (WhatsApp, Telegram, etc.)
# Note: Your GATEWAY_TOKEN is already set in /etc/environment
openclaw configureIf you need your secure Gateway Token for external clients:
make token-azure
# OR
make token-oracle| Target | Description |
|---|---|
build-[cloud] |
Build the Golden Image using Packer. |
deploy-[cloud] |
Deploy entire stack using Terraform. |
ssh-[cloud] |
SSH into VM. |
destroy-[cloud] |
Destroy resources. |
token-[cloud] |
Reveal the auto-generated GATEWAY_TOKEN. |
setup-state-[cloud] |
Setup Remote State Storage. |
| Target | Description | Tool Required |
|---|---|---|
make lint |
Check code style & errors. | tflint |
make security |
Scan for security vulnerabilities. | tfsec |
make cost |
Estimate monthly cloud costs. | infracost |
make docs |
Auto-generate README inputs/outputs. | terraform-docs |
openclaw-azure-iac/
βββ Makefile # Multi-cloud commands
βββ environments/ # Instantiated infrastructure environments
β βββ dev/
β βββ azure/ # Dev environment for Azure
β βββ oracle/ # Dev environment for Oracle
βββ modules/ # Reusable Terraform logic
β βββ azure-openclaw/ # Core Azure configurations
β βββ oracle-openclaw/ # Core Oracle configurations
βββ packer/ # Immutable server configurations
β βββ azure/ # Azure Packer template
β βββ oracle/ # Oracle Packer template
βββ README.md # This file
Error: 500 Internal Server Error or Out of capacity.
Cause: The Ampere A1 Free Tier is popular and sometimes regions run out of capacity.
Solution:
- Retry the deployment later (
make deploy-oracle). - Switch regions if possible (requires new account/tenancy).
- Upgrade to Pay-As-You-Go (you still get the free tier, but with higher priority).
Cause: Your IP address changed or allowed_ssh_cidr is incorrect.
Solution:
- Check your IP:
curl ifconfig.me - Update
environments/dev/[cloud]/terraform.tfvars. - Run
make deploy-[cloud]to update the Security Group rules.
MIT