✨ add Hetzner Cloud platform detection

Detect Hetzner Cloud instances via DMI sys_vendor ("Hetzner") and
resolve instance identity from the metadata service at
169.254.169.254/hetzner/v1/metadata. Wires into clouddetect and
the os cloud resource resolver.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: tas50

providers/os/id/clouddetect/clouddetect.go

@@ -12,6 +12,7 @@ import (
 	"go.mondoo.com/mql/v13/providers/os/id/aws"
 	"go.mondoo.com/mql/v13/providers/os/id/azure"
 	"go.mondoo.com/mql/v13/providers/os/id/gcp"
+	"go.mondoo.com/mql/v13/providers/os/id/hetzner"
 	"go.mondoo.com/mql/v13/providers/os/id/ibm"
 	"go.mondoo.com/mql/v13/providers/os/id/vmware"
 )
@@ -34,14 +35,16 @@ var (
 	AZURE   CloudProviderType = "AZURE"
 	VMWARE  CloudProviderType = "VMWARE"
 	IBM     CloudProviderType = "IBM"
+	HETZNER CloudProviderType = "HETZNER"
 )
 
 var detectors = map[CloudProviderType]detectorFunc{
-	AWS:    aws.Detect,
-	GCP:    gcp.Detect,
-	AZURE:  azure.Detect,
-	VMWARE: vmware.Detect,
-	IBM:    ibm.Detect,
+	AWS:     aws.Detect,
+	GCP:     gcp.Detect,
+	AZURE:   azure.Detect,
+	VMWARE:  vmware.Detect,
+	IBM:     ibm.Detect,
+	HETZNER: hetzner.Detect,
 }
 
 // PlatformInfo contains platform information gathered from one of our cloud detectors.

providers/os/id/hetzner/hetzner.go

@@ -0,0 +1,61 @@
+// Copyright (c) Mondoo, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package hetzner
+
+import (
+	"strings"
+
+	"github.com/rs/zerolog/log"
+	"github.com/spf13/afero"
+	"go.mondoo.com/mql/v13/providers-sdk/v1/inventory"
+	"go.mondoo.com/mql/v13/providers/os/connection/shared"
+	"go.mondoo.com/mql/v13/providers/os/id/hetznercloud"
+	"go.mondoo.com/mql/v13/providers/os/resources/smbios"
+)
+
+const (
+	hetznerIdentifierFileLinux = "/sys/class/dmi/id/sys_vendor"
+)
+
+func Detect(conn shared.Connection, pf *inventory.Platform) (string, string, []string) {
+	sysVendor := ""
+	if pf.IsFamily(inventory.FAMILY_LINUX) {
+		content, err := afero.ReadFile(conn.FileSystem(), hetznerIdentifierFileLinux)
+		if err != nil {
+			log.Debug().Err(err).Msgf("unable to read %s", hetznerIdentifierFileLinux)
+			return "", "", nil
+		}
+		sysVendor = strings.TrimSpace(string(content))
+	} else {
+		smbiosMgr, err := smbios.ResolveManager(conn, pf)
+		if err != nil {
+			log.Debug().Err(err).Msg("failed to resolve smbios manager")
+			return "", "", nil
+		}
+
+		info, err := smbiosMgr.Info()
+		if err != nil {
+			log.Debug().Err(err).Msg("failed to query smbios")
+			return "", "", nil
+		}
+		sysVendor = info.SysInfo.Vendor
+	}
+
+	if strings.Contains(sysVendor, "Hetzner") {
+		mdsvc, err := hetznercloud.Resolve(conn, pf)
+		if err != nil {
+			log.Debug().Err(err).Msg("failed to get hetzner metadata resolver")
+			return "", "", nil
+		}
+		id, err := mdsvc.Identify()
+		if err == nil {
+			return id.InstanceID, id.Hostname, nil
+		}
+		log.Debug().Err(err).
+			Strs("platform", pf.GetFamily()).
+			Msg("failed to get Hetzner platform id")
+	}
+
+	return "", "", nil
+}

providers/os/id/hetznercloud/hetznercloud.go

@@ -0,0 +1,113 @@
+// Copyright (c) Mondoo, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package hetznercloud
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"strings"
+
+	"go.mondoo.com/mql/v13/providers-sdk/v1/inventory"
+	"go.mondoo.com/mql/v13/providers/os/connection/shared"
+	"gopkg.in/yaml.v3"
+)
+
+const (
+	metadataSvcURL = "http://169.254.169.254/hetzner/v1/metadata"
+)
+
+func MondooHetznerInstanceID(instanceID string) string {
+	return "//platformid.api.mondoo.app/runtime/hetzner/instances/" + instanceID
+}
+
+type Identity struct {
+	InstanceID string
+	Hostname   string
+	Region     string
+}
+
+type InstanceIdentifier interface {
+	Identify() (Identity, error)
+	RawMetadata() (any, error)
+}
+
+func Resolve(conn shared.Connection, pf *inventory.Platform) (InstanceIdentifier, error) {
+	if pf.IsFamily(inventory.FAMILY_UNIX) {
+		return &commandInstanceMetadata{conn, pf}, nil
+	}
+	return nil, fmt.Errorf(
+		"hetzner cloud id detector is not supported for your asset: %s %s",
+		pf.Name, pf.Version,
+	)
+}
+
+// hetznerMetadata represents the YAML structure returned by the Hetzner metadata service
+type hetznerMetadata struct {
+	InstanceID       int    `yaml:"instance-id"`
+	Hostname         string `yaml:"hostname"`
+	Region           string `yaml:"region"`
+	AvailabilityZone string `yaml:"availability-zone"`
+	LocalIPv4        string `yaml:"local-ipv4"`
+}
+
+type commandInstanceMetadata struct {
+	conn     shared.Connection
+	platform *inventory.Platform
+}
+
+func (m *commandInstanceMetadata) RawMetadata() (any, error) {
+	data, err := m.fetchMetadata()
+	if err != nil {
+		return nil, err
+	}
+
+	var rawMap map[string]any
+	if err := yaml.Unmarshal(data, &rawMap); err != nil {
+		return nil, err
+	}
+	return rawMap, nil
+}
+
+func (m *commandInstanceMetadata) Identify() (Identity, error) {
+	data, err := m.fetchMetadata()
+	if err != nil {
+		return Identity{}, err
+	}
+
+	md := hetznerMetadata{}
+	if err := yaml.Unmarshal(data, &md); err != nil {
+		return Identity{}, fmt.Errorf("failed to decode Hetzner metadata: %w", err)
+	}
+
+	if md.InstanceID == 0 {
+		return Identity{}, errors.New("hetzner metadata did not contain an instance-id")
+	}
+
+	return Identity{
+		InstanceID: MondooHetznerInstanceID(fmt.Sprintf("%d", md.InstanceID)),
+		Hostname:   md.Hostname,
+		Region:     md.Region,
+	}, nil
+}
+
+func (m *commandInstanceMetadata) fetchMetadata() ([]byte, error) {
+	cmdStr := fmt.Sprintf("curl --retry 3 --retry-delay 1 --connect-timeout 1 --retry-max-time 5 --max-time 10 --noproxy '*' %s", metadataSvcURL)
+	cmd, err := m.conn.RunCommand(cmdStr)
+	if err != nil {
+		return nil, err
+	}
+
+	data, err := io.ReadAll(cmd.Stdout)
+	if err != nil {
+		return nil, err
+	}
+
+	content := strings.TrimSpace(string(data))
+	if content == "" {
+		return nil, errors.New("empty response from Hetzner metadata service")
+	}
+
+	return []byte(content), nil
+}

providers/os/resources/cloud/cloud.go

@@ -43,6 +43,8 @@ func Resolve(conn shared.Connection) (OSCloud, error) {
 		return &vmware{conn}, nil
 	case clouddetect.IBM:
 		return &ibm{conn}, nil
+	case clouddetect.HETZNER:
+		return &hetznerCloud{conn}, nil
 	default:
 		return &none{}, nil
 	}

providers/os/resources/cloud/hetzner.go

@@ -0,0 +1,61 @@
+// Copyright (c) Mondoo, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package cloud
+
+import (
+	"errors"
+
+	"github.com/rs/zerolog/log"
+	"go.mondoo.com/mql/v13/providers/os/connection/shared"
+	"go.mondoo.com/mql/v13/providers/os/id/hetznercloud"
+)
+
+const HETZNER Provider = "Hetzner"
+
+// hetznerCloud implements the OSCloud interface for Hetzner Cloud
+type hetznerCloud struct {
+	conn shared.Connection
+}
+
+func (h *hetznerCloud) Provider() Provider {
+	return HETZNER
+}
+
+func (h *hetznerCloud) Instance() (*InstanceMetadata, error) {
+	mdsvc, err := hetznercloud.Resolve(h.conn, h.conn.Asset().GetPlatform())
+	if err != nil {
+		log.Debug().Err(err).Msg("os.cloud.hetzner> failed to get metadata resolver")
+		return nil, err
+	}
+	metadata, err := mdsvc.RawMetadata()
+	if err != nil {
+		log.Debug().Err(err).Msg("os.cloud.hetzner> failed to get raw metadata")
+		return nil, err
+	}
+	if metadata == nil {
+		log.Debug().Msg("os.cloud.hetzner> no metadata found")
+		return nil, errors.New("no metadata")
+	}
+
+	instanceMd := InstanceMetadata{Metadata: metadata}
+
+	m, ok := metadata.(map[string]any)
+	if !ok {
+		return &instanceMd, errors.New("unexpected raw metadata")
+	}
+
+	if value, ok := m["hostname"]; ok {
+		if hostname, ok := value.(string); ok {
+			instanceMd.PrivateHostname = hostname
+		}
+	}
+
+	if value, ok := m["local-ipv4"]; ok {
+		if localIP, ok := value.(string); ok && localIP != "" {
+			instanceMd.PrivateIpv4 = []Ipv4Address{{IP: localIP}}
+		}
+	}
+
+	return &instanceMd, nil
+}