stefansundin / terraform-provider-ssh


This provider enables SSH port forwarding in Terraform.

License: Mozilla Public License 2.0

Languages: Go 68.40%, HCL 6.54%, Makefile 25.06%
Topics: terraform-provider, ssh-tunnel

terraform-provider-ssh's Introduction

This provider enables SSH port forwarding in Terraform. It is intended as a band-aid until port forwarding is supported in Terraform itself.

This provider does not support Terraform v0.12 yet. There were changes in v0.12 that make the upgrade non-trivial.

Example

See main.tf.

Installation

On Linux (run from the directory that holds your Terraform configuration; Terraform 0.11 looks for third-party plugins in terraform.d/plugins/<os>_<arch> relative to the working directory):

mkdir -p terraform.d/plugins/linux_amd64
wget https://github.com/stefansundin/terraform-provider-ssh/releases/download/v0.0.4/terraform-provider-ssh_v0.0.4_linux_amd64.zip
unzip terraform-provider-ssh_v0.0.4_linux_amd64.zip -d terraform.d/plugins/linux_amd64
rm terraform-provider-ssh_v0.0.4_linux_amd64.zip
terraform init

On Mac:

mkdir -p terraform.d/plugins/darwin_amd64
wget https://github.com/stefansundin/terraform-provider-ssh/releases/download/v0.0.4/terraform-provider-ssh_v0.0.4_darwin_amd64.zip
unzip terraform-provider-ssh_v0.0.4_darwin_amd64.zip -d terraform.d/plugins/darwin_amd64
rm terraform-provider-ssh_v0.0.4_darwin_amd64.zip
terraform init

Applying an output file

Note that there is a gotcha when applying a saved plan file (terraform plan -out=... followed by terraform apply on that file; see issue #1): the SSH tunnels opened during plan are no longer open when apply runs, and apply does not open them again automatically.

As a workaround, run the companion program terraform-open-ssh-tunnels on the plan file before you apply; it reopens the SSH tunnels described in the plan. It can be downloaded from the releases page.

Because of this commit, the companion program currently supports authentication via the SSH agent only. Let me know if you can think of a good fix for this.

TODO

  • Support another hop (ProxyJump-like behavior)
  • Note that the Windows binary is completely untested!

terraform-provider-ssh's People

Contributors

mirnujatom, nexusix, stefansundin

terraform-provider-ssh's Issues

Version bump

Hey. How about a version bump, for example to 0.1? At the moment, terraform shows provider version 0.0, and this is a bit confusing.

Support CertificateFile

Our bastion host verifies a certificate in addition to the SSH key. For example, to establish an SSH tunnel to a private Postgres DB server via the bastion, we'll run

ssh -N -o CertificateFile=~/.ssh/cert.pub -L 5432:pg.foo.com:5432 [email protected]

I'd love to see a certificate_file option in the tunnel data source. Certificates are supported in the underlying Go library golang.org/x/crypto/ssh. I would appreciate an assessment on whether this feature is relatively easy to implement. If so, I can spend time working on it with some general directions from the project owner(s).

first terraform apply works, but subsequent plans or applies fail

First off, thanks for making this provider, I've been wanting to have this functionality in terraform for a while.

I'm trying to use this module to maintain keys in a consul cluster that sits behind a jumpbox. It works great the first time, but when attempting to run terraform plan or terraform apply a second time, terraform crashes.

terraform version info:

$ terraform version
Terraform v0.11.5
+ provider.consul v1.0.0
+ provider.local v1.1.0
+ provider.ssh (unversioned)

Here's what I'm seeing:

$ terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

data.local_file.jumpbox_private_key: Refreshing state...
data.local_file.confs[3]: Refreshing state...
data.local_file.confs[0]: Refreshing state...
data.local_file.confs[1]: Refreshing state...
data.local_file.apps[2]: Refreshing state...
data.local_file.apps[1]: Refreshing state...
data.local_file.confs[2]: Refreshing state...
data.local_file.apps[0]: Refreshing state...
data.ssh_tunnel.consul: Refreshing state...
consul_key_prefix.confs: Refreshing state... (ID: nginx/3/confs/)
consul_key_prefix.apps: Refreshing state... (ID: nginx/3/apps/)

------------------------------------------------------------------------

Error: Error running plan: 1 error(s) occurred:

* module.ssh.provider.ssh: connection is shut down


panic: read tcp 127.0.0.1:57681->127.0.0.1:57684: read: connection reset by peer
2018-03-21T16:25:07.639-0700 [DEBUG] plugin.terraform-provider-ssh:
2018-03-21T16:25:07.639-0700 [DEBUG] plugin.terraform-provider-ssh: goroutine 76 [running]:
2018-03-21T16:25:07.639-0700 [DEBUG] plugin.terraform-provider-ssh: main.dataSourceSSHTunnelRead.func1.1(0xc420010ff0, 0x1fa4f20, 0xc42016b020, 0x1fa4fe0, 0xc4202f80c8)
2018-03-21T16:25:07.639-0700 [DEBUG] plugin.terraform-provider-ssh:     /Users/tomwganem/go/src/github.com/stefansundin/terraform-provider-ssh/data_source_ssh_tunnel.go:153 +0x114
2018-03-21T16:25:07.639-0700 [DEBUG] plugin.terraform-provider-ssh: created by main.dataSourceSSHTunnelRead.func1
2018-03-21T16:25:07.639-0700 [DEBUG] plugin.terraform-provider-ssh:     /Users/tomwganem/go/src/github.com/stefansundin/terraform-provider-ssh/data_source_ssh_tunnel.go:150 +0xcc
2018/03/21 16:25:07 [DEBUG] Attaching resource state to "data.local_file.apps": &terraform.ResourceState{Type:"local_file", Dependencies:[]string{}, Primary:(*terraform.InstanceState)(0xc420422dc0), Deposed:[]*terraform.InstanceState{}, Provider:"provider.local", mu:sync.Mutex{state:0, sema:0x0}}
2018/03/21 16:25:07 [DEBUG] Attaching resource state to "data.local_file.jumpbox_private_key": &terraform.ResourceState{Type:"local_file", Dependencies:[]string{}, Primary:(*terraform.InstanceState)(0xc420422d20), Deposed:[]*terraform.InstanceState{}, Provider:"provider.local", mu:sync.Mutex{state:0, sema:0x0}}
2018/03/21 16:25:07 [DEBUG] Attaching resource state to "module.ssh.data.ssh_tunnel.consul": &terraform.ResourceState{Type:"ssh_tunnel", Dependencies:[]string{}, Primary:(*terraform.InstanceState)(0xc420423590), Deposed:[]*terraform.InstanceState{}, Provider:"module.ssh.provider.ssh", mu:sync.Mutex{state:0, sema:0x0}}
2018/03/21 16:25:07 [DEBUG] Attaching resource state to "module.confs.data.local_file.confs": &terraform.ResourceState{Type:"local_file", Dependencies:[]string{}, Primary:(*terraform.InstanceState)(0xc420423090), Deposed:[]*terraform.InstanceState{}, Provider:"provider.local", mu:sync.Mutex{state:0, sema:0x0}}
2018/03/21 16:25:07 [DEBUG] Attaching resource state to "module.consul.consul_key_prefix.confs": &terraform.ResourceState{Type:"consul_key_prefix", Dependencies:[]string{}, Primary:(*terraform.InstanceState)(0xc420423450), Deposed:[]*terraform.InstanceState{}, Provider:"module.consul.provider.consul", mu:sync.Mutex{state:0, sema:0x0}}
2018/03/21 16:25:07 [TRACE] Graph after step *terraform.AttachStateTransformer:
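The trace above shows the provider's tunnel goroutine (data_source_ssh_tunnel.go:153) panicking when a read on the forwarded connection fails with "connection reset by peer". As an added example that is not the provider's code, the following stand-alone Go program shows the shape of a local forwarder whose copy loop returns such errors to a logger instead of panicking, and it reproduces the reset with a client that closes with SO_LINGER=0. It uses only the standard library, so it forwards plain TCP on loopback rather than through an SSH channel; the echo service is a constructed stand-in for the forwarded target (Consul in the report above), and the names forwardConn, serveLoopback, startTunnel, startEcho and roundTrip are this example's own.

```go
package main

import (
	"errors"
	"io"
	"net"
	"sync"
)

// forwardConn shuttles bytes both ways between a tunnel client and the target
// until both directions finish. Errors are returned, never panicked.
func forwardConn(client, target net.Conn) error {
	var wg sync.WaitGroup
	var errs [2]error // one slot per direction; read only after wg.Wait
	pump := func(i int, dst, src net.Conn) {
		defer wg.Done()
		_, errs[i] = io.Copy(dst, src)
		if hc, ok := dst.(interface{ CloseWrite() error }); ok {
			_ = hc.CloseWrite() // half-close: the peer's reader sees EOF
		} else {
			_ = dst.Close()
		}
	}
	wg.Add(2)
	go pump(0, target, client)
	go pump(1, client, target)
	wg.Wait()
	client.Close()
	target.Close()
	for _, err := range errs {
		if err != nil && !errors.Is(err, net.ErrClosed) {
			return err // e.g. "read: connection reset by peer"
		}
	}
	return nil
}

// serveLoopback binds an ephemeral 127.0.0.1 port (as the provider does) and
// runs handle on its own goroutine per accepted connection until ln is closed.
func serveLoopback(handle func(net.Conn)) (net.Listener, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go handle(c)
		}
	}()
	return ln, nil
}

// startTunnel forwards a loopback port to targetAddr. A failing client only
// ends its own handler: the error goes to logf and the accept loop carries on.
func startTunnel(targetAddr string, logf func(string, ...interface{})) (net.Listener, error) {
	return serveLoopback(func(client net.Conn) {
		target, err := net.Dial("tcp", targetAddr)
		if err != nil {
			logf("dial %s: %v", targetAddr, err)
			client.Close()
			return
		}
		if err := forwardConn(client, target); err != nil {
			logf("forward from %s: %v", client.RemoteAddr(), err)
		}
	})
}

// startEcho is a constructed stand-in for the forwarded service: it echoes
// each connection's bytes back until the peer half-closes.
func startEcho() (net.Listener, error) {
	return serveLoopback(func(c net.Conn) { defer c.Close(); io.Copy(c, c) })
}

// roundTrip sends msg through the tunnel and reads the echo back. With abrupt
// set, the client closes with SO_LINGER=0 so the kernel sends RST, not FIN.
func roundTrip(tunnelAddr, msg string, abrupt bool) (string, error) {
	c, err := net.Dial("tcp", tunnelAddr)
	if err != nil {
		return "", err
	}
	defer c.Close()
	if _, err := c.Write([]byte(msg)); err != nil {
		return "", err
	}
	buf := make([]byte, len(msg))
	if _, err := io.ReadFull(c, buf); err != nil {
		return "", err
	}
	if abrupt {
		_ = c.(*net.TCPConn).SetLinger(0)
	}
	return string(buf), nil
}
```

To exercise it, start startEcho, pass its address to startTunnel together with log.Printf, then call roundTrip with abrupt set and once more without: the reset is logged by the first call and the second still succeeds, which is exactly what a goroutine that panics on the read error cannot do. An unreachable target is reported the same way, through logf and a closed client connection, rather than by taking the whole plugin process down.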

Terraform 0.12 support

I noticed the note in the readme:

This provider does not support Terraform v0.12 yet. There were some changes made that makes the upgrade non-trivial.

Could you share what parts of the upgrade you believe will be nontrivial? This provider would help us out a lot at @TakeScoop, happy to work on the upgrade and support future maintenance!

Plan generated, apply failed

The tunnel on the local port is not recreated when using the plan/apply approach with a dedicated plan file.

$ terraform plan -out=terraform.tfplan
...
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  + module.app_core_de.mysql_database.this
      id:                    <computed>
      default_character_set: "utf8"
      default_collation:     "utf8_general_ci"
      name:                  "stage_whatever"

  + module.app_core_de.mysql_grant.this
      id:                    <computed>
      database:              "stage_whatever"
      grant:                 "false"
      host:                  "%"
      privileges.#:          "1"
      privileges.2914988887: "ALL"
      user:                  "stage_whatever"

  + module.app_core_de.mysql_user.this
      id:                    <computed>
      host:                  "%"
      plaintext_password:    <sensitive>
      user:                  "stage_whatever"


Plan: 3 to add, 0 to change, 0 to destroy.

------------------------------------------------------------------------

This plan was saved to: terraform.tfplan

When you run apply, the local port is already released.
It fails with both static and ephemeral local port bindings.

$ terraform apply terraform.tfplan
...
Error: Error applying plan:

1 error(s) occurred:

* provider.mysql: dial tcp 127.0.0.1:49876: getsockopt: connection refused

Run time versions:

$ terraform version
Terraform v0.11.0
+ provider.aws v1.3.1
+ provider.mysql v1.0.0
+ provider.null v1.0.0
+ provider.random v1.0.0
+ provider.ssh (unversioned)
+ provider.template v1.0.0

Possible to hop twice?

Is there any way to use this provider for two hop proxies? Basically I need to ssh first to a bastion in a public subnet then to another node in a private subnet in order to access a resource. This is the manual equivalent:

//see: https://superuser.com/questions/96489/an-ssh-tunnel-via-multiple-hops
Tunnel from localhost to host1 and from host1 to host2:

ssh -L 9999:localhost:9999 host1 ssh -L 9999:localhost:1234 -N host2

This will open a tunnel from localhost to host1 and another tunnel from host1 to host2. However the port 9999 to host2:1234 can be used by anyone on host1. This may or may not be a problem.

Connection refused errors sometimes

Hello!

I'm using your plugin and expect to see "connection refused" or "unexpected EOF" sometimes. It means that there can be 5 successful executions and then 1 or 2 failed ones, or it can fail 5 times and then 1 passes.

It also reproduces on both local and CI servers.
How should I debug the following behaviour to provide you with the needed info?
I'm using terraform 0.11.14 & provider ssh 0.0.3 (but it is also related to 0.0.2).
I'm using the ssh provider to reach my EKS cluster through a bastion instance.

Log from CI - ci-log.txt
