4

I'm very new to terraform so maybe this is not a great question. But I'm running through [this Amazon EC2 example] and at one point it tries to SSH to the machine, I assume to install nginx. This is always bombing out for me, and I just see repeated attempts to login to the server.

It has occurred to me that perhaps this is because on this first login attempt SSH is asking for me to trust the remote machine and add it to the known_hosts file. There's no point at which I am (visibly) prompted for this.

So now I wonder, exactly how does terraform handle known_hosts. I cloned down the repo and grepped through it for known_hosts, but found nothing.

Randy L
  • 147
  • 1
  • 8
  • Terraform will repeatedly try to SSH into the machine until it either succeeds or it times out. Depending on how your image is configured, it may take a while for the SSH server to become available, but the most common cause of this issue is that the instance's security groups are not permitting the connection on port 22. If Terraform is SSHing via the instance's public IP address and you're trying to provision from outside of your VPC you'll need to explicitly allow the incoming connection from your provisioning host on port 22. – Martin Atkins Nov 22 '15 at 22:37
  • To more directly answer your question: Terraform does not run the 'ssh' command directly, but rather it uses an SSH library written in Go to open SSH connections. This SSH library does not directly pay attention to OpenSSH options, and will by default just accept any host key unless the calling application provides a checking function. As far as I can tell from Terraform's source code, it does not provide such a function. – Martin Atkins Nov 22 '15 at 22:41

2 Answers

7

Terraform does not run the ssh command line tool nor use OpenSSH as a library. Instead, it uses an alternative SSH client implementation written in Go.

By default this SSH client does not do any host verification, and Terraform does not override this default. Thus it is not necessary to verify the host id as you would on the first connection with ssh. This SSH client library does not consider the OpenSSH configuration files, so setting options there regarding host checking will have no effect.

Terraform repeatedly tries to connect to the remote host until either it succeeds or until it hits a timeout. There are two common causes for timeouts:

  • The security group rules for the target instance do not permit connections on TCP port 22 from the host where Terraform is running. This can be addressed by adding a new ingress rule to one of the instance's security groups.
  • Terraform is attempting to use the public IP address when the security groups expect private, or vice-versa. The connection block can be used to tell Terraform how to connect. For the public IP address use ${self.public_ip}, or for the private IP address use ${self.private_ip}, where public_ip and private_ip are both attributes of the aws_instance resource type.

Note that when Terraform connects to an instance's public IP address the security group must permit SSH connections from the public IP address of the host where Terraform is running (which might actually be the address of a NAT gateway) while for connecting to the private IP address the security group must permit either the private IP of the Terraform host (assuming it's running on an EC2 instance) or of the VPN gateway that is being used to tunnel to the private IP address from outside of EC2.

Martin Atkins
  • 2,188
  • 18
  • 19
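The two timeout causes above (a security group that does not admit TCP/22 from the provisioning host, and a connection block pointed at the wrong address) can be handled in one configuration. The following is an added example, not code from the question, the answers, or the Terraform project: it declares a security group whose only ingress rule is port 22 from the Terraform host's own /32, attaches it to the instance, and uses `${self.public_ip}` in the `connection` block as the answer describes. Every `var.*` value is an assumed placeholder to be replaced with your own. Because, as the answer explains, the Go SSH client performs no host-key verification, the narrow ingress CIDR is the control that actually limits who can reach the SSH port during provisioning.

```hcl
# Added example (not from the original page). All variable defaults are
# ASSUMED placeholders; replace them with values from your own account.

variable "provisioner_cidr" {
  description = "Public IP of the host running terraform, as a /32 (ASSUMED placeholder)"
  default     = "198.51.100.10/32"
}

variable "vpc_id"           { default = "vpc-PLACEHOLDER" }      # ASSUMED
variable "subnet_id"        { default = "subnet-PLACEHOLDER" }   # ASSUMED
variable "ami_id"           { default = "ami-PLACEHOLDER" }      # ASSUMED
variable "key_name"         { default = "my-keypair" }           # ASSUMED
variable "private_key_path" { default = "~/.ssh/my-keypair.pem" } # ASSUMED

# Ingress on TCP/22 only from the Terraform host. If Terraform runs behind a
# NAT gateway, provisioner_cidr must be the NAT gateway's public address,
# as the answer notes.
resource "aws_security_group" "ssh_from_provisioner" {
  name        = "ssh-from-provisioner"
  description = "Allow SSH only from the Terraform host"
  vpc_id      = "${var.vpc_id}"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["${var.provisioner_cidr}"]
  }

  # Outbound access is needed for the package install in remote-exec.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "web" {
  ami                         = "${var.ami_id}"
  instance_type               = "t2.micro"
  key_name                    = "${var.key_name}"
  subnet_id                   = "${var.subnet_id}"
  associate_public_ip_address = true
  vpc_security_group_ids      = ["${aws_security_group.ssh_from_provisioner.id}"]

  # Tell Terraform which address to connect to. Use "${self.private_ip}"
  # instead when Terraform itself runs inside the VPC (or over a VPN), and
  # then make the ingress rule admit that private address rather than a
  # public one.
  connection {
    type        = "ssh"
    user        = "ubuntu"   # ASSUMED: depends on the AMI
    host        = "${self.public_ip}"
    private_key = "${file(var.private_key_path)}"
    timeout     = "5m"       # bound the retry loop described in the answer
  }

  provisioner "remote-exec" {
    inline = [
      "sudo apt-get update",
      "sudo apt-get -y install nginx",
    ]
  }
}
```

The interpolation syntax matches the `${self.public_ip}` form used in the answer; Terraform 0.12 and later accept it with a deprecation warning, or you can drop the `${...}` wrapping. Newer releases also accept a `host_key` argument in the SSH `connection` block for verifying the remote host's public key; that is not covered by this page, so check the connection documentation for the Terraform version you run before relying on it.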
1

Most probably it is using the following ssh option:

-o 'StrictHostKeyChecking no'

This is the way to bypass the check. I would add it as a comment more than an answer, but I just can't.

ignivs
  • 449
  • 5
  • 11