
Ssh known_hosts file not found when using Terraform Cloud backend

Open lipelix opened this issue 2 years ago • 9 comments

I'm trying to run Terraform with the Terraform Cloud backend:

  backend "remote" {
    hostname     = "app.terraform.io"
    ...

Unfortunately I'm getting an error about a missing known_hosts file. It is understandable, because there is no such file when Terraform is run by an agent in the Terraform Cloud backend.

╷
│ Error: Could not establish SSH connection: ssh: handshake failed: open /home/tfc-agent/.tfc-agent/component/terraform/runs/run-F92BB72MnVEjm9oF/.ssh/known_hosts: no such file or directory
│ 
│   with provider["registry.terraform.io/aaronstillwell/dokku"],
│   on main.tf line 29, in provider "dokku":
│   29: provider "dokku" {
│ 

On my local machine this works because there is a known_hosts file, but on the remote agent this is a problem, so I'm not able to automate deployment, which is the main issue I wanted to resolve by using this provider 😢.

The issue is coming from the underlying library here -> https://github.com/melbahja/goph/blob/0ae87d82dd767ce23ab243a5e8a969cd98c2c417/hosts.go#L120 (return fmt.Sprintf("%s/.ssh/known_hosts", home), err)

Way to bypass this: It should be possible to disable the known_hosts check completely with a flag (similar to fail_on_untested_version), e.g. the VerifyHost function should always pass when the flag is set.

More bulletproof solution: It would be better to use environment variables as much as possible instead of relying on hardcoded file paths (and os.UserHomeDir() will not save us).

Anyway thanks for your work, I appreciate it 🙏.

lipelix avatar Jan 02 '23 16:01 lipelix

Thanks for your contribution @lipelix!

I've never used HashiCorp's cloud offering, so I am unfamiliar with the constraints of operating Terraform in their environment.

Happy to provide a configuration option to disable verifying the host as you've suggested, that definitely seems like a quick fix.

Could you please elaborate more on what you see as a "more bulletproof" solution? Note that the provider can already be configured via environment variables, e.g. DOKKU_FAIL_ON_UNTESTED_VERSION would be read for the fail_on_untested_version attribute. https://github.com/aaronstillwell/terraform-provider-dokku/blob/3c07bb89d73010a47bbd33332e9ddf4854054e7d/dokku/provider.go#L44

aaronstillwell avatar Jan 02 '23 17:01 aaronstillwell
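The two ideas raised so far (a flag that disables host verification, and configuration through environment variables) pull in different directions security-wise: with verification disabled, the first connection from a Terraform Cloud agent accepts whatever server answers on the SSH port, including one interposed on the network path. The block below is an added example, not code from this provider or from goph, showing that the environment-variable route can keep the check. The known_hosts text is passed in as a string (so a CI job can hand it over from a workspace variable or a checked-in file instead of relying on $HOME/.ssh/known_hosts), and the key the server presents is pinned against it, including hashed host entries and @revoked markers. The host names, the key blob and the way the text is supplied are assumptions for illustration only.

```go
package main

import (
	"bufio"
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"strings"
)

// Fingerprint renders a wire-format public key as `ssh-keygen -lf` does:
// "SHA256:" plus the unpadded base64 of SHA-256 over the key blob.
func Fingerprint(blob []byte) string {
	sum := sha256.Sum256(blob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// HashedHostField builds an OpenSSH hashed host field, |1|salt|HMAC-SHA1(salt, host).
func HashedHostField(host string, salt []byte) string {
	mac := hmac.New(sha1.New, salt)
	mac.Write([]byte(host))
	return "|1|" + base64.StdEncoding.EncodeToString(salt) + "|" +
		base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// hostMatches handles comma-separated plain names and hashed |1|...| entries
// (the HashKnownHosts default on many distributions); wildcards and [host]:port are not handled here.
func hostMatches(field, host string) bool {
	if p := strings.Split(field, "|"); len(p) == 4 && p[1] == "1" {
		salt, err := base64.StdEncoding.DecodeString(p[2])
		return err == nil && hmac.Equal([]byte(HashedHostField(host, salt)), []byte(field))
	}
	for _, name := range strings.Split(field, ",") {
		if name == host {
			return true
		}
	}
	return false
}

// VerifyHostKey is the check a "skip known_hosts" flag would remove: the presented
// key is accepted only if an entry for host with the same key type carries exactly
// that blob and no @revoked entry names it. The known_hosts text is passed in, so a
// CI job can supply it (e.g. from an environment variable) without a home directory.
func VerifyHostKey(knownHosts, host, keyType string, presented []byte) error {
	var known, matched, revoked bool
	sc := bufio.NewScanner(strings.NewReader(knownHosts))
	for sc.Scan() {
		f, marker := strings.Fields(sc.Text()), ""
		if len(f) > 0 && strings.HasPrefix(f[0], "@") {
			marker, f = f[0], f[1:]
		}
		if len(f) < 3 || strings.HasPrefix(f[0], "#") || marker == "@cert-authority" {
			continue // blank, comment, or CA line (host certificates are out of scope here)
		}
		if !hostMatches(f[0], host) || f[1] != keyType {
			continue
		}
		known = true
		blob, err := base64.StdEncoding.DecodeString(f[2])
		if err != nil || subtle.ConstantTimeCompare(blob, presented) != 1 {
			continue
		}
		revoked = revoked || marker == "@revoked"
		matched = matched || marker == ""
	}
	switch {
	case revoked:
		return fmt.Errorf("host key %s for %s is revoked", Fingerprint(presented), host)
	case matched:
		return nil
	case known:
		return fmt.Errorf("host key mismatch for %s: got %s", host, Fingerprint(presented))
	}
	return fmt.Errorf("no known_hosts entry for %s (got %s)", host, Fingerprint(presented))
}

// sampleKeyB64 is a constructed ed25519 public-key blob (key bytes 1..32), not a real
// server key; SampleKnownHosts lists it plainly, hashed, and as revoked for a third host.
const sampleKeyB64 = "AAAAC3NzaC1lZDI1NTE5AAAAIAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8g"

func SampleKnownHosts() string {
	return "# constructed for the example\n" +
		"dokku.example.com,10.0.0.5 ssh-ed25519 " + sampleKeyB64 + "\n" +
		HashedHostField("ci.example.com", []byte("0123456789abcdefghij")) + " ssh-ed25519 " + sampleKeyB64 + "\n" +
		"@revoked old.example.com ssh-ed25519 " + sampleKeyB64 + "\n"
}

func main() {
	key, _ := base64.StdEncoding.DecodeString(sampleKeyB64)
	for _, h := range []string{"dokku.example.com", "ci.example.com", "old.example.com", "other.example.com"} {
		fmt.Printf("%-18s %v\n", h, VerifyHostKey(SampleKnownHosts(), h, "ssh-ed25519", key))
	}
}
```

In practice the known_hosts text would come from `ssh-keyscan -t ed25519 <host>` run once, with the printed fingerprint compared against the server out of band before the line is stored as a workspace variable; the verification stays in place and only its data source moves off the agent's home directory.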

Any updates on this? I was super excited to find and use this, but I'm also trying out the free Terraform Cloud (and liking it a lot) and also encountered this.

Would it be possible to release a new version with a skip_known_hosts_check config option?

pawelad avatar Mar 19 '23 15:03 pawelad

Yep @pawelad, I can investigate a patch update v0.4.4 including tests against dokku v0.30.x and this additional config option.

aaronstillwell avatar Mar 19 '23 18:03 aaronstillwell

Great, thank you! 😊

Let me know if I can help.

pawelad avatar Mar 19 '23 18:03 pawelad

@pawelad please consider using the new config option introduced in v0.4.4 https://github.com/aaronstillwell/terraform-provider-dokku/releases/tag/v0.4.4

I'm going to leave this issue open for feedback. I do not use terraform cloud and didn't see a clear and easy way to write an acceptance test for this feature. It seems fine locally but would appreciate your confirmation.

aaronstillwell avatar Mar 19 '23 19:03 aaronstillwell

Thank you for such a quick reply and release!

But actually, I haven't fully thought this through 😅

I still need to provide the SSH key to set up the dokku provider, but I'm not sure where that will be inside the Terraform Cloud worker. There are docs for adding SSH keys, but for "Cloning Modules", so I'm not sure if it's going to be useful here.

One option I can think of right now would be to allow passing in the SSH key inline, as an alternative to passing the SSH key path, but I'm not sure about other implications.

pawelad avatar Mar 19 '23 21:03 pawelad

@lipelix any insight you can share with us here?

aaronstillwell avatar Mar 20 '23 07:03 aaronstillwell

Looking at it some more, the official dokku GitHub Action (which by definition runs in a non-local environment) uses the "explicitly pass the SSH key" workflow I described above:

https://dokku.com/docs/deployment/continuous-integration/github-actions/ https://github.com/dokku/github-action

Would you be open to adding ssh_key_inline as an alternative to ssh_cert config value? If yes, should I open a new issue?

pawelad avatar Mar 20 '23 11:03 pawelad
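The workflow pawelad points to (pass the key explicitly instead of expecting a file on the worker) still needs the key written somewhere the SSH client can open it, and how that is done matters on a shared runner. The Go function below is an added example, not code from this provider or from the dokku GitHub Action: it takes inline key text, checks that it looks like a PEM-style private key (so an empty secret, or a file path pasted where the key should be, is rejected rather than written out), stores it as a 0600 file inside a fresh 0700 temp directory, normalises the trailing newline, and hands back a cleanup function. The ssh_key_inline name is the option proposed in this thread, not an existing attribute, and the key text is a constructed placeholder.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// WriteInlineKey materialises private-key text received through configuration
// (a hypothetical ssh_key_inline attribute, or an environment variable holding a
// CI secret) into a file an SSH client can read, returning the path and a cleanup
// func. The file is 0600 inside a 0700 temp directory so other users on a shared
// runner cannot read it; the text is sanity-checked first so an empty secret or a
// path pasted by mistake is rejected instead of being written out as a key.
func WriteInlineKey(material string) (path string, cleanup func(), err error) {
	material = strings.TrimSpace(material)
	if !strings.HasPrefix(material, "-----BEGIN ") || !strings.HasSuffix(material, "PRIVATE KEY-----") {
		return "", nil, errors.New("ssh key material is not a PEM-style private key")
	}
	dir, err := os.MkdirTemp("", "dokku-ssh-") // created with mode 0700
	if err != nil {
		return "", nil, err
	}
	cleanup = func() { os.RemoveAll(dir) }
	path = filepath.Join(dir, "id_key")
	// Keys pasted into CI secrets often lose their final newline, which OpenSSH
	// reports as "invalid format"; TrimSpace above plus this newline normalises that.
	if err := os.WriteFile(path, []byte(material+"\n"), 0o600); err != nil {
		cleanup()
		return "", nil, err
	}
	return path, cleanup, nil
}

// KeyFileIsPrivate reports whether a key file has the permissions OpenSSH insists
// on for private keys (no group or other access); a cheap post-write check.
func KeyFileIsPrivate(path string) bool {
	info, err := os.Stat(path)
	return err == nil && info.Mode().IsRegular() && info.Mode().Perm()&0o077 == 0
}

// sampleKey is constructed placeholder text inside the PEM envelope, not a real key.
const sampleKey = "-----BEGIN OPENSSH PRIVATE KEY-----\nbm90IGEgcmVhbCBrZXk=\n-----END OPENSSH PRIVATE KEY-----"

func main() {
	path, cleanup, err := WriteInlineKey(sampleKey)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	defer cleanup()
	fmt.Println(path, "private:", KeyFileIsPrivate(path))
	_, _, err = WriteInlineKey("/home/me/.ssh/id_ed25519")
	fmt.Println("path instead of key:", err)
}
```

The returned path is what would be handed to the existing ssh_cert-style configuration, and cleanup should run when the provider is done so the key does not outlive the run on the worker.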

> Looking at it some more, the official dokku GitHub Action (which by definition runs in a non-local environment) uses the "explicitly pass the SSH key" workflow I described above:
>
> https://dokku.com/docs/deployment/continuous-integration/github-actions/ https://github.com/dokku/github-action
>
> Would you be open to adding ssh_key_inline as an alternative to ssh_cert config value? If yes, should I open a new issue?

This will be a good feature.

m7mdcc avatar Jun 06 '23 15:06 m7mdcc

Came across this after coming back to this project for the first time in a long time, created #16

aaronstillwell avatar Sep 08 '24 11:09 aaronstillwell