
[WIP] proposal for multi-bastion support using ssh_config parsing

Open RomanManz opened this issue 5 years ago • 3 comments

This proposal relates to https://github.com/hashicorp/terraform/issues/14523. It attempts to achieve the multi-bastion support by adding the possibility to specify an ssh_config file. It uses two environment variables, TF_USE_SSH_CONFIG and TF_SSH_CONFIG, in order to enable the feature and to (optionally) override the ssh_config location. Please see the updates in website/docs/provisioners/connection.html.markdown for the limitations. Pros:

  • Small change.
  • Good reuse of the modules, since the feature can be dynamically enabled/disabled.

Cons:

  • The ssh_config file can be very complex and therefore it can be a source for lots of discussions.
  • This may easily outweigh the benefit.

Having said that, it is clear that the very first question should be whether this is really an option worth considering. Regarding the parsing of the ssh_config file, at the moment an external parser is used, adding another dependency. This adds to the question above. Of course, if the overall direction looks okay, thinking about implementing a dedicated ssh_config parser would be obvious, but that clearly makes the change much larger (even if partial-only support would be sufficient).

Example

templates.tf (sorry for the interpolation-only syntax, working on it):

variable "remote_user" { default = "foobarbaz" }
variable "private_key" { default = "~/.ssh/bastiondemo" }
variable "ip" { default = "127.0.0.1" }
resource "null_resource" "bastion-test" {
  provisioner "remote-exec" {
    inline = [
      "id",
      "sleep 10",
      "echo good bye"
    ]
    connection {
      user = "${var.remote_user}"
      host = "${var.ip}"
      private_key = "${file("${var.private_key}")}"
    }
  }
}

Example ssh config (~/.ssh/config.tf.bastiondemo):

IdentityFile ~/.ssh/bastiondemo
Host 127.0.0.1
ProxyJump [email protected],[email protected],[email protected]
Host 127.0.0.3
ProxyJump [email protected]

Output:

$ TF_USE_SSH_CONFIG=yes TF_SSH_CONFIG=~/.ssh/config.tf.bastiondemo ~/workspace/golang/bin/terraform apply --auto-approve
null_resource.bastion-test: Refreshing state... [id=4719087466182994447]
null_resource.bastion-test: Destroying... [id=4719087466182994447]
null_resource.bastion-test: Destruction complete after 0s
null_resource.bastion-test: Creating...
null_resource.bastion-test: Provisioning with 'remote-exec'...
null_resource.bastion-test (remote-exec): Connecting to remote host via SSH...
null_resource.bastion-test (remote-exec):   Host: 127.0.0.1
null_resource.bastion-test (remote-exec):   User: foobarbaz
null_resource.bastion-test (remote-exec):   Password: false
null_resource.bastion-test (remote-exec):   Private key: true
null_resource.bastion-test (remote-exec):   Certificate: false
null_resource.bastion-test (remote-exec):   SSH Agent: true
null_resource.bastion-test (remote-exec):   Checking Host Key: false
null_resource.bastion-test (remote-exec): Using configured bastion host...
null_resource.bastion-test (remote-exec):   Host: 127.0.0.2
null_resource.bastion-test (remote-exec):   User: foo
null_resource.bastion-test (remote-exec):   Password: false
null_resource.bastion-test (remote-exec):   Private key: true
null_resource.bastion-test (remote-exec):   Certificate: false
null_resource.bastion-test (remote-exec):   SSH Agent: false
null_resource.bastion-test (remote-exec):   Checking Host Key: false
null_resource.bastion-test (remote-exec): Using configured bastion host...
null_resource.bastion-test (remote-exec):   Host: 127.0.0.3
null_resource.bastion-test (remote-exec):   User: bar
null_resource.bastion-test (remote-exec):   Password: false
null_resource.bastion-test (remote-exec):   Private key: true
null_resource.bastion-test (remote-exec):   Certificate: false
null_resource.bastion-test (remote-exec):   SSH Agent: false
null_resource.bastion-test (remote-exec):   Checking Host Key: false
null_resource.bastion-test (remote-exec): Using configured bastion host...
null_resource.bastion-test (remote-exec):   Host: 127.0.0.5
null_resource.bastion-test (remote-exec):   User: foobar
null_resource.bastion-test (remote-exec):   Password: false
null_resource.bastion-test (remote-exec):   Private key: true
null_resource.bastion-test (remote-exec):   Certificate: false
null_resource.bastion-test (remote-exec):   SSH Agent: false
null_resource.bastion-test (remote-exec):   Checking Host Key: false
null_resource.bastion-test (remote-exec): Using configured bastion host...
null_resource.bastion-test (remote-exec):   Host: 127.0.0.4
null_resource.bastion-test (remote-exec):   User: baz
null_resource.bastion-test (remote-exec):   Password: false
null_resource.bastion-test (remote-exec):   Private key: true
null_resource.bastion-test (remote-exec):   Certificate: false
null_resource.bastion-test (remote-exec):   SSH Agent: false
null_resource.bastion-test (remote-exec):   Checking Host Key: false
null_resource.bastion-test (remote-exec): Connected!
null_resource.bastion-test (remote-exec): uid=1005(foobarbaz) gid=985(users) groups=985(users)
null_resource.bastion-test: Still creating... [10s elapsed]
null_resource.bastion-test (remote-exec): good bye
null_resource.bastion-test: Creation complete after 11s [id=6924485873513024711]

Warning: Interpolation-only expressions are deprecated

  on templates.tf line 12, in resource "null_resource" "bastion-test":
  12:       user = "${var.remote_user}"

Terraform 0.11 and earlier required all non-constant expressions to be
provided via interpolation syntax, but this pattern is now deprecated. To
silence this warning, remove the "${ sequence from the start and the }"
sequence from the end of this expression, leaving just the inner expression.

Template interpolation syntax is still used to construct strings from
expressions when the template includes multiple interpolation sequences or a
mixture of literal strings and interpolations. This deprecation applies only
to templates that consist entirely of a single interpolation sequence.

(and 2 more similar warnings elsewhere)


Apply complete! Resources: 1 added, 0 changed, 1 destroyed.

RomanManz · Aug 22 '20 23:08
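A minimal version of the dedicated, partial ssh_config parser the proposal contemplates, written here as an added example and not code from this PR or from Terraform: it keeps only the ProxyJump keyword per Host block (exact Host names, no patterns, IdentityFile ignored) and resolves a target's bastion chain recursively, which is what a nested ProxyJump like the one in the example config requires, while refusing configurations whose hops loop back on themselves. Host names and users in the comments are constructed, not the page's.

```go
package main

import (
	"fmt"
	"strings"
)

// ParseProxyJumps maps each Host pattern of an ssh_config to its ProxyJump hops ("user@host"), in the order written.
func ParseProxyJumps(text string) map[string][]string {
	jumps := map[string][]string{}
	cur := "*" // keywords before the first Host line apply globally
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 || strings.HasPrefix(f[0], "#") {
			continue // blank line, comment or keyword without a value
		}
		switch strings.ToLower(f[0]) {
		case "host":
			cur = f[1]
		case "proxyjump":
			jumps[cur] = strings.Split(f[1], ",")
		}
	}
	return jumps
}

// walkJumps appends, in connection order, the hops needed to reach host,
// descending into each hop's own ProxyJump first and refusing loops.
func walkJumps(jumps map[string][]string, host string, onPath map[string]bool, chain []string) ([]string, error) {
	if onPath[host] {
		return nil, fmt.Errorf("ProxyJump loop through %s", host)
	}
	onPath[host] = true
	defer delete(onPath, host)
	for _, hop := range jumps[host] {
		h := hop[strings.LastIndex(hop, "@")+1:] // strip the optional user@ part
		sub, err := walkJumps(jumps, h, onPath, chain)
		if err != nil {
			return nil, err
		}
		chain = append(sub, hop)
	}
	return chain, nil
}

// BastionChain resolves the bastions Terraform would have to open, in order,
// before reaching target; the last entry is the hop adjacent to target.
// Constructed input "Host t / ProxyJump a@j1,b@j2" with "Host j2 / ProxyJump c@j3" yields a@j1, c@j3, b@j2.
func BastionChain(jumps map[string][]string, target string) ([]string, error) {
	return walkJumps(jumps, target, map[string]bool{}, nil)
}
```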

CLA assistant check
All committers have signed the CLA.

hashicorp-cla · Aug 22 '20 23:08

This proposition is AWESOME! This is mandatory today with the complexity and needed security of our infrastructure!

Is it planned to be merged?

jadjay · Dec 08 '20 10:12

Changelog Warning

Currently this PR would target a v1.13 release. Please add a changelog entry in the .changes/v1.13 folder, or discuss which release you'd like to target with your reviewer. If you believe this change does not need a changelog entry, please add the 'no-changelog-needed' label.

github-actions[bot] · May 19 '25 14:05