AndrewChubatiuk / terraform-provider-ssh

This provider enables SSH port forwarding in Terraform.
Mozilla Public License 2.0

SSH Tunnel seems to close early on a refreshing state #7

Closed CWDN closed 2 years ago

CWDN commented 2 years ago

Hi, thanks for this provider; it has really helped us be able to manage our DB from Terraform, as we access our DB via a jumpbox/bastion. However, I am running into an issue now that the resources are in Terraform state: it doesn't seem to be able to refresh.

Let me know if there's anything else you need.

Terraform Version

Terraform v1.1.9
on linux_amd64
+ provider registry.terraform.io/andrewchubatiuk/ssh v0.1.5
+ provider registry.terraform.io/hashicorp/aws v4.15.1
+ provider registry.terraform.io/hashicorp/local v2.2.3
+ provider registry.terraform.io/paynetworx/mysql v1.12.7

Affected Resource(s)

Terraform Configuration Files

data.tf

data "ssh_tunnel" "db_bastion" {
  user = var.ssh_user
  auth {
    private_key {
      content = data.local_sensitive_file.ssh_key.content
    }
  }
  server {
    host = "*******"
    port = 22
  }

  local {
    host = "127.0.0.1"
  }

  remote {
    host = aws_rds_cluster.cluster.endpoint
    port = aws_rds_cluster.cluster.port
  }
}

data "local_sensitive_file" "ssh_key" {
    filename = "/root/.ssh/${var.ssh_key_name}"
}

main.tf

provider "mysql" {
  endpoint = data.ssh_tunnel.db_bastion.local.0.address
  username = "my-user"
  password = data.aws_kms_secrets.database.plaintext["master_password"]
}

resource "mysql_user" "root_user" {
  user               = "my-user"
  host               = "%"
  plaintext_password = data.aws_kms_secrets.database.plaintext["master_password"]
}

resource "mysql_grant" "root_forced_ssl" {
  user       = "my-user"
  host       = "%"
  database   = "*"
  privileges = ["USAGE"]
  tls_option = "SSL"
}

Debug Output

https://gist.github.com/CWDN/006389f6056d2a594aa2b349c647c190

I've had to remove certain bits as they are sensitive to the company I work for.

Expected Behavior

Ran a terraform plan and expected to see no changes needed for the infrastructure and the plan to complete.

Actual Behavior

The plan hangs and eventually I get a "couldn't connect to the tunnel" error:

Error: Could not connect to server: dial tcp 127.0.0.1:39223: connect: connection refused
│ 
│ 
╵
╷
│ Error: Could not connect to server: dial tcp 127.0.0.1:39223: connect: connection refused
│ 
│   with mysql_user.root_user,
│   on mysql.tf line 7, in resource "mysql_user" "root_user":
│    7: resource "mysql_user" "root_user" {
│ 
╵
│ 

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. Create a MySQL user and grant through an SSH tunnel.
  2. Run terraform plan afterwards.
  3. See the hang.

Important Factoids

We use an EC2 instance for a jumpbox which then allows us to connect to an Aurora MySQL instance.

It was successful when creating the resources and there was no existing state. However now there's state it doesn't seem to be able to refresh.

Furthermore, I didn't seem to be able to import the user, as I got the same hanging issue.

I did look at the running processes/open ports and there was nothing there, so I'm assuming the SSH tunnel is closing early.

CWDN commented 2 years ago

Okay, worked this out: it was due to me enabling enforced SSL on the MySQL user; it was MySQL rejecting the request as it wasn't being done over TLS. Nothing to do with your module.
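The point behind that resolution is worth spelling out, because it trips up anyone who tunnels to a database: the SSH tunnel encrypts the hop to the bastion, but MySQL still sees a plain TCP session arriving from it, so a user granted with `tls_option = "SSL"` (MySQL's `REQUIRE SSL`) is refused unless the client negotiates TLS inside the tunnel as well. The configuration below is an added example, not code from the issue or from either provider's documentation. It reuses the resource names from the issue and assumes the `tls` provider argument of hashicorp/terraform-provider-mysql (values `"false"`, `"true"`, `"skip-verify"`); whether the paynetworx fork used here accepts the same argument is an assumption.

```hcl
# Before (as in the issue): no `tls` argument, so the provider opens a
# plaintext MySQL session inside the SSH tunnel. Once the grant below
# requires SSL for the account, MySQL rejects that session.
#
# provider "mysql" {
#   endpoint = data.ssh_tunnel.db_bastion.local.0.address
#   username = "my-user"
#   password = data.aws_kms_secrets.database.plaintext["master_password"]
# }

# After: the session that travels through the tunnel negotiates TLS with
# MySQL itself, so the REQUIRE SSL check on the account is satisfied.
provider "mysql" {
  endpoint = data.ssh_tunnel.db_bastion.local.0.address
  username = "my-user"
  password = data.aws_kms_secrets.database.plaintext["master_password"]

  # "true" encrypts and verifies the server certificate against the trust
  # store of the host running Terraform. Aurora/RDS certificates chain to
  # the Amazon RDS CA, so that CA bundle must be trusted on that host, or
  # the handshake fails with a certificate error. "skip-verify" encrypts
  # without authenticating the server; it silences the error but gives up
  # the protection the grant was meant to enforce.
  tls = "true"
}

resource "mysql_user" "root_user" {
  user               = "my-user"
  host               = "%"
  plaintext_password = data.aws_kms_secrets.database.plaintext["master_password"]
}

# Equivalent to GRANT USAGE ON *.* TO 'my-user'@'%' REQUIRE SSL.
# From the next login on, this account is accepted only over TLS, whether
# the client arrives directly, through the bastion, or through Terraform.
resource "mysql_grant" "root_forced_ssl" {
  user       = "my-user"
  host       = "%"
  database   = "*"
  privileges = ["USAGE"]
  tls_option = "SSL"
}
```

A quick way to confirm the requirement actually took hold on the server side is `SELECT user, host, ssl_type FROM mysql.user WHERE user = 'my-user';` over any session that can read `mysql.user`; an `ssl_type` of `ANY` means the account will refuse plaintext logins from then on, which is what the original plan ran into.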