Open sean-freeman opened 1 year ago
Hi, in Ansible it is possible to define almost any Ansible setting using (magic) variables, which is why we chose to use this 1-to-1 mapping implementation and why variables
(in ansible_host
and ansible_group
resources) is named variables
, since you don't necessarily have to pass in/define only Ansible connection settings. With this explanation aside, it wouldn't be possible to rename variables
to connection
since the word connection
is a reserved word used by Terraform provisioners and ansible_host
and ansible_group
are not provisioners but resources. At most, we could rename it to something like connection_settings
or connection_setup
instead.
Hi @anazobec
I understand the principle behind variables
implementation for both Terraform Resources ansible_host
and ansible_group
. This is a flexible approach that allows the 1-to-1 mapping, that makes sense.
However, I would encourage further design research for _(connection_settings
or connection_setup
as you suggested)_ dynamically generating the Ansible connection settings.
To be verbose about the intent behind this GH Issue....
Terraform Resource "null_resource" with provisioner "remote-exec".... connection:
- Target Host
- OS User
- IP
- Private Key PEM as string... [NOT using Private Key PEM
file path
as string]- Bastion Host
- OS User
- IP
- Private Key PEM as string... [NOT using Private Key PEM
file path
as string]
Terraform Resource ansible_host or ansible_group.... variables:
- Target Host
- OS User
- IP
- Private Key
file path
as string [UNSECURE, requires PEM file on Terraform execution host]- Bastion Host
- OS User
- IP
- Private Key
file path
as string [UNSECURE, requires PEM file on Terraform execution host]
The private key contents should be ephemeral / in-memory during the Terraform execution for security purposes. The user should not have to output the SSH Private Key PEM file contents to the Terraform execution host, before any Ansible Inventory can be built for an Ansible Playbook execution.
@anazobec any further update please?
@tima seems like a critical functional hole with security implications, is anybody looking at this?
@65156 It has been ignored, and it breaks all potential usage of this Terraform Provider with any 'runner' implementations (e.g. Terraform Cloud/Enterprise, Spacelift, Env0, Azure DevOps Pipelines, IBM Cloud Schematics etc etc) for calling Terraform > Ansible. Only @mandar242 is committing code for the past 12 months.
Hi @sean-freeman . Thank you for the detailed information about the use case in this ticket, the examples are super helpful. You're right, running this provider in another pipeline is not a deployment scenario that is currently optimized for in this provider.
We are continuing to expand our support of Terraform based workflows with Ansible, so while contributions in this particular repo have been slower in the last few months we are still investing in this area overall. @tima is at configmgmt camp this week (where he presented on orchestrating Terraform with Ansible earlier today https://cfp.cfgmgmtcamp.org/2024/talk/KQHVVK/), I'd like him to chime in on this one when he gets back.
ansible_host: add to inventory without using private key files
TL;DR = The Terraform Provider for Ansible, is not using similar developer best practice measures as available with Terraform Provisioners. See SSH Connection documentation > https://developer.hashicorp.com/terraform/language/resources/provisioners/connection
Problem
Using this Terraform Provider for Ansible, still requires an SSH Private Key on the Terraform execution host's filesystem (e.g. in
/tmp
); the private key contents should be ephemeral to Terraform / in-memory during the Terraform execution for security purposes.When defining the
ansible_host
, it should have the correct args to generate an Ansible Inventory - similar to ansible.builtin.add_host moduleSee code snippets below for:
Standard Ansible Inventory file
Sample file of Problem
Suggestion for Terraform Resource structure of ansible_host