dmacvicar / terraform-provider-libvirt

Terraform provider to provision infrastructure with Linux's KVM using libvirt
Apache License 2.0

SSH Key Auth not working on Terraform Cloud #1011

Open jseparovic opened 1 year ago

jseparovic commented 1 year ago

System Information

Terraform Cloud

Description of Issue/Question

When trying to configure SSH Key authentication using Terraform Cloud, plan fails with the following error:

Error: failed to dial libvirt: could not configure SSH authentication methods

When using ssh password authentication the plan works no problem.

Are there any examples of how to use SSH keys with Terraform Cloud?

Setup

https://github.com/jseparovic/terraform-cloud-test/blob/main/main.tf

terraform {
  required_providers {
    libvirt = {
      source = "dmacvicar/libvirt"
      version = "0.7.1"
    }
  }
}

variable "private_key" {
  description = "Private Key to use in SSH Connection"
  type        = string
}

variable "password" {
  description = "Password to use in SSH Connection"
  type        = string
}

variable "target_host" {
  description = "The target host"
  type        = string
}

variable "key_file" {
  description = "The private key file"
  type        = string
  default     = "terraform_id_rsa"
}

resource "local_sensitive_file" "private_key" {
  content = var.private_key
  filename = var.key_file
  file_permission = "0600"
}

provider "libvirt" {
  #uri   = "qemu+ssh://root:${var.password}@${var.target_host}/system?sshauth=ssh-password&no_verify=1"
  uri   = "qemu+ssh://root@${var.target_host}/system?sshauth=privkey&keyfile=${var.key_file}&no_verify=1"
}

resource "libvirt_volume" "vm-image" {
  name   = "vm-image"
  source = "/images/vm-image.qcow2"
}

resource "libvirt_volume" "remotehost-qcow2" {
  name     = "remotehost-qcow2"
  format   = "qcow2"
  size     = 17179869184
  base_volume_id = libvirt_volume.vm-image.id
}

resource "libvirt_domain" "remotehost-domain" {
  provider = libvirt
  name     = "vm-a"
  memory   = "8192"
  vcpu     = 4

  disk {
    volume_id = libvirt_volume.remotehost-qcow2.id
  }
}

Steps to Reproduce Issue

jseparovic commented 1 year ago

After adding DEBUG logs to Terraform Cloud I can see that the key file is not found. [ERROR] Failed to read ssh key: open terraform_id_rsa: no such file or directory

So it looks like the plan fails because it is validating a file that does not yet exist. Is there some way to prevent this check, as the file will be created in the run?

jseparovic commented 1 year ago

Looks like the only way to make this work is to put the private key in the git repo linked to the Terraform Cloud workspace. Not ideal, I would much rather use a sensitive variable directly in Terraform Cloud.

This does work now after adding the key to .ssh/id_rsa in my git repo

provider "libvirt" {
  uri   = "qemu+ssh://root@${var.target_host}/system?sshauth=privkey&keyfile=${path.module}/.ssh/id_rsa&no_verify=1"
}

There has to be a better way... I'd probably choose a long root password over this.

scabala commented 2 months ago

Hi @jseparovic could you check if this also happens when running Terraform locally? Also, could you check using latest provider version?

bashfulrobot commented 1 month ago

I am running into this as I was migrating my state to TF cloud. When I run locally, it works without issue.

scabala commented 1 month ago

Hi @bashfulrobot what paths are you using for the keys? Also, is the key password protected?

bashfulrobot commented 1 month ago

Just the default ~/.ssh/id_* files.

They do have a password that is cached in my keychain. I had been using this setup for months.

scabala commented 1 month ago

Password protection might be an issue here. I do not know if there's any possibility to provide a password in Terraform Cloud - I highly doubt it.