equinix / terraform-equinix-metal-anthos-on-baremetal

Terraform module for quick deployment of baremetal Anthos on Equinix Metal
https://registry.terraform.io/modules/equinix/anthos-on-baremetal
Apache License 2.0

Terraform script error for Google Anthos Baremetal Setup #29

Closed rameshn-git closed 3 years ago

rameshn-git commented 3 years ago

I get an error during SSH key creation, at line 35 of the main.tf Terraform script:

line 35: "resource "metal_ssh_key" "ssh_pub_key" {"

I get an "error: not found". I noticed, though, that there is a public key created in Packet in my project and a private key in my .ssh folder. But because of the error, the script fails at this point.

displague commented 3 years ago

Thanks for reporting this, @rameshn-git.

A few questions:

rameshn-git commented 3 years ago

Hi Marques, I used git clone to download git clone https://github.com/equinix/terraform-metal-anthos-on-baremetal.git and I am just doing a terraform apply --auto-approve per instructions in the readme.md on the site.

rameshn-git commented 3 years ago

  • Did you pull this project down through git clone or are you using it from the Terraform module interface (terraform init -from-module)?

git clone https://github.com/equinix/terraform-metal-anthos-on-baremetal.git

  • Which version? v0.3.0 is latest

Version of what? I am using what I got from the clone that I pulled just in the last few days.

  • Which OS are you running this from?

It is Google Linux based on Debian.

  • What local path did you clone to and how are you running the command (I'm wondering if there may be characters in the directory name that the project is not handling). Is this a local volume?

/usr/local/google/home/nagarajanra/baremetal/node-preparation/terraform/packet/terraform-metal-anthos-on-baremetal

  • Are you embedding this project as a Terraform module?

No

c0dyhi11 commented 3 years ago

@rameshn-git

I'm unsure why this would happen.

This line is uploading the public key that is already generated...

Possibly an API bug? Is this consistent? Or have you tried again?

rameshn-git commented 3 years ago

Yes, that was my impression as well. And strangely it does upload the public key to Packet, as I can see it in Packet, but then it errors out. If I run it again, it then complains that the key already exists :)

c0dyhi11 commented 3 years ago

@rameshn-git Did you ever find a resolution to this? Have you tried running this code from a GCE VM maybe?

rameshn-git commented 3 years ago

No, kind of abandoned it for the moment as I got busy with something else. I am using a cloudtop in GCP at the moment.

c0dyhi11 commented 3 years ago

@rameshn-git I think we had someone else hit this as well. The issue seems to be a change in the way SSH keys are created for projects. And I guess you need to be an Admin on the Equinix Metal project in order to "Read" these keys. But anyone can create them. I think we can change this ssh key to be a user ssh key rather than a project ssh key.

c0dyhi11 commented 3 years ago

@displague This seems like a bug in the Terraform provider or the Equinix Metal API. We need a non-admin user "Collaborator" to be able to generate an ssh-key on the fly and upload it to Equinix Metal. This used to work... Something has changed. Can you escalate this please?

c0dyhi11 commented 3 years ago

2021/01/22 23:34:00 [DEBUG] metal_ssh_key.ssh_pub_key: applying the planned Create change
2021-01-22T23:34:00.127Z [DEBUG] plugin.terraform-provider-metal_v1.0.0: 2021/01/22 23:34:00 [DEBUG] POST https://api.equinix.com/metal/v1/ssh-keys
2021-01-22T23:34:00.127Z [DEBUG] plugin.terraform-provider-metal_v1.0.0: 2021/01/22 23:34:00 [DEBUG] Equinix Metal API Request Details:
2021-01-22T23:34:00.127Z [DEBUG] plugin.terraform-provider-metal_v1.0.0: ---[ REQUEST ]---------------------------------------
2021-01-22T23:34:00.127Z [DEBUG] plugin.terraform-provider-metal_v1.0.0: POST /metal/v1/ssh-keys HTTP/1.1
2021-01-22T23:34:00.127Z [DEBUG] plugin.terraform-provider-metal_v1.0.0: Host: api.equinix.com
2021-01-22T23:34:00.127Z [DEBUG] plugin.terraform-provider-metal_v1.0.0: User-Agent: packngo/0.5.1
2021-01-22T23:34:00.127Z [DEBUG] plugin.terraform-provider-metal_v1.0.0: Connection: close
2021-01-22T23:34:00.127Z [DEBUG] plugin.terraform-provider-metal_v1.0.0: Content-Length: 781
2021-01-22T23:34:00.127Z [DEBUG] plugin.terraform-provider-metal_v1.0.0: Accept: application/json
2021-01-22T23:34:00.127Z [DEBUG] plugin.terraform-provider-metal_v1.0.0: Content-Type: application/json
2021-01-22T23:34:00.127Z [DEBUG] plugin.terraform-provider-metal_v1.0.0: X-Auth-Token: #### REMOVED #####
2021-01-22T23:34:00.127Z [DEBUG] plugin.terraform-provider-metal_v1.0.0: X-Consumer-Token: #### REMOVED #####
2021-01-22T23:34:00.127Z [DEBUG] plugin.terraform-provider-metal_v1.0.0: Accept-Encoding: gzip
2021-01-22T23:34:00.127Z [DEBUG] plugin.terraform-provider-metal_v1.0.0: 
2021-01-22T23:34:00.127Z [DEBUG] plugin.terraform-provider-metal_v1.0.0: {
2021-01-22T23:34:00.127Z [DEBUG] plugin.terraform-provider-metal_v1.0.0:  "label": "anthos-cluster-bot02",
2021-01-22T23:34:00.127Z [DEBUG] plugin.terraform-provider-metal_v1.0.0:  "key": "ssh-rsa [key material removed]"
2021-01-22T23:34:00.127Z [DEBUG] plugin.terraform-provider-metal_v1.0.0: }
2021-01-22T23:34:00.127Z [DEBUG] plugin.terraform-provider-metal_v1.0.0: 
2021-01-22T23:34:00.127Z [DEBUG] plugin.terraform-provider-metal_v1.0.0: -----------------------------------------------------
2021-01-22T23:34:00.202Z [DEBUG] plugin.terraform-provider-metal_v1.0.0: 2021/01/22 23:34:00 [DEBUG] Equinix Metal API Response Details:
2021-01-22T23:34:00.202Z [DEBUG] plugin.terraform-provider-metal_v1.0.0: ---[ RESPONSE ]--------------------------------------
2021-01-22T23:34:00.202Z [DEBUG] plugin.terraform-provider-metal_v1.0.0: HTTP/1.1 404 Not Found
2021-01-22T23:34:00.202Z [DEBUG] plugin.terraform-provider-metal_v1.0.0: Connection: close
2021-01-22T23:34:00.202Z [DEBUG] plugin.terraform-provider-metal_v1.0.0: Cache-Control: no-cache
2021-01-22T23:34:00.202Z [DEBUG] plugin.terraform-provider-metal_v1.0.0: Content-Type: application/json; charset=utf-8
2021-01-22T23:34:00.202Z [DEBUG] plugin.terraform-provider-metal_v1.0.0: Date: Fri, 22 Jan 2021 23:34:00 GMT
2021-01-22T23:34:00.202Z [DEBUG] plugin.terraform-provider-metal_v1.0.0: Server: nginx/1.19.0
2021-01-22T23:34:00.202Z [DEBUG] plugin.terraform-provider-metal_v1.0.0: Strict-Transport-Security: max-age=15724800; includeSubDomains
2021-01-22T23:34:00.202Z [DEBUG] plugin.terraform-provider-metal_v1.0.0: Vary: Accept-Encoding
2021-01-22T23:34:00.202Z [DEBUG] plugin.terraform-provider-metal_v1.0.0: X-Request-Id: 0e4a59c6b45aa23e132a9e00d6acfea9
2021-01-22T23:34:00.202Z [DEBUG] plugin.terraform-provider-metal_v1.0.0: 
2021-01-22T23:34:00.202Z [DEBUG] plugin.terraform-provider-metal_v1.0.0: {
2021-01-22T23:34:00.202Z [DEBUG] plugin.terraform-provider-metal_v1.0.0:  "errors": [
2021-01-22T23:34:00.202Z [DEBUG] plugin.terraform-provider-metal_v1.0.0:   "Not found"
2021-01-22T23:34:00.202Z [DEBUG] plugin.terraform-provider-metal_v1.0.0:  ]
2021-01-22T23:34:00.202Z [DEBUG] plugin.terraform-provider-metal_v1.0.0: }
2021-01-22T23:34:00.202Z [DEBUG] plugin.terraform-provider-metal_v1.0.0: -----------------------------------------------------
2021/01/22 23:34:00 [DEBUG] metal_ssh_key.ssh_pub_key: apply errored, but we're indicating that via the Error pointer rather than returning it: Not found

Above is the Terraform Debug information for this transaction.
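
Before a debug trace like the one above is posted publicly, the credential headers have to be stripped, and the failing call is easier to spot when each request line is paired with the response status that follows it. The following is an added example, not part of the original thread or the project's code, that does both for TF_LOG output in the format shown; the sample log, its token value and the `[REDACTED]` marker are constructed.

```python
import re

# Header names come from the trace on this page; "[REDACTED]" is an assumed marker.
SECRET = re.compile(r"^(X-Auth-Token|X-Consumer-Token): .*$", re.I)
PREFIX = re.compile(r"^\S+ \[DEBUG\] plugin\.[\w.-]+: ?")
REQ_LINE = re.compile(r"^(GET|POST|PUT|PATCH|DELETE) (\S+) HTTP/\d\.\d$")
RESP_LINE = re.compile(r"^HTTP/\d\.\d (\d{3})\b")

# Constructed sample in the same layout as the provider's debug output.
P = "2021-01-22T23:34:00.127Z [DEBUG] plugin.terraform-provider-metal_v1.0.0: "
SAMPLE = "\n".join([
    P + "POST /metal/v1/ssh-keys HTTP/1.1",
    P + "X-Auth-Token: CONSTRUCTED-not-a-real-token",
    P + "Accept-Encoding: gzip",
    P + "HTTP/1.1 404 Not Found",
])


def redact(log_text):
    """Replace credential header values, keeping the plugin log prefix intact."""
    out = []
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        head, body = (line[:m.end()], line[m.end():]) if m else ("", line)
        s = SECRET.match(body)
        out.append(head + s.group(1) + ": [REDACTED]" if s else line)
    return "\n".join(out)


def failed_calls(log_text):
    """Pair each HTTP request line with the next status line; keep non-2xx."""
    failures, pending = [], None
    for line in log_text.splitlines():
        body = PREFIX.sub("", line)
        req, resp = REQ_LINE.match(body), RESP_LINE.match(body)
        if req:
            pending = (req.group(1), req.group(2))
        elif resp and pending:
            status = int(resp.group(1))
            if not 200 <= status < 300:
                failures.append((pending[0], pending[1], status))
            pending = None
    return failures


if __name__ == "__main__":
    print(redact(SAMPLE))
    print(failed_calls(SAMPLE))
```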

displague commented 3 years ago

The issue with managing SSH keys with a Project API key is noted here: https://github.com/packethost/terraform-provider-packet/issues/287 (I'll move that issue over to the metal project. Updated: GH does not allow for transferring issues across orgs).

This has also been discussed here:

The short answer is to use a user API key because project API keys have this limitation and a few others. I think the key used by this project will need to use the BGP session management endpoints, and those will not succeed with a project API key.

c0dyhi11 commented 3 years ago

This is not an API key. This is an SSH key. And Collaborator users can't create or change BGP on their project. So this must be done using an existing project, and that is already documented.

displague commented 3 years ago

The Metal API endpoint that allows for SSH keys to be associated with a project returns a 404, despite creating the SSH key. The 404 is only returned when the Metal API was accessed with a "Project API key" rather than a "User API key".

You should find that a Metal project Collaborator can perform all of these API actions (manage BGP, manage SSH keys) without error using a User API key (https://console.equinix.com/users/{id}/api-keys) rather than a Project API key (https://console.equinix.com/projects/{id}/settings/api-keys).

c0dyhi11 commented 3 years ago

@displague You are correct. We should make it more clear that they need a "User API Key". We had a member of our team run it this way... And there are no issues.

@rameshn-git Please generate and use a "User API Key" by clicking on your profile on the top right "Hello, <name>" and choosing "API Keys"

If you use that API key this should all work fine. Also double check that you have enabled BGP on your project. And that you did not set a password for BGP peering.

displague commented 3 years ago

On the Equinix Metal API side, we are investigating the "404" problem.

Depending on how this is resolved we may be able to try again with Project API keys. I expect we may run into CCM problems with project keys, but I'm not certain.

rameshn-git commented 3 years ago

@c0dyhi11 thanks for digging into this. will review

displague commented 3 years ago

Provisioning a project SSH key with a project API key now succeeds. The Equinix Metal API now returns a 201 instead of 404. The project SSH key can also be safely read and destroyed with a project API key.

Please reopen this @rameshn-git if you encounter the same problem. If you encounter a different error when using a project API key (as I suspect you may), please open a new issue.

Thanks again for identifying this problem!