hashicorp / terraform-aws-consul

A Terraform Module for how to run Consul on AWS using Terraform and Packer
Apache License 2.0

Could not find consul command. Aborting. #210

Closed krishanhettihewa closed 3 years ago

krishanhettihewa commented 3 years ago

Today I just happened to notice that, though consul-install ran successfully, checking the version of consul might fail if we call this module remotely, such as by using Packer.

The reason is that when the command is executed, it is executed as the currently logged-in user (e.g. ubuntu). There is a possibility that a normal user like ubuntu (a non-sudo user) might not have permission to execute /opt/consul/bin/consul. Even though we have the softlink /usr/local/bin/consul > /opt/consul/bin/consul, due to the lack of permissions on /opt/consul/bin/consul the command fails, and because of this the exit status is 1.

This most probably happens if we use a hardened base image. I have noticed it works well when using a general Ubuntu base image, but does not work when we use our hardened base image.

if command -v consul; then log_info "Consul install complete!"; else log_info "Could not find consul command. Aborting."; exit 1; fi

https://github.com/hashicorp/terraform-aws-consul/blob/ae88203ccb739ad67448812025b6788a5737f607/modules/install-consul/install-consul#L303

brikis98 commented 3 years ago

Ah, interesting. So do we need a sudo in that command?

krishanhettihewa commented 3 years ago

Thanks for the response @brikis98. Yes, I hope so. It works well with sudo permissions.

brikis98 commented 3 years ago

OK, would you be up for a quick PR to make that change?

yardbirdsax commented 3 years ago

@brikis98 @krishanhettihewa I fixed this in the PR linked above, albeit in a slightly different way, which was to grant read / execute access to everyone on the Consul binary install path. This way the script works as intended (I tested it while calling it with Packer) and also if someone logs in to an instance as a different user they can still execute the Consul binary for troubleshooting / admin purposes.

yardbirdsax commented 3 years ago

Actually please hold, there might be another issue.

yardbirdsax commented 3 years ago

Okay we're good now. I ended up going the sudo route after all. I was having to tweak all sorts of permissions to get it working and in the end I didn't want to assume that those permissions should be there on someone's hardened image. This way the script works and it's left up to the user to determine the correct permissions for their needs.
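The lookup failure discussed in this thread can be diagnosed as the unprivileged user before deciding between sudo and a permissions change. The following is an added example, not part of the issue or of the module's install-consul script; the function name `explain_lookup` and its status labels are assumptions made for illustration. It walks a PATH, follows the symlink, and reports whether the binary or one of its parent directories denies the current user execute or search permission, which is what makes `command -v` come back empty.

```shell
# Added example (not from the module): explain why `command -v NAME` finds nothing.
# Usage: explain_lookup NAME [PATH-string]; prints one status line, returns 0 if runnable.
explain_lookup() {
  local name="$1" search_path="${2:-$PATH}" dir entry target link hops parent blocked
  local IFS=':'
  for dir in $search_path; do
    entry="${dir:-.}/$name"
    [ -e "$entry" ] || [ -L "$entry" ] || continue
    # Follow symlinks one hop at a time (e.g. /usr/local/bin/consul -> /opt/consul/bin/consul).
    target="$entry"; hops=0
    while [ -L "$target" ] && [ "$hops" -lt 8 ]; do
      link="$(readlink "$target")"
      case "$link" in
        /*) target="$link" ;;
        *)  target="$(dirname "$target")/$link" ;;
      esac
      hops=$((hops + 1))
    done
    # Walk upwards; the last directory recorded is the topmost one lacking search (x) permission.
    blocked=""; parent="$(dirname "$target")"
    while [ "$parent" != "/" ] && [ "$parent" != "." ]; do
      [ -d "$parent" ] && [ ! -x "$parent" ] && blocked="$parent"
      parent="$(dirname "$parent")"
    done
    if [ -n "$blocked" ]; then echo "NO_TRAVERSE $blocked"; return 1; fi
    if [ ! -e "$target" ]; then echo "DANGLING $entry -> $target"; return 1; fi
    if [ ! -x "$target" ]; then echo "NOT_EXECUTABLE $target"; return 1; fi
    echo "OK $target"; return 0
  done
  echo "NOT_IN_PATH $name"; return 1
}

# Stand-alone run: check the current user's view of consul (or the name given as $1).
explain_lookup "${1:-consul}" || true
```

Run it as the same user Packer connects as; `NO_TRAVERSE` and `NOT_EXECUTABLE` both correspond to the hardened-image case described above, while `NOT_IN_PATH` means the symlink itself is missing.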