Open salecharohit opened 1 year ago
Hey @salecharohit 👋 Thank you for taking the time to raise this! I took a look around to try to determine what was going on here and stumbled across this comment from a previous, similar issue. As mentioned in that comment, I notice that you're not supplying the security_groups, so perhaps that is the cause of your issue?
I did also note that in a later comment on the same thread, someone mentioned that http_endpoint being set to disabled may cause issues, though I've been unable to find any supporting documentation on the AWS side that would indicate that.
Regardless, this doesn't appear to be a bug with the provider, but rather a configuration issue. We try to keep the Issues section of this repository scoped to bugs and feature requests, and ask that questions be raised in one of the community resources, such as the AWS Provider forum. You may have better luck raising this there. I'll leave this open for now, in case you have any follow up questions before we close this out in favor of one of those resources.
Hi @justinretzolk, the security group has been provided; you can view this debug log: https://gist.github.com/salecharohit/c3c7dfb5d024bcdb950b2858c639e555. The security group is being created on port 22. As mentioned in the issue, if I comment out
metadata_options {
  http_endpoint = "disabled"
}
everything works absolutely fine. So the problem is with this specific configuration, which is somehow interfering with the SSH authentication.
Hey @justinretzolk, any update on this? Do you need more information?
Hey @justinretzolk, you can replicate this issue by simply executing this project I created, https://github.com/salecharohit/my-cloud-desktop, by uncommenting these lines: https://github.com/salecharohit/my-cloud-desktop/blob/aba1e2c950961d3b022e1d99a04ed2b5700dc234/ec2.tf#L53 What I fail to understand is how come SSH access is being interfered with http_endpoints being disabled.
https://stackoverflow.com/questions/65035324/unable-to-ssh-into-aws-ec2-instance-with-instance-metadata-turned-off there is also a SO question on this same issue.
Hey @salecharohit 👋 Thank you for the additional information! At this point, I believe that we have all of the information that we'll need in order to look into this. Unfortunately I can't provide an ETA on when this will be looked into due to the potential of shifting priorities. We prioritize by count of :+1: reactions and a few other things (more information on our prioritization guide if you're interested).
Hi @justinretzolk, do have a look here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-new-instances.html#configure-IMDS-new-instances--turn-off-instance-metadata One of my friends shared this. It seems you cannot fix this.
Terraform Core Version
v1.3.7
AWS Provider Version
4.54.0
Affected Resource(s)
Expected Behavior
Terraform Apply should work through fine and remote_exec should connect and execute
Actual Behavior
Throws an error as shown which is an SSH error when remote_exec tries to connect.
However, if I disable the following lines, it all works smoothly: terraform apply works and remote_exec connects and executes the script.
Additionally, the SSH key generated is unable to connect and throws the same error.
Relevant Error/Panic Output Snippet
Terraform Configuration Files
Steps to Reproduce
terraform init
terraform apply
Debug Output
https://gist.github.com/salecharohit/c3c7dfb5d024bcdb950b2858c639e555
Panic Output
No response
Important Factoids
I need to build a bastion host with IMDS disabled by default as a security requirement and hence I need to use the following metadata configuration in the aws_instance resource.
What I fail to understand is why, or rather how, this step/feature is interfering with SSH communications. Why does remote_exec need to contact the IMDS service when all it really needs is an SSH private key, which is being provided?
References
Other similar issues I looked at prior to filing this error https://github.com/hashicorp/terraform/issues/31146 https://github.com/hashicorp/terraform/issues/27768
https://github.com/hashicorp/terraform/issues/32754 issue was reported here earlier and was asked to redirect
Would you like to implement a fix?
No