hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io/

Add Certificate Authentication for WinRM connection. #23096

Open pateljin opened 5 years ago

pateljin commented 5 years ago

Reading from the existing provisioner docs, WinRM only works with user and password type authentication.

It would be nice if Terraform could allow authenticating using client certificate based auth, which WinRM supports. This link is just for reference from Microsoft (https://docs.microsoft.com/en-us/windows/win32/winrm/authentication-for-remote-connections#client-certificate-based-authentication)

Current Terraform Version

Terraform v0.11.11
+ provider.external v1.2.0
+ provider.local v1.4.0
+ provider.null v2.1.0
+ provider.random v2.1.0

Use-cases

To have passwordless authentication with WinRM, just like SSH private_key.

This also solves the issue where, if someone changes the user's password (which on Windows OS is quite normal), certificate based authentication can still allow Terraform to manage resources via WinRM.

Attempted Solutions

Nothing comes to mind for passwordless auth for WinRM via Terraform.

One way to solve this is to install the OpenSSH service on Windows OS and use a normal SSH connection instead of WinRM.

Proposal

If certificate based auth is allowed via the connection block for WinRM, it might look like below:

```hcl
resource "null_resource" "test" {
  connection {
    type         = "winrm"
    timeout      = "10m"
    user         = "${var.admin_user}"
    private_cert = "${file("/path/to/cert.pfx")}" # proposed attribute, does not exist yet
    host         = "${var.ipv4}"
    port         = 5986
    https        = true
    insecure     = true
  }

  provisioner "remote-exec" {
    inline = [
      "powershell.exe -ExecutionPolicy Bypass -File c:\\script.ps1 -markFinish"
    ]
  }
}
```

My goal is passwordless auth, so I'm skipping the cert_password attr, but that can be included for completeness, as PFX certs can be password protected.

References

https://cloudbase.it/windows-without-passwords-in-openstack/

Not related to Terraform or the solution, but the above link has a quick setup on how to set up WinRM for cert based auth and how to use that from a Linux system.
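The Windows-side setup the linked article describes, as an added example that is not part of the issue or of Terraform: it enables WinRM certificate authentication and maps a client certificate (by UPN subject and issuer thumbprint) to a local account, so a client such as the proposed connection block could authenticate without a password. It assumes an elevated PowerShell session, a placeholder account name `admin_user`, and self-signed certificates, so a client would still have to trust the listener certificate explicitly (the `insecure = true` in the proposal skips that check, which is what a pinned or CA-issued listener certificate would let you drop).

```powershell
# Added example, not from the issue. Assumes an elevated session; 'admin_user' and
# the paths are placeholders.
$ErrorActionPreference = 'Stop'
$hostName = $env:COMPUTERNAME   # placeholder: use the name clients actually connect to
$userName = 'admin_user'        # local account the client certificate maps to

# 1. HTTPS listener certificate: its subject must match the name clients connect to.
$serverCert = New-SelfSignedCertificate -DnsName $hostName -CertStoreLocation Cert:\LocalMachine\My
New-WSManInstance -ResourceURI winrm/config/Listener `
    -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
    -ValueSet   @{ CertificateThumbprint = $serverCert.Thumbprint }

# 2. Client certificate: Client Authentication EKU plus a UPN SAN of the form
#    user@localhost, which is what the WinRM certificate mapping matches on.
$clientCert = New-SelfSignedCertificate -Type Custom -Subject "CN=$userName" `
    -KeyUsage DigitalSignature,KeyEncipherment -KeyAlgorithm RSA -KeyLength 2048 `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2', "2.5.29.17={text}upn=$userName@localhost") `
    -CertStoreLocation Cert:\CurrentUser\My

# 3. The service must trust the issuer of the client certificate. A self-signed client
#    cert is its own issuer, so install only its public half in Trusted Root.
$pubPath = Join-Path $env:TEMP "$userName-client.cer"
Export-Certificate -Cert $clientCert -FilePath $pubPath | Out-Null
Import-Certificate -FilePath $pubPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 4. Enable certificate auth and map the certificate to the account. The account
#    password is needed once here, to create the mapping; clients never send it.
Set-Item -Path WSMan:\localhost\Service\Auth\Certificate -Value $true
$cred = Get-Credential -UserName $userName -Message 'Password of the mapped account'
New-Item -Path WSMan:\localhost\ClientCertificate `
    -Subject "$userName@localhost" -URI '*' -Issuer $clientCert.Thumbprint `
    -Credential $cred -Force | Out-Null

# 5. Export the client cert with its private key as a password-protected PFX for the
#    client side (what the proposed private_cert / cert_password attributes would read).
$pfxPwd = Read-Host -AsSecureString -Prompt 'PFX export password'
Export-PfxCertificate -Cert $clientCert -FilePath (Join-Path $env:TEMP "$userName-client.pfx") `
    -Password $pfxPwd | Out-Null

# Verify: the mapping should list the UPN subject, the issuer thumbprint and URI=*.
Get-ChildItem WSMan:\localhost\ClientCertificate | Format-List Name, Keys
```

Because the mapping is keyed on the issuer thumbprint, rotating the client certificate means creating a new mapping; in the meantime the mapped account's password can change freely without breaking the connection.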

pateljin commented 4 years ago

Anyone else interested in getting this feature?