hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io

Terraform provisioner connection - support for OpenSSH agent on Windows #35608

Open jexnator opened 3 months ago

jexnator commented 3 months ago

Terraform Version

Terraform v1.9.4

Use Cases

Terraform's Provisioner Connection block on Windows currently only supports Pageant (PuTTY's SSH agent) for SSH agent forwarding using remote-exec. However, with the further development of OpenSSH as the default pre-installed SSH tool on Windows 10/11, it would be a nice-to-have to support the OpenSSH SSH agent in addition to Pageant.

Background

I've created a small automation tool to help admins keep the hosting environment for WordPress on AWS Lightsail up to date. More information can be found in this GitHub repository.

The tool currently works perfectly on Unix-based systems (I use macOS) with SSH-agent forwarding via OpenSSH. It would be great if Windows users could also utilize the tool without having to adapt the setup specifically to Pageant.

Attempted Solutions

  1. Manual SSH Command via PowerShell (Successful):

    When running the following sequence in PowerShell on Windows, SSH agent forwarding with OpenSSH works as expected:

    # Add the key to the OpenSSH SSH agent
    ssh-add C://path/to/key
    
    # Connect to Host A
    ssh -A bitnami@<host_A_ip>
    
    # From Host A, connect to Host B and export the wordpress database for migration
    ssh -A bitnami@<host_B_ip> "cd /opt/bitnami/wordpress && sudo wp --allow-root db export --quiet /tmp/exported-wp-sql.sql > /dev/null"

    This process succeeds using OpenSSH (v9.5.0.0) in PowerShell (v7.4.4).

  2. Remote Provisioner in Terraform (Failure):

    When attempting the same with Terraform's remote-exec provisioner, it fails as only Pageant is supported:

    # Add the key to the OpenSSH SSH agent
    ssh-add C://path/to/key

    resource "null_resource" "example" {
      connection {
        type        = "ssh"
        user        = "bitnami"
        private_key = file("C://path/to/key")
        host        = var.host_A_ip
        agent       = true # Pageant
      }

      provisioner "remote-exec" {
        inline = [
          "ssh -A bitnami@<host_B_ip> 'cd /opt/bitnami/wordpress && sudo wp --allow-root db export --quiet /tmp/exported-wp-sql.sql > /dev/null'"
        ]
      }
    }

    Error Output:

    null_resource.remote_exec: Error: permission denied (publickey)

Proposal

Allow Terraform on Windows to support OpenSSH as an SSH agent, similar to how it functions on Unix-based systems. This would remove the dependency on Pageant and would provide a uniform approach across operating systems.

Example:

connection {
  type        = "ssh"
  user        = "bitnami"
  private_key = file("C://path/to/key")
  host        = var.host_A_ip
  agent       = true # Support OpenSSH agent in addition to Pageant.
}

References

N/A
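The failing configuration above depends on agent forwarding: Terraform must hand the workstation's agent to Host A so that the `ssh -A` run inside remote-exec can authenticate to Host B. On Windows that currently means Pageant. The connection block's `bastion_host` settings reach the same host without any agent: Terraform authenticates to Host A with the local key, opens a channel through it to Host B, and runs the command there, so the dump is taken on Host B directly and the agent is never exposed to Host A (with `ssh -A`, anyone who is root on Host A, which the `sudo` in the command implies, can use the forwarded agent for the life of the session). The following is an added example written for this page, not the issue author's tool or Terraform project code; the variable names, the `null_resource` name and the assumption that the same key pair is accepted by both hosts are mine.

```hcl
# Added example (not from the issue or the Terraform project): hop to Host B
# through Host A using the connection block's bastion settings instead of
# running `ssh -A` from inside remote-exec. No SSH agent (Pageant or OpenSSH)
# is involved, so the configuration behaves the same on Windows and Unix.

variable "host_A_ip" { type = string } # assumed: the jump host from the issue
variable "host_B_ip" { type = string } # assumed: the WordPress host from the issue

resource "null_resource" "wp_db_export" {
  connection {
    type        = "ssh"
    user        = "bitnami"
    host        = var.host_B_ip            # final target: Host B
    private_key = file("C://path/to/key")  # assumed: same key is authorised on both hosts
    agent       = false                    # do not look for Pageant at all

    # First hop: Terraform authenticates to Host A with the local key and
    # tunnels the Host B connection through it. The key stays on the
    # workstation; nothing is forwarded to Host A.
    bastion_host        = var.host_A_ip
    bastion_user        = "bitnami"
    bastion_private_key = file("C://path/to/key")
  }

  provisioner "remote-exec" {
    # Runs on Host B; this is the export command from the issue, minus the
    # inner `ssh -A` that needed a forwarded agent.
    inline = [
      "cd /opt/bitnami/wordpress && sudo wp --allow-root db export --quiet /tmp/exported-wp-sql.sql > /dev/null"
    ]
  }
}
```

This covers only the export step shown in the issue; if the dump then has to be moved from Host B to Host A, that is a separate transfer and should likewise be done without forwarding the agent (for example, a second resource connecting to Host A that pulls the file with a key authorised only for that purpose). Setting `bastion_host_key` to Host A's known public key is worth adding in practice so the first hop is not trusted on first use.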

jbardin commented 2 months ago

Hi @jexnator,

Thanks for filing the issue! I think this is a result of how the upstream github.com/xanzy/ssh-agent sets up a connection to Pageant. While the Windows usage of the OpenSSH agent is a little more in line with the standard implementation, it may still not be directly accessible via the usual methods (https://github.com/golang/go/issues/61383).

crw commented 2 months ago

Thanks for this feature request! If you are viewing this issue and would like to indicate your interest, please use the 👍 reaction on the issue description to upvote this issue. We also welcome additional use case descriptions.

Please note that provisioners are effectively deprecated, however upvoting issues such as this can help make a case for working on it. Thanks again!