
[WIP] proposal for multi-bastion support using ssh_config parsing #25967

Draft
wants to merge 1 commit into base: main

Conversation

RomanManz

This proposal relates to #14523.
It attempts to achieve multi-bastion support by adding the possibility to specify an ssh_config file. It uses two environment variables, TF_USE_SSH_CONFIG and TF_SSH_CONFIG, in order to enable the feature and to (optionally) override the ssh_config location. Please see the updates in website/docs/provisioners/connection.html.markdown for the limitations.
Pros:

  • Small change.
  • Good reuse of the modules, since the feature can be dynamically enabled/disabled.

Cons:

  • The ssh_config file can be very complex and therefore it can be a source for lots of discussions.
  • This may easily outweigh the benefit.

Having said that, it is clear that the very first question should be whether this is really an option that is worth considering.
Regarding the parsing of the ssh_config file, at the moment an external parser is used, adding another dependency. This adds to the question above. Of course, if the overall direction looks okay, thinking about implementing a dedicated ssh_config parser would be obvious, but that clearly makes the change much larger (even if partial-only support would be sufficient).

Example

templates.tf (sorry for the interpolation-only syntax, working on it):

variable "remote_user" { default = "foobarbaz" }
variable "private_key" { default = "~/.ssh/bastiondemo" }
variable "ip" { default = "127.0.0.1" }
resource "null_resource" "bastion-test" {
  provisioner "remote-exec" {
    inline = [
      "id",
      "sleep 10",
      "echo good bye"
    ]
    connection {
      user = "${var.remote_user}"
      host = "${var.ip}"
      private_key = "${file("${var.private_key}")}"
    }
  }
}

Example ssh config (~/.ssh/config.tf.bastiondemo):

IdentityFile ~/.ssh/bastiondemo
Host 127.0.0.1
ProxyJump foo@127.0.0.2,bar@127.0.0.3,baz@127.0.0.4
Host 127.0.0.3
ProxyJump foobar@127.0.0.5

Output:

$ TF_USE_SSH_CONFIG=yes TF_SSH_CONFIG=~/.ssh/config.tf.bastiondemo ~/workspace/golang/bin/terraform apply --auto-approve
null_resource.bastion-test: Refreshing state... [id=4719087466182994447]
null_resource.bastion-test: Destroying... [id=4719087466182994447]
null_resource.bastion-test: Destruction complete after 0s
null_resource.bastion-test: Creating...
null_resource.bastion-test: Provisioning with 'remote-exec'...
null_resource.bastion-test (remote-exec): Connecting to remote host via SSH...
null_resource.bastion-test (remote-exec):   Host: 127.0.0.1
null_resource.bastion-test (remote-exec):   User: foobarbaz
null_resource.bastion-test (remote-exec):   Password: false
null_resource.bastion-test (remote-exec):   Private key: true
null_resource.bastion-test (remote-exec):   Certificate: false
null_resource.bastion-test (remote-exec):   SSH Agent: true
null_resource.bastion-test (remote-exec):   Checking Host Key: false
null_resource.bastion-test (remote-exec): Using configured bastion host...
null_resource.bastion-test (remote-exec):   Host: 127.0.0.2
null_resource.bastion-test (remote-exec):   User: foo
null_resource.bastion-test (remote-exec):   Password: false
null_resource.bastion-test (remote-exec):   Private key: true
null_resource.bastion-test (remote-exec):   Certificate: false
null_resource.bastion-test (remote-exec):   SSH Agent: false
null_resource.bastion-test (remote-exec):   Checking Host Key: false
null_resource.bastion-test (remote-exec): Using configured bastion host...
null_resource.bastion-test (remote-exec):   Host: 127.0.0.3
null_resource.bastion-test (remote-exec):   User: bar
null_resource.bastion-test (remote-exec):   Password: false
null_resource.bastion-test (remote-exec):   Private key: true
null_resource.bastion-test (remote-exec):   Certificate: false
null_resource.bastion-test (remote-exec):   SSH Agent: false
null_resource.bastion-test (remote-exec):   Checking Host Key: false
null_resource.bastion-test (remote-exec): Using configured bastion host...
null_resource.bastion-test (remote-exec):   Host: 127.0.0.5
null_resource.bastion-test (remote-exec):   User: foobar
null_resource.bastion-test (remote-exec):   Password: false
null_resource.bastion-test (remote-exec):   Private key: true
null_resource.bastion-test (remote-exec):   Certificate: false
null_resource.bastion-test (remote-exec):   SSH Agent: false
null_resource.bastion-test (remote-exec):   Checking Host Key: false
null_resource.bastion-test (remote-exec): Using configured bastion host...
null_resource.bastion-test (remote-exec):   Host: 127.0.0.4
null_resource.bastion-test (remote-exec):   User: baz
null_resource.bastion-test (remote-exec):   Password: false
null_resource.bastion-test (remote-exec):   Private key: true
null_resource.bastion-test (remote-exec):   Certificate: false
null_resource.bastion-test (remote-exec):   SSH Agent: false
null_resource.bastion-test (remote-exec):   Checking Host Key: false
null_resource.bastion-test (remote-exec): Connected!
null_resource.bastion-test (remote-exec): uid=1005(foobarbaz) gid=985(users) groups=985(users)
null_resource.bastion-test: Still creating... [10s elapsed]
null_resource.bastion-test (remote-exec): good bye
null_resource.bastion-test: Creation complete after 11s [id=6924485873513024711]

Warning: Interpolation-only expressions are deprecated

  on templates.tf line 12, in resource "null_resource" "bastion-test":
  12:       user = "${var.remote_user}"

Terraform 0.11 and earlier required all non-constant expressions to be
provided via interpolation syntax, but this pattern is now deprecated. To
silence this warning, remove the "${ sequence from the start and the }"
sequence from the end of this expression, leaving just the inner expression.

Template interpolation syntax is still used to construct strings from
expressions when the template includes multiple interpolation sequences or a
mixture of literal strings and interpolations. This deprecation applies only
to templates that consist entirely of a single interpolation sequence.

(and 2 more similar warnings elsewhere)
Apply complete! Resources: 1 added, 0 changed, 1 destroyed.
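As an added example (not code from this PR or from Terraform itself), here is a minimal Go ssh_config parser plus ProxyJump resolver in the spirit of the dedicated parser the description contemplates, run over the config shown above. It assumes exact Host names (no patterns) and the first value token per option; hops are linearized so that a jump host's own ProxyJump comes before that host (my assumption about connection order; the WIP output above prints the hops in a different order), and recursion is bounded with cycle detection so a malformed config cannot make the provisioner loop forever.

```go
package main

import "fmt"
import "strings"

// Hop is one bastion (user@host) in a resolved ProxyJump chain.
type Hop struct{ User, Host string }

// ParseSSHConfig handles a minimal ssh_config: exact Host names only (no patterns),
// options before the first Host line are global under "*", first value token only.
func ParseSSHConfig(text string) map[string]map[string]string {
	cfg, cur := map[string]map[string]string{}, "*"
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 || f[0][0] == '#' {
			continue
		}
		if key := strings.ToLower(f[0]); key == "host" {
			cur = f[1]
		} else if cfg[cur] == nil {
			cfg[cur] = map[string]string{key: f[1]}
		} else {
			cfg[cur][key] = f[1]
		}
	}
	return cfg
}

// ResolveChain lists the bastions needed to reach target in connection order (a jump
// host's own ProxyJump precedes it). Depth is bounded and cycles are rejected.
func ResolveChain(cfg map[string]map[string]string, target string, seen map[string]bool) ([]Hop, error) {
	if seen[target] || len(seen) >= 8 {
		return nil, fmt.Errorf("ProxyJump cycle or chain deeper than 8 at %s", target)
	}
	seen[target] = true
	defer delete(seen, target)
	var chain []Hop
	// A host without ProxyJump yields no fields and therefore an empty chain.
	for _, jump := range strings.FieldsFunc(cfg[target]["proxyjump"], func(r rune) bool { return r == ',' }) {
		user, host := cfg["*"]["user"], jump // fall back to a global User, if any
		if i := strings.IndexByte(jump, '@'); i >= 0 {
			user, host = jump[:i], jump[i+1:]
		}
		via, err := ResolveChain(cfg, host, seen) // the jump host's own bastions first
		if err != nil {
			return nil, err
		}
		chain = append(append(chain, via...), Hop{user, host})
	}
	return chain, nil
}
```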

@hashicorp-cla

hashicorp-cla commented Aug 22, 2020

CLA assistant check
All committers have signed the CLA.

@jadjay

jadjay commented Dec 8, 2020

This proposition is AWESOME!
This is mandatory today with the complexity and needed security of our infrastructure!

Is it planned to be merged?

Base automatically changed from master to main February 24, 2021 18:01