resource "digitalocean_droplet" "web" {
  image    = "ubuntu-16-04-x64"
  name     = "web-1"
  region   = "sgp1"
  size     = "512mb"
  ssh_keys = [12345]

  connection {
    type        = "ssh"
    user        = "root"
    private_key = "${file("~/.ssh/id_rsa")}"
  }

  provisioner "remote-exec" {
    inline = [
    ]
  }
}
thx
Hi @toshimaru, this is for AWS, but I'm not sure why I get this:
Error: Error applying plan:
1 error(s) occurred:
- aws_instance.example: timeout - last error: dial tcp 63.35.183.138:22: i/o timeout
resource "aws_instance" "example" {
  ami           = "${lookup(var.aws_amis, var.aws_region)}"
  instance_type = "t2.micro"

  connection {
    type        = "ssh"
    user        = "root" // "ec2-user"?
    private_key = "${file("~/.ssh/terraform")}"
    timeout     = "2m"
    // agent = false // true?
  }

  provisioner "remote-exec" {
    inline = [
    ]
  }
}
Error: Error applying plan:
1 error(s) occurred:
* aws_instance.example: timeout - last error: dial tcp 63.35.183.138:22: i/o timeout
I needed a security-group that allowed ingress on port 22 in to the ec2 instance that was created.
resource "aws_security_group" "port_22_ingress_globally_accessible" {
  name = "port_22_ingress_globally_accessible"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"] // global access! Don't do this for real.
  }
}
I suppose the proper way to do this outside of a learning context is to add a bastion host and ssh through it to your ec2 instance. Terraform seems to have built-in support for using bastion hosts in the remote-exec provisioner, but I can't find a module to create the bastion host. Looks like we're on our own for that task.
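The bastion-host route mentioned in the comment above, as an added example that is not part of the original gist or thread. It assumes a bastion already exists in the same VPC as the instance; the variable names, the `ec2-user` login and the reuse of `~/.ssh/terraform` for both hops are assumptions.

```hcl
# Added example. All variables below are hypothetical inputs.
variable "ami_id" { type = string }        # AMI for the instance
variable "key_name" { type = string }      # EC2 key pair matching ~/.ssh/terraform
variable "bastion_host" { type = string }  # public address of the existing bastion
variable "bastion_sg_id" { type = string } # security group ID attached to the bastion

# Port 22 is reachable only from members of the bastion's security group,
# so no public CIDR appears in the rule at all.
resource "aws_security_group" "ssh_from_bastion" {
  name = "ssh_from_bastion"

  ingress {
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = [var.bastion_sg_id]
  }
}

resource "aws_instance" "example" {
  ami           = var.ami_id
  instance_type = "t2.micro"
  key_name      = var.key_name

  # The group must be attached to the instance; defining it alone
  # leaves the provisioner timing out on port 22.
  vpc_security_group_ids = [aws_security_group.ssh_from_bastion.id]

  connection {
    type        = "ssh"
    host        = self.private_ip # reached through the bastion, not the internet
    user        = "ec2-user"      # assumption: depends on the AMI
    private_key = file(pathexpand("~/.ssh/terraform"))
    timeout     = "2m"

    # Terraform opens the SSH session to the bastion first and tunnels to host.
    bastion_host        = var.bastion_host
    bastion_user        = "ec2-user" # assumption
    bastion_private_key = file(pathexpand("~/.ssh/terraform"))
  }

  provisioner "remote-exec" {
    inline = ["echo provisioned through the bastion"]
  }
}
```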
@mkempster I have the same issue as you, and part of the solution was to open SSH traffic to the whole internet. Not a very security-aware move, as you also wrote. Have you found any other alternative to that?
2 years late to the party,
Following up on mkempster's code:
data "http" "icanhazip" {
  url = "https://icanhazip.com/"

  request_headers = {
    Accept = "text/*"
  }
}

# The IP address of my laptop. Pass it to the security group ingress rule to restrict SSH access to the instance.
# A variable default cannot call functions or read data sources, so this is a local value.
# cidr_blocks expects CIDR notation, hence the /32 suffix for a single host.
locals {
  my_ip = "${chomp(data.http.icanhazip.response_body)}/32"
}

resource "aws_security_group" "port_22_ingress_globally_accessible" {
  name = "port_22_ingress_globally_accessible"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [local.my_ip] // IP of my own laptop
  }
}
Nice.