Running provisioners in private VPC


Graham Taylor
Apr 15, 2015, 6:33:39 AM
to terrafo...@googlegroups.com
I have terraform provisioning a private VPC in AWS. 
This has a front bastion server which acts as the SSH gateway to the private instances.

The actual creation of the instances works fine but you run into problems when trying to run provisioners. Because the SSH port is not open publicly we are currently uploading shell scripts to the bastion and then running the provisioner there (which SSHs to the relevant private instance and runs some commands).

This is similar to what is described in these posts - 


This also means we have trouble adopting other providers easily, e.g. the docker one https://www.terraform.io/docs/providers/docker/index.html (because the docker TCP connection would not be exposed from a private instance to my machine, where terraform is running).

Additionally we cannot use things such as the user_data field (unless I am doing something wrong) to provision using cloud-init scripts as well. Also, the actual provisioning itself is a bit cumbersome (upload scripts to bastion, run provisioner for the private instance which SSHs to the bastion, which runs a script which SSHs again and runs some command) and is not particularly clear when you read the terraform code itself.

I'm wondering if anyone else is dealing with these issues in a bit of a nicer way than this?

If we were using pure SSH here we could set up a proxycommand in our ssh config file (e.g.) - 

# Public bastion: the only host reachable from the workstation
Host bastion
  User ubuntu
  IdentityFile ~/.ssh/ec2.pem

# Private instance: stdin/stdout are tunnelled through the bastion with nc
Host private_instance
  User ubuntu
  IdentityFile ~/.ssh/ec2.pem
  ProxyCommand ssh bastion nc %h %p

This would mean we could access the private instance directly from my machine via the bastion (via ssh private_instance), though this is not currently supported by terraform. Anyone have any other ideas how to make this a bit easier?

Graham Taylor
Apr 15, 2015, 6:42:10 AM
to terrafo...@googlegroups.com
Doing a bit more thinking around this you could do something like - 

1. Provision bastion
2. Run local-exec from bastion provisioning (to provision ssh config file)
3. Provision private instances (these depend on bastion, and would use the connection set up in the ssh config file to connect)

which might work?

Otherwise if https://github.com/hashicorp/terraform/blob/8ee6a037483cff74cece5345035e896cc59d4bb2/helper/ssh/provisioner.go supported setting arbitrary SSH options then we could just do something like 

connection {
    user     = "ubuntu"
    key_file = "${var.key_file}"
    host     = "${private_instance.private_ip}"
    # hypothetical option: pass arbitrary ssh_config settings to the provisioner
    options  = "ProxyCommand=ssh ubuntu@${bastion.public_ip} -W %h:%p"
}
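An added example, not from this thread or from the Terraform project, of the local-exec step proposed above: a small POSIX shell function that writes a self-contained ssh_config fragment routing the private instance through the bastion, the same shape as the ProxyCommand config in the first post but using `-W %h:%p` so nothing (such as nc) has to be installed on the bastion. The host aliases, IP addresses and key path are constructed placeholders; `-F` points the inner ssh at the generated file so the `bastion` alias resolves even when `~/.ssh/config` is empty.

```shell
#!/bin/sh
# Added example: generate an ssh_config fragment for a bastion-jumped private instance.
# All addresses, aliases and the key path are assumed values, not from the thread.

write_ssh_config() {
  bastion_ip="$1"
  private_ip="$2"
  key_file="$3"
  out="$4"

  cat > "$out" <<EOF
# Generated by write_ssh_config (example); do not hand-edit
Host bastion
  HostName $bastion_ip
  User ubuntu
  IdentityFile $key_file
  IdentitiesOnly yes

Host private_instance
  HostName $private_ip
  User ubuntu
  IdentityFile $key_file
  IdentitiesOnly yes
  # -W tunnels stdio to %h:%p through the bastion; -F keeps the alias lookup in this file
  ProxyCommand ssh -F $out -W %h:%p bastion
EOF
  # the file names a private key path, so keep it owner-readable only
  chmod 600 "$out"
}

# Usage as a local-exec command would invoke it (constructed values):
write_ssh_config 203.0.113.10 10.0.1.20 "$HOME/.ssh/ec2.pem" "${TMPDIR:-/tmp}/ssh_config.generated"
```

Before pointing a provisioner at the file, `ssh -G -F "${TMPDIR:-/tmp}/ssh_config.generated" private_instance` prints the effective options ssh would use, which is a cheap way to confirm the ProxyCommand and IdentityFile resolved as intended. Note that the connection then terminates on the private instance itself; the bastion only forwards bytes and never sees the private key.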

Paul Hinze
Apr 28, 2015, 11:28:53 AM
to Graham Taylor, terrafo...@googlegroups.com
Hi Graham,

I'm working on this feature this week!

I made https://github.com/hashicorp/terraform/issues/1709 so you can track my progress.

Paul
