local IP address


Nik Trevallyn-Jones

May 17, 2017, 11:39:34 AM
to Terraform
I am trying to configure an AWS security group that only allows SSH access from the host running terraform (in order to run provisioners).

I haven't managed to find a variable interpolation that returns the local host IP address.

I realise many users will be running terraform from inside a firewall, and so would need to know the public address of their local NAT gateway.
Is there a provisioner/datasource that can resolve this?

Cheers!
Nik

Nik Trevallyn-Jones

May 17, 2017, 11:42:37 AM
to Terraform
Oops - incorrect terminology:

"Is there a provisioner/datasource that can resolve this?"
should have been: "Is there a provider/datasource that can resolve this?"

Andrew Langhorn

May 17, 2017, 12:43:01 PM
to terrafo...@googlegroups.com
How about the HTTP data source, to something like icanhazip.com?
So, something like:

data "http" "icanhazip" {
  url = "http://icanhazip.com"   # body is just the caller's public IP as text/plain
}

And, then, to use it...

resource "aws_security_group_rule" "ssh" {
  type        = "ingress"
  cidr_blocks = ["${data.http.icanhazip.body}"]   # the rule also needs security_group_id, protocol, from_port and to_port
}

(or similar)

The great thing about icanhazip.com is that it just returns your public IP in the body, and nothing else, and meets the requirements for an HTTP data source (must return an HTTP 200, and returns text/plain, which should be accepted).

Andrew

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/terraform/issues
IRC: #terraform-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Terraform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to terraform-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/8fa3381c-8e38-41a1-ad9a-7b1408d09854%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Nik Trevallyn-Jones

May 17, 2017, 6:12:14 PM
to Terraform, andrew....@thoughtworks.com
That is such an elegant solution.

I was hunting for a website which just returned the address - although I was resigned to having to call a REST API and decode JSON... :)

I have the lookup working, and outputting the correct value - I'm just struggling a bit to use the value in a security_group.

I'll post back to confirm I have it working.

Thank you so much!

Cheers!
Nik

Nik Trevallyn-Jones

May 17, 2017, 6:26:46 PM
to Terraform, andrew....@thoughtworks.com
Unfortunately, all my efforts to use the resolved value in an aws_security_group body result in the security_group becoming invalid with no error message:

# existential question: who am I?
data "http" "whoami" {
  url = "http://icanhazip.com"
}

resource "aws_security_group" "config" {
  name        = "terraform_config"
  description = "Used in the terraform provisioning process"
  vpc_id      = "${aws_vpc.nuodb-domain.id}"

  # SSH access from the terraform host only
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["${data.http.whoami.body}/32"]
#    cidr_blocks = ["${var.local_public_ip}"]
  }


  # outbound internet access
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

terraform apply ...

data.http.whoami: Refreshing state...
Error running plan: 1 error(s) occurred:

* aws_instance.controller: 1 error(s) occurred:

* aws_instance.controller: Resource 'aws_security_group.config' not found for variable 'aws_security_group.config.id'

If I change back to ${var.local_public_ip} which equals "0.0.0.0/0", then the security_group is valid again.

I have an output variable which outputs ${data.http.whoami.body} and the value is correct there.

Has anyone any thoughts?

Cheers!
Nik

Andrew Langhorn

May 17, 2017, 7:33:02 PM
to Nik Trevallyn-Jones, Terraform
Hi Nik,

When testing my thought (which, admittedly, I hadn't tried above, but I'm glad you found it elegant), I'm getting an error which I think is also what you might be seeing here.

The cidr_blocks parameter to aws_security_group takes a valid CIDR, whereas icanhazip.com doesn't return one, which is a little unfortunate. A possible reason that your local_public_ip variable works is that you're specifying the value as a CIDR.

I'm going to have a hunt around and see if I can find any interpolators to help concat the "/32" and the returned IP together. Unfortunately, my usage of concat so far hasn't led me to believe that concat is the one :(

A

Andrew Langhorn

May 17, 2017, 7:53:27 PM
to Andrew Langhorn, Nik Trevallyn-Jones, Terraform
Hi Nik,

I have this working now using Terraform 0.9.5. It seems that icanhazip.com returns the body with an extraneous newline at the end, so when Terraform gets that, and when you try to add a /32 CIDR notation to the address, it ends up trying to split the entire string over two lines.

We can use chomp on the data resource to get rid of the new line. I have this working as follows:

provider "aws" {
  region = "eu-west-1"
}

data "http" "ip" {
  url = "http://icanhazip.com"
}

resource "aws_security_group" "ssh" {
  name = "ssh"
  ingress {
    from_port = 22
    to_port   = 22
    protocol  = "tcp"   # SSH only; "-1" (all protocols) requires from_port/to_port 0
    cidr_blocks = [
      "${chomp(data.http.ip.body)}/32"   # chomp strips the trailing newline icanhazip returns
    ]
  }
}
 
That validates and plans successfully for me, using 0.9.5.

How does that fare for you? Does it resolve your issue?

Andrew
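To see the failure mode and the chomp fix outside Terraform, here is an added Python example that is not part of the original thread. It models what data.http hands to cidr_blocks, shows why the raw body fails CIDR parsing, and goes one step further than the thread by checking that the chomped body is a single IPv4 address before a /32 is built from it. It assumes only the standard ipaddress module; the sample bodies are constructed, using documentation addresses.

```python
import ipaddress

# Constructed sample bodies standing in for data.http.ip.body.
# icanhazip.com appends a trailing newline, which is the defect the thread traces.
RAW_BODY = "203.0.113.7\n"      # constructed: IPv4 answer with trailing newline
IPV6_BODY = "2001:db8::7\n"     # constructed: what a host reaching the site over IPv6 gets
JUNK_BODY = "<html>503</html>"  # constructed: an error page instead of an address


def chomp(body: str) -> str:
    """Mirror Terraform's chomp(): strip trailing newline characters only."""
    return body.rstrip("\r\n")


def naive_cidr(body: str) -> str:
    """The failing interpolation from the thread: "${data.http.ip.body}/32"."""
    return f"{body}/32"


def host_cidr(body: str) -> str:
    """Chomp the body, require exactly one IPv4 address, then append /32.

    Anything else (an IPv6 answer, an HTML error page, an empty body) raises
    instead of silently landing in cidr_blocks."""
    addr = ipaddress.ip_address(chomp(body))  # ValueError on anything but one address
    if addr.version != 4:
        raise ValueError(f"cidr_blocks needs IPv4, got {addr} (use ipv6_cidr_blocks)")
    if addr.is_unspecified or addr.is_loopback or addr.is_multicast:
        raise ValueError(f"refusing to build an ingress rule for {addr}")
    return f"{addr}/32"


def is_valid_cidr(cidr: str) -> bool:
    """The check the AWS provider effectively applies to each cidr_blocks entry."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True
    except ValueError:
        return False


def rejected(body: str) -> bool:
    """True when host_cidr refuses the body."""
    try:
        host_cidr(body)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(repr(naive_cidr(RAW_BODY)), is_valid_cidr(naive_cidr(RAW_BODY)))
    print(host_cidr(RAW_BODY), is_valid_cidr(host_cidr(RAW_BODY)))
```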

Nik Trevallyn-Jones

May 17, 2017, 10:35:56 PM
to Terraform, andrew....@thoughtworks.com, nikt...@gmail.com
That got it sorted!

I would have thought that my setting the output variable would have shown me the trailing newline, but maybe the output var logic does some form of trim() on the value?

My next step would have been to enable debug logging, and try to sort it out, but tracking down a trailing newline could have been difficult - and you nailed it.

Thank you once again - an elegant solution which also works - a double-win! :)

Cheers!
Nik

Andrew Langhorn

May 18, 2017, 4:19:00 AM
to terrafo...@googlegroups.com, andrew....@thoughtworks.com, nikt...@gmail.com
Awesome. Glad that works!

--
Sent on the move