File provisioner fails w/o sudo privileges

3,780 views
Skip to first unread message

Andrew Langhorn

unread,
Jul 22, 2015, 11:07:31 AM7/22/15
to Terraform
Hi,

I'm using a number of provisioners to walk through:
  1. copying data in to a folder locally (data/) using a local-exec
  2. create a new directory at /srv/puppet on a Terraform-instantiated EC2 instance using a remote-exec
  3. copy the entire local data/ directory to /srv/puppet remotely using a remote-exec
  4. delete the data/ directory locally to clean things up
Here are the provisioners I'm using, in order:

  provisioner "local-exec" {
    command = "sudo mkdir -p data/ && sudo rsync -av ../* data/ --exclude '.*' --exclude 'vendor/' --exclude '*.lock'"
  }
  provisioner "remote-exec" {
    inline = "sudo mkdir -p /srv/puppet"
  }
  provisioner "file" {
    source = "data/"
    destination = "/srv/puppet"
  }
  provisioner "local-exec" {
    command = "sudo rm -rf data/*"
  }

My connection block specifies the use of the 'ubuntu' user, since that's the default user in the AMIs I'm using to instantiate my EC2 instance. The first two provisioners work flawlessly, however the file provisioner breaks down when it tries to create directories under /srv/puppet remotely, claiming 'permission denied'.

I've played for a few minutes and worked out that it would work if I were able to preface the underlying SCP command that's occurring with `sudo`. Using the previous remote-exec to add the `ubuntu` user to the `sudo` group (`sudo adduser ubuntu sudo`) complains that the `ubuntu` user is already in the sudo group, so that doesn't help me much.

One idea I had was to create a user in a remote-exec before the file provisioner occurs, but that's not really that nice on a number of fronts. Ideally, there would be a way to ensure that the file provisioner runs with sudo privileges, or similar.

I'd be grateful for any pointers or advice on this one!

Cheers,

Andrew

Andrew Langhorn

unread,
Jul 23, 2015, 10:12:53 AM7/23/15
to Terraform, andrew....@digital.cabinet-office.gov.uk
I thought this may have been to do with the AMI that I'm using requiring a TTY, but it appears not to be as there's no Defaults entry in /etc/sudoers referencing that. Bit stumped on this one, so if anyone has any ideas (and would like eternal gratefulness bestowed upon them!), now's your time to shine :)

Else, more digging for me...

Paul Hinze

unread,
Jul 23, 2015, 11:35:14 AM7/23/15
to terrafo...@googlegroups.com
Hi Andrew,

Thanks for the clear explanation of the issue you're hitting!

I've played for a few minutes and worked out that it would work if I were able to preface the underlying SCP command that's occurring with `sudo`.

I don't think this would work, since `sudo scp local/path remote-host:remote/path` would just run the _local_ scp process as root - it does not affect the permissions on the remote side.

There's not really an underlying command for "scp with sudo on the remote side", so I think you'll need to just adjust the permissions on the directory to allow the ubuntu user to get the files up there, then fixup the ownership afterwards. Something like this:

  provisioner "remote-exec" {
    inline = "sudo mkdir -p /srv/puppet && sudo chown ubuntu: /srv/puppet"
  }
  provisioner "file" {
    source = "data/"
    destination = "/srv/puppet"
  }
  provisioner "remote-exec" {
    command = "sudo chown -R root: /srv/puppet"
  }

Hope this helps! Let me know if you have any further questions,

Paul

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/terraform/issues
IRC: #terraform-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Terraform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to terraform-too...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/e5555bfc-fb8e-47ae-bb80-61c7c58a4e94%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Andrew Langhorn

unread,
Jul 28, 2015, 8:52:42 AM7/28/15
to <terraform-tool@googlegroups.com>
Hi Paul,

Sorry for the delay - this message hit Gmail's spam filter :(

In the end, I did just modify the directory permissions in a remote-exec before the file occurs, which works fine for what I need it for.

:)

A

To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/CAJpeNAMZAJmuP-NrfpWa3iQ-OP0LrWFP47onB0YuG_Nzp73Hyg%40mail.gmail.com.

For more options, visit https://groups.google.com/d/optout.



--
Andrew Langhorn
Web Operations
Government Digital Service

a: 6th Floor, Aviation House, 125 Kingsway, London, WC2B 6NH
Reply all
Reply to author
Forward
0 new messages