azurerm provider: Connecting to remote host via SSH remote exec timeout

tobias...@gmail.com

Mar 7, 2018, 1:13:17 PM
to Terraform
  • Windows 10 64 Bit
  • Terraform v0.11.2

I am trying to remote execute a command on an Azure VM just for testing Terraform.

The example for VM generation is from the original Terraform documentation and I have added the remote-exec provisioner.

I get a timeout after some minutes. The same problem occurs after I set up the specific connection settings (host, username, password). I have no error message except the timeout at the end.


I don't understand why it's not working.


azurerm_virtual_machine.tftest: Still creating... (2m50s elapsed)
azurerm_virtual_machine.tftest: Provisioning with 'remote-exec'...
azurerm_virtual_machine.tftest (remote-exec): Connecting to remote host via SSH...
azurerm_virtual_machine.tftest (remote-exec):   Host:
azurerm_virtual_machine.tftest (remote-exec):   User: root
azurerm_virtual_machine.tftest (remote-exec):   Password: false
azurerm_virtual_machine.tftest (remote-exec):   Private key: false
azurerm_virtual_machine.tftest (remote-exec):   SSH Agent: false
azurerm_virtual_machine.tftest (remote-exec): Connecting to remote host via SSH...
azurerm_virtual_machine.tftest (remote-exec):   Host:
azurerm_virtual_machine.tftest (remote-exec):   User: root
azurerm_virtual_machine.tftest (remote-exec):   Password: false
azurerm_virtual_machine.tftest (remote-exec):   Private key: false
azurerm_virtual_machine.tftest (remote-exec):   SSH Agent: false
azurerm_virtual_machine.tftest (remote-exec): Connecting to remote host via SSH...
azurerm_virtual_machine.tftest (remote-exec):   Host:
azurerm_virtual_machine.tftest (remote-exec):   User: root
azurerm_virtual_machine.tftest (remote-exec):   Password: false
azurerm_virtual_machine.tftest (remote-exec):   Private key: false
azurerm_virtual_machine.tftest (remote-exec):   SSH Agent: false
azurerm_virtual_machine.tftest: Still creating... (3m0s elapsed)
azurerm_virtual_machine.tftest (remote-exec): Connecting to remote host via SSH.

Error: Error applying plan:

1 error(s) occurred:

* azurerm_virtual_machine.tftest: 1 error(s) occurred:

* timeout

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.


terraform {
  backend "azurerm" {
    storage_account_name = "asfd-something"
    container_name       = "terraform-state"
    key                  = "prod.terraform.tfstate"
    access_key           = "==DELETED=="
  }
}



resource "azurerm_resource_group" "tftest" {
  name     = "tftest"
  location = "West Europe"

  tags {
    environment = "Production"
  }
}
  
resource "azurerm_virtual_network" "tftest" {
  name                = "tftest"
  address_space       = ["10.254.0.0/28"]
  location            = "${azurerm_resource_group.tftest.location}"
  resource_group_name = "${azurerm_resource_group.tftest.name}"
}

resource "azurerm_subnet" "tftest" {
  name                 = "tftest"
  resource_group_name  = "${azurerm_resource_group.tftest.name}"
  virtual_network_name = "${azurerm_virtual_network.tftest.name}"
  address_prefix       = "10.254.0.0/28"
}

resource "azurerm_network_interface" "tftest" {
  name                = "tftest"
  location            = "${azurerm_resource_group.tftest.location}"
  resource_group_name = "${azurerm_resource_group.tftest.name}"

  ip_configuration {
    name                          = "testconfiguration1"
    subnet_id                     = "${azurerm_subnet.tftest.id}"
    private_ip_address_allocation = "dynamic"
  }
}

resource "azurerm_managed_disk" "tftest" {
  name                 = "datadisk_existing"
  location             = "${azurerm_resource_group.tftest.location}"
  resource_group_name  = "${azurerm_resource_group.tftest.name}"
  storage_account_type = "Standard_LRS"
  create_option        = "Empty"
  disk_size_gb         = "5"
}

resource "azurerm_virtual_machine" "tftest" {
  name                  = "vmplus"
  location              = "${azurerm_resource_group.tftest.location}"
  resource_group_name   = "${azurerm_resource_group.tftest.name}"
  network_interface_ids = ["${azurerm_network_interface.tftest.id}"]
  vm_size               = "Standard_A0"
  

  provisioner "remote-exec" {
    inline = [
      "whoami",
    ]

    connection {
      type = "ssh"
    }
  }

  storage_image_reference {
    publisher = "Canonical"
    offer     = "UbuntuServer"
    sku       = "16.04-LTS"
    version   = "latest"
  }

  storage_os_disk {
    name              = "osdisk"
    caching           = "ReadWrite"
    create_option     = "FromImage"
    managed_disk_type = "Standard_LRS"
  }


  storage_data_disk {
    name            = "${azurerm_managed_disk.tftest.name}"
    managed_disk_id = "${azurerm_managed_disk.tftest.id}"
    create_option   = "Attach"
    lun             = 1
    disk_size_gb    = "${azurerm_managed_disk.tftest.disk_size_gb}"
  }

  os_profile {
    computer_name  = "tfhostname"
    admin_username = "testadmin"
    admin_password = "Password1234!"
  }

  os_profile_linux_config {
    disable_password_authentication = false
  }

  tags {
    environment = "staging"
  }
}

Andrew Hodgson

Mar 7, 2018, 1:29:41 PM
to terrafo...@googlegroups.com

Hi,

 

A few things here:

 

  • You need to give the machine a public IP if you want to connect to it remotely;
  • You need to allow inbound port 22 in an ACL on your subnet;
  • You need to specify your password as part of your SSH connection.

 

Hope this helps.

Andrew.

Rob Coward

Mar 7, 2018, 1:33:03 PM
to terrafo...@googlegroups.com
You need to put a bit more inside the

  connection {
    type = "ssh"
  }

You've not specified a password or a private key file, so how do you expect it to authenticate?

Perhaps try:

  connection {
    type        = "ssh"
    # or work out your public IP if not running Terraform locally
    host        = "${azurerm_network_interface.tftest.private_ip_address}"
    user        = "root"
    private_key = "${file("~/.ssh/id_rsa")}"
  }

Regards,

Tobias Köck

Mar 7, 2018, 1:58:57 PM
to terrafo...@googlegroups.com
Hi

On 07.03.2018 19:32, Rob Coward wrote:
> You need to put a bit more inside the
>   connection {
>     type = "ssh"
>   }
> You’ve not specified a password or a private key file, so how do you
> expect it to authenticate ?
I did try to add the real host, user and password attributes with the
same result. I didn't add a private key though.

> Perhaps try:
>
>   connection {
>     type        = "ssh"
>     # or work out your public IP if not running Terraform locally
>     host        = "${azurerm_network_interface.tftest.private_ip_address}"
>     user        = "root"
>     private_key = "${file("~/.ssh/id_rsa")}"
>   }

I am wondering. Do I really need a public ip for every VM as the other
guy suggested? I don't want to make private node vms public by exposing
them to the Internet.

- How does that work logically?
- Does the terraform exe on the source system try to login directly with
SSH? If yes how can I bootstrap Azure cloud VMs which are behind NSGs
and shouldn't be accessible from the outside?
- My mental model was that Terraform tries to login via Azure CLI
function inside the resource group.

Greetings,
Tobias

Andrew Hodgson

Mar 7, 2018, 5:11:20 PM
to terrafo...@googlegroups.com
Tobias Köck wrote:

>I am wondering. Do I really need a public ip for every VM as the other guy suggested? I don't want to make private node vms public by exposing them to the Internet.

That's fine, you can use private IP addresses but Terraform will need to connect directly to the machine via SSH, so not using the Azure CLI to do this. So if you run Terraform from another machine inside the VNet that will work, or if you have direct access to that VNet via VPN etc.

You have a couple of options: provision a bastion host where you can log in remotely and run Terraform, or use Azure virtual machine extensions instead of provisioners in Terraform.

Thanks.
Andrew.
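
The points raised in this thread (explicit host, user and password, and no public IP on the VM), combined into one connection block that tunnels through a jump host. This is an added example, not code from any poster; it uses Terraform 0.11 syntax to match the thread. The variable names and the existence of a bastion reachable from the machine running Terraform are assumptions, and the provisioner is placed on a null_resource only so the block is complete on its own.

```hcl
# Added example. Variable names are hypothetical; resource names are the
# ones from the original post (azurerm_virtual_machine.tftest, etc.).
variable "admin_password" {}    # same value as os_profile.admin_password
variable "bastion_public_ip" {} # assumed: existing jump host with access to the VNet
variable "bastion_user" {}
variable "bastion_key_path" {}  # private key used to log in to the bastion

resource "null_resource" "tftest_bootstrap" {
  # Re-run the provisioner when the VM is replaced.
  triggers = {
    vm_id = "${azurerm_virtual_machine.tftest.id}"
  }

  provisioner "remote-exec" {
    inline = [
      "whoami",
    ]

    connection {
      type = "ssh"

      # Private address of the NIC; the VM itself gets no public IP.
      host = "${azurerm_network_interface.tftest.private_ip_address}"

      # Must match os_profile.admin_username. Left unset, Terraform uses
      # "root", which is what the log in the first post shows.
      user     = "testadmin"
      password = "${var.admin_password}"
      timeout  = "5m"

      # Terraform connects to the bastion first, then tunnels SSH to host.
      bastion_host        = "${var.bastion_public_ip}"
      bastion_user        = "${var.bastion_user}"
      bastion_private_key = "${file(var.bastion_key_path)}"
    }
  }
}
```

With this layout only the bastion needs inbound port 22 from outside; the NSG on the VM's subnet can restrict SSH to the bastion's address.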

tobias...@gmail.com

Mar 8, 2018, 5:21:48 AM
to Terraform
Sounds great.

Guys, thanks for the advice.