Windows aws_instance with Chef Provisioner


Vendoran

Jan 12, 2017, 11:15:59 AM
to Terraform
Hello,

Any help would be greatly appreciated.

I have a working terraform plan for ubuntu:
resource "aws_instance" "chef-workflow-environment-node" {
    ami = "${var.ec2_ami_id}"
    instance_type = "${var.ec2_instance_type}"
    tags {
        Name = "${var.aws_resource_prefix}-${var.chef_cookbook}-${var.chef_environment}",
        UAI = "${var.ec2_uai_tag}"
    }
    key_name = "${var.ec2_keypair_name}"
    vpc_security_group_ids = "${var.vpc_security_groups}"
    subnet_id = "${var.vpc_subnet}"
    provisioner "chef"  {
        environment = "${var.chef_environment}"
        run_list = ["delivery-base::default"]
        node_name = "${var.chef_cookbook}-${var.chef_environment}"
        server_url = "${var.chef_server_url}"
        fetch_chef_certificates = true
        recreate_client = true
        user_name = "${var.chef_user_name}"
        user_key = "${file("chef_user_key.pem")}"
        connection {
            type = "${var.ec2_connection_type}"
            user = "${var.ec2_login_user}"
            private_key = "${file("aws_ssh_key.pem")}"
            timeout = "3600s"
        }
    }
    provisioner "local-exec" {
        command = "knife vault refresh ge_acl acl_user -M client"
    }
    provisioner "remote-exec" {
        inline = [
        "${var.tf_remote_exec}chef-client -r 'recipe[delivery-base::default],recipe[${var.chef_cookbook}::default]'"
        ]
        connection {
            type = "${var.ec2_connection_type}"
            user = "${var.ec2_login_user}"
            private_key = "${file("aws_ssh_key.pem")}"
        }
    }
}


However, trying to spin up a Windows instance with the same plan fails.  It does not connect for the provisioner.  It appears as if Terraform does not have the ability to pull the Windows Admin password and also cannot use the private_key, like the test kitchen ec2 driver does.

So I've been attempting to submit user_data to create a new user and still have had no success.
data "template_file" "init" {
  template = "${file("user_data.ps1")}"
  vars {
    ec2_login_user_winrm = "${var.ec2_login_user_winrm}"
    ec2_login_user_pw_winrm = "${var.ec2_login_user_pw_winrm}"
  }
}

    user_data = "${data.template_file.init.rendered}"
    provisioner "chef"  {
        environment = "${var.chef_environment}"
        run_list = ["delivery-base::default"]
        node_name = "${var.chef_cookbook}-${var.chef_environment}"
        server_url = "${var.chef_server_url}"
        fetch_chef_certificates = true
        recreate_client = true
        user_name = "${var.chef_user_name}"
        user_key = "${file("chef_user_key.pem")}"
        os_type = "windows"
        connection {
            type = "${var.ec2_connection_type}"
            user = "${var.ec2_login_user_winrm}"
            password = "${var.ec2_login_user_pw_winrm}"
            timeout = "3600s"
        }
    }

user_data.ps1:
<powershell>
net user ${ec2_login_user_winrm} ${ec2_login_user_pw_winrm} /add
net localgroup administrators  ${ec2_login_user_winrm} /add
net localgroup WinRMRemoteWMIUsers__ ${ec2_login_user_winrm} /add
</powershell>

I've also tried adding these lines to test which I saw in other posts in this group:
winrm quickconfig -q
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="300"}'
winrm set winrm/config '@{MaxTimeoutms="3600000"}'
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/client/auth '@{Basic="true"}'

netsh advfirewall firewall add rule name="WinRM 5985" protocol=TCP dir=in localport=5985 action=allow
netsh advfirewall firewall add rule name="WinRM 5986" protocol=TCP dir=in localport=5986 action=allow

net stop winrm
sc.exe config winrm start= auto
net start winrm

Any help/assistance would be greatly appreciated!

Thanks,

--Aaron
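As an added example (not code from the original post or from Terraform), here is a user_data.ps1 that takes the same two template_file vars, creates the provisioning user, and publishes WinRM only over HTTPS on 5986 with a self-signed certificate, so the Basic-auth credentials never cross the network unencrypted. The listener and firewall cmdlets assume Windows Server 2012 R2 or later; the certificate and rule names are assumptions.

```powershell
<powershell>
# Added example, not from the original post: create the provisioning user
# and publish WinRM over HTTPS (5986) only. The two ${...} placeholders are
# the template_file vars from the post; every other name is an assumption.
$ErrorActionPreference = 'Stop'
$user = '${ec2_login_user_winrm}'
$pass = '${ec2_login_user_pw_winrm}'

# Local user that Terraform's winrm connection will log in as.
net user $user $pass /add /y
net localgroup administrators $user /add

# Enable the WinRM service (this also sets LocalAccountTokenFilterPolicy so
# a local admin keeps its full token over the network), then replace the
# default HTTP listener with an HTTPS one bound to a self-signed certificate.
Enable-PSRemoting -Force -SkipNetworkProfileCheck
$cert = New-SelfSignedCertificate -DnsName $env:COMPUTERNAME `
    -CertStoreLocation 'Cert:\LocalMachine\My'
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTP' } |
    Remove-Item -Recurse
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbprint $cert.Thumbprint -Force

# Terraform and masterzen/winrm authenticate with Basic; allow it, but keep
# AllowUnencrypted false so credentials only ever travel inside TLS.
Set-Item WSMan:\localhost\Service\Auth\Basic -Value $true
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
Set-Item WSMan:\localhost\MaxTimeoutms -Value 3600000
Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB -Value 1024

# Open only 5986 at the host firewall; with the HTTP listener removed,
# nothing answers on 5985 even if the security group allows it.
New-NetFirewallRule -DisplayName 'WinRM HTTPS' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -Action Allow | Out-Null
Restart-Service WinRM
</powershell>
```

On the Terraform side the connection block then needs type = "winrm", port = 5986, https = true and, because the certificate is self-signed and issued for the computer name rather than the IP Terraform connects to, insecure = true (or a cacert pointing at the exported certificate). The security group must allow 5986 from the host running Terraform, just as 5985 is allowed in the original post.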

Sander van Harmelen

Jan 12, 2017, 11:29:25 AM
to <terraform-tool@googlegroups.com>
Can you telnet to the newly created Windows machine on port 5985? As that is the first step to confirm… 

Sander


--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/terraform/issues
IRC: #terraform-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Terraform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to terraform-too...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/ac9dfea7-fbd8-43e0-9bf7-9aaffebbd307%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Vendoran

Jan 12, 2017, 11:32:42 AM
to Terraform
I was using Matt Wrock's steps - http://www.hurryupandwait.io/blog/understanding-and-troubleshooting-winrm-connection-and-authentication-a-thrill-seekers-guide-to-adventure?rq=winrm

and both 
$ nc -z -w1 <IP or host name> 5985;echo $?

and 
Test-WSMan -ComputerName <IP or host name>

came back good.

Sander van Harmelen

Jan 12, 2017, 11:35:12 AM
to terrafo...@googlegroups.com
So what’s your error output/logs?

Sander


Andrew Hodgson

Jan 12, 2017, 11:45:47 AM
to terrafo...@googlegroups.com
Hi,

Do your security groups allow WinRM from the host running Terraform?

Also you will need to enable WinRM as it is off by default.

Thanks.
Andrew.

Vendoran

Jan 12, 2017, 1:57:28 PM
to Terraform
It eventually times out with:
Error applying plan
1 error(s) occured:
* http error 401 


Vendoran

Jan 12, 2017, 2:00:03 PM
to Terraform
Yes, the security group allows 5985 and 5986.  I have tried turning on WinRM with these commands:

WinRM quickconfig -q
Enable-PSRemoting
netsh advfirewall firewall add rule name="WinRM-HTTP" dir=in localport=5985 protocol=TCP action=allow
netsh advfirewall firewall add rule name="WinRM-HTTPS" dir=in localport=5986 protocol=TCP action=allow
winrm set winrm/config/client/auth '@{Basic="true"}'
winrm set winrm/config/service/auth '@{Basic="true"}'

Sander van Harmelen

Jan 13, 2017, 3:14:11 AM
to <terraform-tool@googlegroups.com>
Hi Aaron,

You're a bit sparse on details. If you want some more help, consider adding console output/logs of both a failed TF run and your WinRM test commands; that would give me/people some more insight into what could be going on. Additionally, a small but complete TF config that you use to test with is needed to make any kind of judgement about possible errors/issues in your approach.

Since you claim your WinRM commands are working OK, that would indicate that WinRM is configured correctly and your networking/firewall allows you to connect to port 5985 from the machine you run TF on. So without more info/details it's pretty hard to give additional advice.

Cheers,

Sander



Vendoran

Jan 13, 2017, 12:02:35 PM
to Terraform
Sander,

I'm happy to provide whatever details you need.

The 401 error is the only error that I'm seeing returned to the console.  I have the timeout at 3600s and it will show this repeatedly:
Connecting to remote host via WinRM...
Host: <IP_address>
Port: 5985
User: ChefAutomate
Password: true
HTTPS: false
Insecure: false
CACert: false

It eventually times out and throws the 401. The console is not returning any other error.

Terraform is running from a linux host and I'm not exactly sure how to specifically test the WinRM authentication from there (I can ssh into it), however I have tested it from a windows host within the same subnet and am able to issue the below successfully.

Enter-PSSession -Computer $Computer -Credential $Credential
Get-Date
Exit-PSSession

The AMI that I'm using in AWS is built to be used by Chef and as such already has winrm configured OOB.  Just by creating one the local Admin can connect with an Enter-PSSession, however since TF can't get the admin password I created a new user/password combo to use with TF within the user_data.

The entire TF plan and execution is being executed within the scope of a build_cookbook within Chef Automate.  



Sander van Harmelen

Jan 13, 2017, 12:26:19 PM
to terrafo...@googlegroups.com
I think the next best step is to:

1. While TF is in the loop to trying to get connected to the new box, use this tool (https://github.com/masterzen/winrm-cli) to manually connect to the same box with the expected username/password. Do this from the same box as from which you are running TF.
2. Provide a simple, short (but complete) TF config that can be used to replay your problem. So you would need to have used the config yourself to verify that it does indeed trigger your problem.

The tool is a Go tool which you need to compile yourself for the OS type/arch. Let me know if that is a problem, then I can do that for you. The code the tool uses to connect is the exact same code that TF uses to connect to WinRM, but then just in the form of a CLI tool.

Sander



Vendoran

Jan 17, 2017, 11:26:56 AM
to Terraform
Sander,

Thanks for your continued assistance - here is where I am at:

I have run this on the windows destination
net user ChefAutomate P@ssw0rd1 /add
net localgroup administrators  ChefAutomate /add
net localgroup WinRMRemoteWMIUsers__ ChefAutomate /add

winrm set winrm/config/service/Auth '@{Basic="true"}'
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="1024"}'
winrm set winrm/config/client/auth '@{Basic="true"}'
winrm set winrm/config '@{MaxTimeoutms="3600000"}'
winrm set winrm/config/client '@{AllowUnencrypted="true"}'
set-item wsman:\localhost\Client\TrustedHosts -value *
netsh advfirewall firewall add rule name="WinRM 5985" protocol=TCP dir=in localport=5985 action=allow
netsh advfirewall firewall add rule name="WinRM 5986" protocol=TCP dir=in localport=5986 action=allow

and I am able to successfully run a remote PoSH command from a windows machine via: Enter-PSSession -Computer $Computer -Credential $Credential 

However using https://github.com/masterzen/winrm-cli from an ubuntu machine via: winrm -hostname "ip address" -username "ChefAutomate" -password "P@ssword1" -insecure "true" 

Fails with `http response error: 401 - invalid content type`.

All 3 machines are in the same AWS VPC, region, Security Group and subnet

Searching I saw this https://github.com/hashicorp/terraform/issues/7367 and this https://github.com/hashicorp/terraform/issues/2918, however I've already run those, so I'm not sure what is going on.  

Regarding the config, my OP had the code that is running.

Thanks again!

Vendoran

Jan 18, 2017, 12:01:02 PM
to Terraform
Following up I found this example and it worked - https://github.com/dhoer/terraform_examples/tree/master/aws-winrm-instance :)

Thanks,

--Aaron

Sander van Harmelen

Jan 18, 2017, 1:15:58 PM
to terrafo...@googlegroups.com
Check, cool you got it working now!

Cheers,

Sander


