Azure - Endpoints for Windows machines does not open ports on Windows Firewall


Iain Black

Aug 17, 2015, 9:15:07 AM
to Terraform
Hi all,

Not sure this is a terraform problem as I can use Vagrant and the vagrant-azure plugin to get things working on Windows. But, I am trying to create a VM Instance and then do a Chef run, but terraform times out connecting to the machine. The endpoints I need open are provided (RDP and 5986 for HTTPS winrm, I also added 5985 for fun) but the windows firewall has these ports still closed apart from RDP. This means I cannot connect to the machine. Could anyone share an example config that creates a windows VM and does any kind of simple remote-command. I'm a bit stumped!

I'm trying to do something like this but no combination works as far as I can tell.

resource "azure_instance" "VM1" {
    connection {
        type     = "winrm"
        timeout  = "10m"
        https    = "true"
        insecure = "true"
        port     = "5986"
    }
    depends_on           = ["azure_storage_container.default"]
    name                 = "${var.machine_name}"
    hosted_service_name  = "${var.hosted_service}"
    image                = "Windows Server 2012 R2 Datacenter, June 2015"
    size                 = "Basic_A1"
    storage_service_name = "${var.storage_service}"
    location             = "${var.location}"
    username             = "${var.azure_username}"
    password             = "${var.azure_password}"
    time_zone            = "${var.timezone}"
    endpoint {
        name         = "RDP"
        protocol     = "tcp"
        public_port  = 3389
        private_port = 3389
    }
    endpoint {
        name         = "WinRM"
        protocol     = "tcp"
        public_port  = 5985
        private_port = 5985
    }
    endpoint {
        name         = "PowerShell"
        protocol     = "tcp"
        public_port  = 5986
        private_port = 5986
    }
}

Many thanks
Iain

Sander van Harmelen

Aug 17, 2015, 11:05:06 AM
to terrafo...@googlegroups.com
Hi Iain,

I don’t think using HTTPS will work for you as using certificates together with newly created machines is kind of difficult (certs need to match the new host name for example).

Maybe you could have a look at this page to get a better understanding about your options: https://github.com/masterzen/winrm/blob/master/README.md

Sander


--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/terraform/issues
IRC: #terraform-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Terraform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to terraform-too...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/9c5e3f16-b3cb-43db-973a-994db34d429b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Iain Black

Aug 17, 2015, 12:56:41 PM
to Terraform
Thanks for the reply! But, I really don't need certificates. I'm eager to get working any way possible! I'm not too familiar with WinRM, but it seems like at minimum I cannot even connect to the port that is listening in the windows instance by default, 5985. If I go with that, the windows firewall rule for the public profile only allows connections from the same subnet. So, I cannot use it from a remote system. Even if it did work, it won't allow an unencrypted connection anyway without changing winrm allowunencrypted parameter (as far as I know). If I try to use port 5986 it seems the service is not even running on the instance, so cannot get to it without a manual winrm config command. Short of creating a VM with winrm already enabled I'm not sure what to do. Am I being incredibly dumb here?

MY SYSTEM RUNNING TERRAFORM - THIS TIMES OUT
azure_instance.VM1 (remote-exec):   Host: 40.113.119.53
azure_instance.VM1 (remote-exec):   Port: 5986
azure_instance.VM1 (remote-exec):   User: azureuser
azure_instance.VM1 (remote-exec):   Password: true
azure_instance.VM1 (remote-exec):   HTTPS: true
azure_instance.VM1 (remote-exec):   Insecure: true
azure_instance.VM1 (remote-exec):   CACert: false
azure_instance.VM1 (remote-exec): Connecting to remote host via WinRM...

OPEN PORTS ON AZURE VM - No listening 5986 port by default, just 5985
C:\Users\azureuser>netstat -an | findstr 598
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING
  TCP    [::]:5985              [::]:0                 LISTENING

Iain Black

Aug 17, 2015, 1:03:07 PM
to Terraform
Sorry, I see what you mean about certificates now. I guess what I'm fearing is that it seems like Azure Windows instances can be created but provisioners cannot be run as there is no way to connect to the remote host using the Microsoft provided instances? I'm really just looking to see one example where someone managed to run a remote-exec command after the creation but I can't seem to find one :(  Only linux examples seem to manage this, and via ssh.

Thanks
Iain

Sander van Harmelen

Aug 17, 2015, 3:51:52 PM
to terrafo...@googlegroups.com
Have no fear, we have a couple of setups tested against Azure so I can confirm it can work ;)

So you confirmed that WinRM is listening on port 5985 on your newly created VM. Did you also try a “telnet your.public.azure.ip 5985” to test if you can connect to the port from the machine running TF?

And did you check if your newly created VM has the correct WinRM settings for allowing unencrypted HTTP traffic?

Sander

Iain Black

Aug 17, 2015, 4:35:16 PM
to Terraform
That's what I want to hear :)

I have tried the telnet command while testing. It can never connect to port 5985 or 5986 when terraform creates the VM, even with the endpoint ports open, the trouble seems to be partly the windows firewall. The 5985 port is only open on the public profile from a local subnet, so I can't get to it remotely. The private profile is open but closed from access from a remote IP also, as expected. Unencrypted setting is disabled on the VM. The winrm HTTPS service is not created or active either, port 5986 not listening, so inaccessible. Basically, the end result is a machine that is not available for remote access. Any telnet on ports 5985/5986 fails :(  RDP is fine!

Now, interestingly, if I create a VM from the gallery using the azure WebGUI, port 5986 is open. And I can connect to it using telnet. So, by default it works. It just 'seems' to be something in how terraform creates the VM. It doesn't open the port on the windows firewall correctly.

Any ideas? I really can't use terraform to create a VM and then have to remotely enable winrm. It stops the follow-up chef run happening etc...

Cheers
Iain

Sander van Harmelen

Aug 17, 2015, 6:36:18 PM
to terrafo...@googlegroups.com
I'll have a look tomorrow to see if I can find a config that worked for us when we were testing with Azure...

But in any case you will have to tweak and upload an image of your own with the correct settings to be able to connect (e.g. set to allow unencrypted traffic).

So the only thing I can help you with, is getting to the point that you can connect using telnet to port 5985 (assuming something is listening of course).

From there it's just a matter of using a well prepared image...

Sander

Sander van Harmelen

Aug 21, 2015, 6:06:10 AM
to terrafo...@googlegroups.com
Hi Iain,

So I took some time to look at this today and could reproduce your issue. But it turns out this is not related to Terraform or Azure, but with the image you are using. If you use a standard (not WinRM prepared) Windows image you will not get this to work. The problem is the Windows Firewall's default rules…

There are 2 rules defined for incoming WinRM traffic:


Now you see that the difference in these rules is the profile they are assigned to. The rule used for this kind of public traffic is of course the one assigned to the Public profile. If you have a look at this rule you’ll see that it only allows traffic from its local subnet:


So if you change that to your own public IP or to “Any IP address” you can connect without any problem. If I’m not mistaken (you should double check) using a security group would also be a solution as that will NAT incoming traffic (again not tested, so not sure about that one).

So it comes down to having a prepared image that has the needed WinRM tweaks and correct firewall settings. After that the floor is yours :)

Cheers,

Sander


Iain Black

Aug 28, 2015, 2:50:33 PM
to terrafo...@googlegroups.com
Sorry for the delay. Many thanks for looking into this. I'll look to create some pre-prepared images that have the port enabled so we can use terraform. I'm a bit mystified as to how vagrant and the vagrant-azure plugin can do a chef-run on a freshly deployed azure image though. Surely it would have the same restrictions? Thanks so much for looking into this though!

Cheers
Iain

Sander van Harmelen

Aug 28, 2015, 3:35:32 PM
to terrafo...@googlegroups.com
Maybe they do use a security group? Or add/tweak some other parts of the stack? Not sure without having a look at the internals...

Sander



Aman Sharma

May 2, 2016, 1:18:53 PM
to Terraform
Sorry to open this year old post, but I had a similar issue. I'm trying to provision AWS Windows instances, but Terraform times out when trying to connect to the instance. I'm guessing it's because winRM isn't configured by default on the Windows instance, like Sander mentioned here. A few weeks ago, I was trying to use Chef Provisioning to do the same thing and ran into this problem. I resolved that by passing this user data that configured winRM to Chef Provisioning: 

"<powershell>\nwinrm quickconfig -q\nwinrm set winrm/config/winrs '@{MaxMemoryPerShellMB=\"300\"}'\nwinrm set winrm/config '@{MaxTimeoutms=\"1800000\"}'\nwinrm set winrm/config/service '@{AllowUnencrypted=\"true\"}'\nwinrm set winrm/config/service/auth '@{Basic=\"true\"}'\n\nnetsh advfirewall firewall add rule name=\"WinRM 5985\" protocol=TCP dir=in localport=5985 action=allow\nnetsh advfirewall firewall add rule name=\"WinRM 5986\" protocol=TCP dir=in localport=5986 action=allow\n\nnet stop winrm\nsc config winrm start=auto\nnet start winrm\ncscript C:\\Windows\\System32\\Scregedit.wsf /au 1\n</powershell>"

With this, I was able to provision Windows instances. However, if I pass this same user data in Terraform, it doesn't work and it times out again. I also specified a security group that permits RDP connections, but that didn't help. Does anyone have an idea of how I should proceed from here?

Andrew Hodgson

May 2, 2016, 1:30:13 PM
to terrafo...@googlegroups.com
Hi,

Not sure on how Azure does this but with AWS I need to set the admin password as part of the user data script if I want to use a provisioner. Your script does everything else though; in my setup I just open port 5985 in the Windows firewall and security group. I am trying though to remove WinRM from my systems and provision everything through user data.

Andrew.
Aman Sharma

May 2, 2016, 3:18:09 PM
to Terraform
Thanks for your response! Unfortunately, I'm rather new to this, and I would really appreciate some more help. How would I set the admin password and what would I set it to? At the moment, when I run the script, Terraform times out and repeatedly displays this: 

aws_instance.instance2 (chef): Connecting to remote host via WinRM...
aws_instance.instance2 (chef):   Host: 54.173.97.234
aws_instance.instance2 (chef):   Port: 5985
aws_instance.instance2 (chef):   User: Administrator
aws_instance.instance2 (chef):   Password: false
aws_instance.instance2 (chef):   HTTPS: false
aws_instance.instance2 (chef):   Insecure: false
aws_instance.instance2 (chef):   CACert: false
Error applying plan:

I'm guessing the "Password: false" line is indicating that I need to set the admin password? Also, how do you open port 5985 in the Windows firewall and security group? Do I just create a new security group in EC2 and include "security_groups = ["security_group_name"] ", line in the Terraform code or is it something else?

Thanks again

Andrew Hodgson

May 3, 2016, 6:46:58 AM
to terrafo...@googlegroups.com
Hi,

This is a rough and ready example. From this example you will get a machine in AWS with the relevant WinRM settings, and some cookbooks copied into C:\Windows\Temp using the WinRM. Chef will get installed but not actually run.

I used this setup on some machines I provisioned in AWS, and it works, albeit the WinRM connections are very slow, so I am moving away from WinRM.

Andrew.

# variables.tf - variable declarations.
variable "management_ips" {
  default     = "10.0.0.0/8"
  description = "allowed management addresses"
}

variable "management_password" {
  default     = "ChangeMe123"
  description = "Windows Admin Password"
}

# Templates.tf - template definitions.
resource "template_file" "user_data" {
  template = "${file("templates/userdata.ps1")}"
  vars {
    password = "${var.management_password}"
  }
}

# machine.tf - your instance definition
resource "aws_instance" "machine" {
  ami = "ami-9ebb39ed" # Windows Server 2012 R2 April 2016
  [...]
  user_data              = "${template_file.user_data.rendered}"
  vpc_security_group_ids = ["${aws_security_group.machine.id}"]

  # Terraform connects with the same password the user-data script sets below.
  connection {
    type     = "winrm"
    user     = "administrator"
    password = "${var.management_password}"
  }

  provisioner "file" {
    source      = "cookbooks"
    destination = "C:/Windows/Temp/cookbooks"
  }
}

resource "aws_security_group" "machine" {
  name        = "machine_sg"
  description = "Security group for instance which allows WinRM and RDP"
  vpc_id      = "${aws_vpc.vpc.id}"
}

resource "aws_security_group_rule" "machine_rdp_in" {
  type              = "ingress"
  from_port         = 3389
  to_port           = 3389
  protocol          = "tcp"
  cidr_blocks       = ["${split(",", var.management_ips)}"]
  security_group_id = "${aws_security_group.machine.id}"
}

resource "aws_security_group_rule" "machine_winrm_in" {
  type              = "ingress"
  from_port         = 5985
  to_port           = 5985
  protocol          = "tcp"
  cidr_blocks       = ["${split(",", var.management_ips)}"]
  security_group_id = "${aws_security_group.machine.id}"
}

resource "aws_security_group_rule" "machine_out" {
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = "${aws_security_group.machine.id}"
}

# templates/userdata.ps1 - userdata file.
<powershell>
# Sets the admin password on the local machine.
$admin = [adsi]("WinNT://./Administrator, user")
$admin.psbase.invoke("SetPassword", "${password}")

# Turn on WinRM, settings here are required to get files copied to the box.
winrm qc -q
winrm set winrm/config '@{MaxTimeoutms="1800000"}'
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="1024"}'
winrm set winrm/config/winrs '@{MaxShellsPerUser="50"}'
Set-Item wsman:localhost\client\trustedhosts -value * -force

# Allow WinRM through Windows firewall
netsh advfirewall firewall add rule name="WinRM-HTTP Exception" dir=in localport=5985 protocol=TCP action=allow

# Stop the WinRM service, make sure it autostarts on reboot, and start it
# (sc.exe requires the space after "start=").
net stop winrm
sc.exe config winrm start= auto
net start winrm

# Install chef client
. { iwr -useb http://omnitruck.chef.io/install.ps1 } | iex; install -channel stable -project chef
</powershell>
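A hardened variant of the user-data scripts in this thread, added here as an example and not code from Andrew, Aman or Sander: it serves WinRM over an HTTPS listener on 5986 instead of allowing unencrypted traffic on 5985, and it replaces the LocalSubnet-scoped Public-profile rule Sander identified with a single rule scoped to a management CIDR. Assumptions: the script runs once at first boot with administrative rights (as the thread's user-data scripts do), `203.0.113.0/24` is a placeholder for the network that runs Terraform, and the Terraform connection block uses `https = "true"`, `insecure = "true"` and `port = "5986"` as in Iain's config; the cloud-side endpoint or security group for 5986 is still required.

```powershell
<powershell>
# Added example, not code from the thread. Hardened first-boot WinRM setup:
# HTTPS listener on 5986, no unencrypted transport, firewall scoped to a management CIDR.
# Assumptions: runs once at first boot with administrative rights; $MgmtCidr is a
# placeholder for the network running Terraform; the Terraform connection block uses
# https = "true", insecure = "true", port = "5986".
$ErrorActionPreference = 'Stop'
$MgmtCidr = '203.0.113.0/24'   # placeholder: the CIDR that runs Terraform / Chef

# 1. The service must be running before the WSMan: drive is usable; start it on every boot.
#    (Replaces the thread's 'sc config winrm start=auto'; sc.exe requires 'start= auto'.)
Set-Service -Name WinRM -StartupType Automatic
Start-Service -Name WinRM

# 2. Self-signed certificate for the TLS listener. Terraform's insecure = "true" skips
#    chain and name validation, so a CN of the current hostname is sufficient here.
$cert = New-SelfSignedCertificate -DnsName $env:COMPUTERNAME `
                                  -CertStoreLocation 'Cert:\LocalMachine\My'

# 3. Remove the default HTTP listener so Basic credentials never leave the box in the
#    clear, then create the HTTPS listener on 5986.
Get-ChildItem 'WSMan:\localhost\Listener' |
    Where-Object { $_.Keys -contains 'Transport=HTTP' } |
    Remove-Item -Recurse
New-Item -Path 'WSMan:\localhost\Listener' -Transport HTTPS -Address * `
         -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# 4. Transport hardening. Basic stays enabled because the Terraform WinRM connector of
#    this period authenticates with Basic; with only a TLS listener it is wrapped in TLS.
Set-Item 'WSMan:\localhost\Service\AllowUnencrypted'  -Value $false
Set-Item 'WSMan:\localhost\Service\Auth\Basic'        -Value $true
Set-Item 'WSMan:\localhost\Service\Auth\Negotiate'    -Value $true
Set-Item 'WSMan:\localhost\Shell\MaxMemoryPerShellMB' -Value 1024   # file provisioner needs room

# 5. Firewall. The built-in "Windows Remote Management (HTTP-In)" rules are what Sander
#    found: the Public-profile copy is scoped to LocalSubnet, so a remote Terraform host
#    can never reach it. Leave them disabled; open only 5986 and only to the management CIDR.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'WinRM HTTPS (management only)' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -RemoteAddress $MgmtCidr -Profile Any -Action Allow | Out-Null

# 6. Verification, written to the user-data log: every inbound rule touching 5985/5986 with
#    its profile, enabled state and remote-address scope. A WinRM rule that is enabled with
#    remote=LocalSubnet (unreachable) or remote=Any (over-exposed) is what to look for.
function Get-WinRmFirewallScope {
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort -match '^598[56]$') } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' } |
        ForEach-Object {
            $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
            '{0,-50} enabled={1,-5} profile={2,-12} remote={3}' -f `
                $_.DisplayName, $_.Enabled, $_.Profile, $remote
        }
}
Get-WinRmFirewallScope
Get-ChildItem 'WSMan:\localhost\Listener' | Select-Object Name, Keys
</powershell>
```

The thread's scripts also set the Administrator password from user data; anything placed in user data is readable from the instance metadata service on the box, so a password delivered that way should be treated as known to every process on the instance and rotated once provisioning finishes.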


Aman Sharma

May 9, 2016, 4:27:59 PM
to Terraform
Thanks for this. It works. However, I would also like to be able to bootstrap the instance with a Chef server and run chef-client on the node. Do you know how I could do this? The chef provisioner provided by Terraform seems to do that, but I run into the above issue. What do you mean when you say "move away from winRM"? What alternative is there?

Andrew Hodgson

May 9, 2016, 5:25:56 PM
to terrafo...@googlegroups.com
Hi,
I found the Chef provisioner on Windows quite buggy and haven’t used it.  If you want to go that route you will need to open WinRM on the hosts, and ensure you have the administrator account password.  I am not sure if Terraform supports the AWS way of doing this, whereby the admin password is available with the management key after several minutes; I tend to reset this through user_data and provide it to Terraform as part of the WinRM connection.
I am currently using the Chef server through user_data, my script writes client.rb and gets the pem files via S3, as I don’t want to open WinRM at all if I can help it.
Hope this gives you some pointers.

