SSH Proxy Support #1709

Closed
phinze opened this issue Apr 28, 2015 · 22 comments
@phinze (Contributor) commented Apr 28, 2015

I've been working on this already, but kicking off an issue so interested parties can track when it's done.

We'd like Terraform's remote-exec provisioner to support infrastructures with bastion hosts, which means we need SSH proxy support.

Go's crypto/ssh doesn't support openssh options, so we'll need to bake in our own proxy support along the lines of this example from the golang-nuts ML.

Tentative syntax for the feature:

resource "aws_instance" "public" {
  ami           = "${module.ami.ami_id}"
  instance_type = "${var.instance_type}"
  key_name      = "${var.key_name}"
  subnet_id     = "${element(split(",", module.vpc.public_subnets), count.index)}"

  vpc_security_group_ids = [
    "${aws_security_group.allow_internal_traffic.id}",
    "${aws_security_group.allow_ssh_from_world.id}",
  ]

  connection {
    user  = "ubuntu"
    agent = true
  }

  tags {
    Name = "public-instance"
  }
}
resource "aws_instance" "private" {
  ami           = "${module.ami.ami_id}"
  instance_type = "${var.instance_type}"
  key_name      = "${var.key_name}"
  subnet_id     = "${element(split(",", module.vpc.private_subnets), count.index)}"

  vpc_security_group_ids = [
    "${aws_security_group.allow_internal_traffic.id}",
  ]

  tags {
    Name = "private-instance"
  }
  /******************************
    vvv THIS WILL NOT WORK vvv
  *******************************/
  connection {
    user  = "ubuntu"
    agent = true
    proxy_hosts = [
      "ubuntu@${aws_instance.public.id}:22",
    ]
  }

  provisioner "remote-exec" {
    inline = "echo remote-exec works >> /tmp/remote-exec"
  }
  /******************************
    ^^^ LET'S MAKE IT WORK ^^^
  *******************************/
}
@radeksimko (Member)

FYI: CoreOS team has been solving the same issue: https://github.com/coreos/fleet/blob/19f0423fce91d6b50d6a4ab8b63f65970d83a5c5/ssh/ssh.go#L224-264

Another issue, which I'm surprised nobody brought here yet, is SSH-agent (key forwarding), which makes me think that everyone just uses ssh -i or nobody manages too many boxes to get annoyed about a giant ~/.ssh/config 😃
It will become more important in these cases, when you probably don't want to see anyone uploading their private keys to the bastion host...

@phinze (Contributor, Author) commented Apr 28, 2015

Cool thanks for that link! Will definitely take a look.

Re agent-forwarding: I didn't say it out loud, but I sort of consider agent-forwarding to be a required piece of this feature. Will update the title to reflect. 👌

@phinze phinze changed the title SSH Proxy Support SSH Proxy Support + Agent Forwarding Apr 28, 2015
@phinze (Contributor, Author) commented Apr 28, 2015

Oh nevermind we already have an issue to track the agent forwarding side of things #1630

@phinze phinze changed the title SSH Proxy Support + Agent Forwarding SSH Proxy Support Apr 28, 2015
@radeksimko (Member)

> Oh nevermind we already have an issue to track the agent forwarding side of things #1630

Ah, so it was just me being blind... 🙈

@progrium

+1

@josharian (Contributor)

Possibly helpful: http://godoc.org/dev.justinjudd.org/justin/easyssh.

@phinze I recently spent a bit of time puzzling through some SSH server code while writing https://github.com/josharian/packer-provisioner-tunnel/, and this is something our team is excited about, so please let me know if I can help in any way.

@progrium commented Jun 4, 2015

Glider Labs can implement this if somebody is willing to sponsor.

@nadnerb commented Jun 5, 2015

+1

@pikeas (Contributor) commented Jun 9, 2015

+1, this is a blocker for our use of Terraform.

@ketzacoatl (Contributor)

@pikeas, it seems like you could come up with a temporary workaround to start putting Terraform to use (you'll start reaping back rewards in saved time), while knowing you'll have a solution for the long-haul?

@mrwacky42 (Contributor)

@phinze,
Perhaps it would be better to teach Go's crypto/ssh to interpret ssh config files, and not have to add new syntax to Terraform?

@svanharmelen (Contributor)

@mrwacky42 think you have a point...

@ketzacoatl (Contributor)

@mrwacky42 you really are onto something here.. in an instant.. you have made me realize how frustrating it is when tools either do not do this, or do not play nice with SSH at all.

++ to reading SSH configs, and for that to support specifying the path to the SSH config file to use.

@josharian (Contributor)

@hanwen thoughts?

@hanwen commented Jun 11, 2015

There is no need to change the ssh package. You can write your config parser as a separate package.
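
Added example (not Terraform's code, not the ssh package's, and not hanwen's): a minimal stand-alone Go parser for ssh_config in the spirit of the suggestion above, which also resolves ProxyJump hops into the bastion chain the opening comment wants; the sample config, host names and addresses are constructed.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed sample ~/.ssh/config (not from the issue): "private" is reachable
// only by jumping through "bastion"; the Host * stanza supplies defaults.
const sampleConfig = "Host bastion\n  HostName 203.0.113.10\n  User ubuntu\nHost private\n" +
	"  HostName 10.0.1.25\n  ProxyJump bastion\nHost *\n  User deploy\n  Port 22\n"

// Parse returns the options for host using OpenSSH's first-match-wins rule (stanzas
// in order, each option set once). Negated (!) patterns and Match blocks are not handled.
func Parse(config, host string) map[string]string {
	opts := map[string]string{}
	active := true // options before the first Host line apply to every host
	for _, raw := range strings.Split(config, "\n") {
		f := strings.Fields(raw)
		if len(f) == 0 || strings.HasPrefix(f[0], "#") {
			continue
		}
		key := strings.ToLower(f[0])
		if key == "host" {
			active = false
			for _, pat := range f[1:] {
				if ok, _ := filepath.Match(pat, host); ok {
					active = true
				}
			}
		} else if _, seen := opts[key]; active && !seen {
			opts[key] = strings.Join(f[1:], " ")
		}
	}
	return opts
}

// JumpChain resolves ProxyJump hops into dial order, user@hostname:port with the
// target last; hop count is capped so a ProxyJump cycle cannot loop forever.
func JumpChain(config, host string) []string {
	var chain []string
	for hop, n := host, 0; hop != "" && n < 8; n++ {
		o := Parse(config, hop)
		chain = append([]string{o["user"] + "@" + o["hostname"] + ":" + o["port"]}, chain...)
		hop = o["proxyjump"]
	}
	return chain
}

func main() { fmt.Println(JumpChain(sampleConfig, "private")) }
```

Each hop in the returned chain is what a client would ssh.Dial in turn, using the previous connection's Dial to reach the next address.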

@gtmtech commented Jun 15, 2015

+1 for the ssh proxy and options support. Without this, half of terraform is unfortunately unusable for me.

@markhuge

+1

@khoerling

+1

@phinze (Contributor, Author) commented Jun 22, 2015

This has hung out for some time while I percolated on the proper abstraction for config, and I ended up deciding that I'd rather get the basic functionality out to users in the forthcoming 0.6 release rather than wait for the perfect idea to strike.

I agree that extending crypto/ssh to parse SSH configs is probably better UX for this, but for now - let's just get it working! 😀

PR pushed over here #2425 - should make it in for 0.6.0. Feel free to take it for a spin!

And if any of you want to take a stab at SSH options support / config parsing - I'm sure both the Terraform and the Go communities would be excited to hear it. 👍

@phinze phinze closed this as completed Jun 22, 2015
@ketzacoatl (Contributor)

\o/

Will surely take this for a spin! Thanks @phinze for choosing to take action on what was simple and clear..

@chiefy commented Jun 27, 2015

thanks @phinze and team! can't wait to try this out.

@ghost commented May 1, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators May 1, 2020