Terraform: Support SSH over HTTP Proxy

Created on 6 Jan 2016 · 18 Comments · Source: hashicorp/terraform

There are some discussions about SSH proxy support through a bastion box: https://github.com/hashicorp/terraform/issues/1709

But my request is different. We are behind the corporate proxy, and I need to deploy an EC2 instance into a VPC.

Refer to the Terraform example: https://github.com/hashicorp/terraform/blob/master/examples/aws-two-tier/main.tf

But in our current environment, we don't have a bastion box, or I need to deploy the first bastion box.

I am stuck at the proxy setting needed to run remote-exec commands after the EC2 instance has been created by Terraform.

Here is my attempt:

```hcl
resource "aws_instance" "web01_np" {
  connection {
    type        = "ssh"
    user        = "ubuntu"
    private_key = "${var.private_key_path}"
    options     = "ProxyCommand=nc -X connect -x proxy_server:3128 %h %p"
  }
  ...
}
```

It is not successful, and I get an i/o timeout error:

```
* dial tcp 54.26.2.6:22: i/o timeout
2016/01/06 01:45:36 [ERROR] root: eval: *terraform.EvalOpFilter, err: 1 error(s) occurred:
```

How can I fix this issue?

enhancement provisioner/remote-exec

All 18 comments

An update: after the EC2 instance is created by Terraform, I can log in with the ~/.ssh/config settings, such as ssh 54.26.2.6:22

```
$ cat ~/.ssh/config

Host ec2*
  ProxyCommand nc -X connect -x proxy_server:3128 %h %p
  User ubuntu
  IdentityFile ~/.ssh/ec2.pem

Host 5*
  ProxyCommand nc -X connect -x proxy_server:3128 %h %p
  User ubuntu
  IdentityFile ~/.ssh/ec2.pem
```

But when I run terraform apply, it gives up at remote-exec.

Hi @SydOps, Terraform uses Go's crypto/ssh package, which does not do anything with the OpenSSH config file. It also doesn't support the OpenSSH config options like ProxyCommand etc.

It looks like what you're looking for is HTTP proxy support similar to what's described in this article:

https://www.perkin.org.uk/posts/ssh-via-http-proxy-in-osx.html

We'd have to investigate how this might be possible via Go. Any expertise from the community here would be welcome!

In the meantime, I'll update the title of this issue to reflect that it's SSH over an HTTP Proxy.
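
What `nc -X connect -x proxy_server:3128 %h %p` does on the wire, as an added Go example (not code from Terraform or from this thread): it sends an HTTP CONNECT request to the proxy and, on a 200 reply, keeps using the same TCP connection as the tunnel. The names `httpConnect` and `bufferedConn` and the address 192.0.2.10 are constructed for illustration; only the standard library is used.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"net/http"
	"time"
)

// bufferedConn keeps bytes that arrived right behind the proxy's reply
// (such as the SSH server banner) readable instead of lost in the buffer.
type bufferedConn struct {
	net.Conn
	r *bufio.Reader
}

func (c *bufferedConn) Read(p []byte) (int, error) { return c.r.Read(p) }

// httpConnect asks the proxy on conn for a tunnel to target ("host:port"),
// the same request that `nc -X connect -x proxy:port` sends.
func httpConnect(conn net.Conn, target string) (net.Conn, error) {
	if _, err := fmt.Fprintf(conn, "CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n", target, target); err != nil {
		return nil, err
	}
	br := bufio.NewReader(conn)
	resp, err := http.ReadResponse(br, &http.Request{Method: http.MethodConnect})
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK { // e.g. 403 or 407 from the proxy
		return nil, fmt.Errorf("proxy refused CONNECT to %s: %s", target, resp.Status)
	}
	return &bufferedConn{Conn: conn, r: br}, nil
}

func main() {
	// proxy_server:3128 is the placeholder used in the thread; 192.0.2.10 is constructed.
	conn, err := net.DialTimeout("tcp", "proxy_server:3128", 10*time.Second)
	if err != nil {
		fmt.Println("cannot reach proxy:", err)
		return
	}
	defer conn.Close()
	tunnel, err := httpConnect(conn, "192.0.2.10:22")
	// On success, tunnel can be handed to ssh.NewClientConn (golang.org/x/crypto/ssh).
	fmt.Println(tunnel != nil, err)
}
```

The proxy only relays bytes once the tunnel is open; the SSH handshake, including host key verification, still runs end to end over it.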

Thanks, @phinze

This may not be related to this topic, but is there any chance of switching, or how hard would it be to switch, from Go's crypto/ssh package to OpenSSH, which is a more mature and popular tool?

Just ran into this issue, although I'm using corkscrew to poke through the proxy. I can SSH to the provisioned hosts, but Terraform can't.

Resisting the urge to rant about language-specific reimplementations of tools that don't implement all of said tools' features... :speak_no_evil:

+1 for ssh over HTTP proxy.
This would be appreciated by all terraform users who work behind a corporate firewall.

+1
We are running Terraform in an ad-hoc VM, but it would be awesome to avoid that by running it directly from our Jenkins (connecting using SSH over an HTTP proxy). Hopefully this will be there!

+1
Same issue here. SSH via corkscrew works, but Terraform provisioners don't. I also agree with @bodgit about implementing things differently that are already there. But that seems to be the Go way anyways.. *cough* openssl *cough*. Any news on this topic?

+1, I've recently started to run Terraform in OCI (Oracle Cloud Infrastructure) and I ran into this 1st issue myself. I know many customers are behind proxies and therefore they can SSH strictly over an HTTP proxy, so it will be nice to include it in the _provisioner "remote-exec" connection_:

options = "ProxyCommand=nc -X connect -x proxyServer:proxyPort %h %p"

It will be nice to have it there already.

How about an option (either in configuration or as a command line argument) to use the local ssh binary instead of the native Go implementation?

This is how Docker Machine solves the same problem (actually, Docker Machine will use the local ssh binary unless explicitly instructed to use crypto/ssh via the --native-ssh option).

https://docs.docker.com/machine/reference/ssh/

+1

Is there any solution to use SSH with an HTTP proxy in Terraform yet?

+1

+1
This is a blocker for using Terraform behind our corporate proxy. For provisioning I always have to change connection to a mobile hotspot.

Also a blocker here, unfortunately.

Blocker here also.

Are there any options to use an SSH proxy in Terraform? Any update?

Extreme blocker!

Hi all,
I have implemented support for SSH over HTTP proxy like below.
https://github.com/htamakos/terraform/commit/dd9f7075f3b68217ad17c141fb243107ba343486

How about this?
I'll submit a PR about support for SSH over HTTP proxy.
