The chef and remote-exec provisioners do not appear to gracefully handle running as a non-root user. With chef it correctly prepends sudo to the commands to install the chef client, but it does not provide the user's password again at the sudo prompt. I've only tested with azurerm, so maybe the problem is limited to Azure resources. I've found a number of examples online where sudo is used successfully, but not with Azure.
0.6.15
provisioner "remote-exec" {
  connection {
    type     = "ssh"
    user     = "testadmin"
    password = "something"
    host     = "${azurerm_public_ip.test-vm_pub_ip.ip_address}"
  }
  # Switch testadmin to passwordless sudo in the waagent sudoers drop-in
  inline = ["sudo sed -i 's/testadmin ALL = (ALL) ALL/testadmin ALL=(ALL) NOPASSWD:ALL/' /etc/sudoers.d/waagent"]
}
azurerm_virtual_machine.test-vm: Provisioning with 'remote-exec'...
azurerm_virtual_machine.test-vm (remote-exec): Connecting to remote host via SSH...
azurerm_virtual_machine.test-vm (remote-exec): Host:
azurerm_virtual_machine.test-vm (remote-exec): User: testadmin
azurerm_virtual_machine.test-vm (remote-exec): Password: true
azurerm_virtual_machine.test-vm (remote-exec): Private key: false
azurerm_virtual_machine.test-vm (remote-exec): SSH Agent: true
azurerm_virtual_machine.test-vm (remote-exec): Connected!
azurerm_virtual_machine.test-vm (remote-exec): We trust you have received the usual lecture from the local System
azurerm_virtual_machine.test-vm (remote-exec): Administrator. It usually boils down to these three things:
azurerm_virtual_machine.test-vm (remote-exec): #1) Respect the privacy of others.
azurerm_virtual_machine.test-vm (remote-exec): #2) Think before you type.
azurerm_virtual_machine.test-vm (remote-exec): #3) With great power comes great responsibility.
azurerm_virtual_machine.test-vm (remote-exec): [sudo] password for testadmin:
I think it would be safe to expect a privileged account to be used in the connection info, but the provisioner should handle entering the supplied password a second time to start a sudo session.
There are plenty of images that come with the root account disabled out of the box or with ssh disabled for the root account. The default behavior for sudo is to ask for a password, so I think it would be best if Terraform can handle that situation. Maybe define a sudo_password option in the connection info?
The apply stalls at the sudo prompt
Deploy a VM in Azure with a provisioner associated with it that does not use the root account
@cchildress if you use only a private key, without a password this should be fine. I've had this before!
https://azure.microsoft.com/en-gb/documentation/articles/virtual-machines-linux-use-root-privileges/
@tasquith Issue #6541 prevented us from using keys.
We shouldn't have to set a root password. Sudo works when manually ssh'ing into the box and typing sudo -s without a password for the admin account on Azure. Unfortunately, the provisioner doesn't work and prompts the user for a password. This is still an issue in v0.7.2.
Hi, I believe this is still an issue in 0.10.7. Any update on the status of this?
We can work around the sudo password prompt by using one of the commands below:
echo ${var.ssh_pass} | sudo -S ${var.Command}
(or)
sudo -S <<< ${var.ssh_pass} ${var.Command}
We can even consolidate all commands in a script file and execute it this way without a password prompt.
But we're looking for a cleaner way of doing this in remote-exec.
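The stdin approach from the workaround above, as an added example that is not part of the original thread: a POSIX sh wrapper that feeds the password to `sudo -S` through a pipe. `sudo_stdin` and `SUDO_BIN` are hypothetical names introduced for this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. sudo_stdin and SUDO_BIN are hypothetical
# names; SUDO_BIN only exists so the wrapper can be exercised against a stub.

# sudo_stdin PASSWORD COMMAND [ARGS...]
sudo_stdin() {
    if [ "$#" -lt 2 ]; then
        echo "usage: sudo_stdin PASSWORD COMMAND [ARGS...]" >&2
        return 2
    fi
    _pw=$1
    shift
    # printf is a builtin in dash and bash, so the password is written to the
    # pipe by the shell itself and never appears in a process argument list.
    # A pipe works under /bin/sh; the `<<<` here-string is a bash extension.
    #   -S     read the password from stdin instead of the terminal
    #   -p ''  print no "[sudo] password for ..." prompt into the output
    #   --     end sudo's options so COMMAND's flags are passed through
    # COMMAND's stdin is that same pipe, so it gets no interactive input.
    printf '%s\n' "$_pw" | "${SUDO_BIN:-sudo}" -S -p '' -- "$@"
}
```

When the password is interpolated by Terraform into a remote-exec inline command, it is still written into the temporary script uploaded to the host; the wrapper only keeps it out of sudo's argument list and off the prompt.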
> We can work around the sudo password prompt by using one of the commands below:
> echo ${var.ssh_pass} | sudo -S ${var.Command}
> (or)
> sudo -S <<< ${var.ssh_pass} ${var.Command}
This does not help the Chef provisioner as far as I can tell. It only helps when running commands via the remote-exec provisioner.
I am having the same issue with the current version.
Hello! :robot:
This issue relates to an older version of Terraform that is no longer in active development, and because the area of Terraform it relates to has changed significantly since the issue was opened we suspect that the issue is either fixed or that the circumstances around it have changed enough that we'd need an updated issue report in order to reproduce and address it.
If you're still seeing this or a similar issue in the latest version of Terraform, please do feel free to open a new bug report! Please be sure to include all of the information requested in the template, even if it might seem redundant with the information already shared in _this_ issue, because the internal details relating to this problem are likely to be different in the current version of Terraform.
Thanks!
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.