Terraform: Add support to remote-exec for calls with "sudo" mode

Created on 7 Nov 2014 · 29 Comments · Source: hashicorp/terraform

I am coming to terraform from an ansible background. Ansible has a really slick way of specifying certain actions/scripts that need to be run with elevated privileges that the ssh client doesn't have by default. You can see a nice example at:

http://docs.ansible.com/playbooks_intro.html

- hosts: webservers
  remote_user: yourname
  sudo: yes
  sudo_user: postgres

I have many commands that I need to run as root (at least until I get Packer to pre-run these into images). The only way I can convince remote-exec to run all commands with root privs via sudo is something like this:

#!/bin/bash
sudo -s "
echo 'something' >>/etc/hosts
 ... many more things ...
"

But the downsides of this technique are that I don't get to see the STDOUT of the commands being executed, and I feel like this is the first step down into shell quoting hell.

Is there an easier way to do what I need with the existing remote-exec? Or is it trivial to add a sudo/sudo_user attribute to remote-exec?

Thanks,
Chris


All 29 comments

:+1:

I would like this as well.

+1 on this request. Currently I am adding 'sudo' to each line.

+1 as well.

I would like this as well.

:+1:

@cbrinker in most cases writing "sudo" on the front of the command would work, but I notice this case is trickier because you're using I/O redirection, and so it's actually the non-root shell that's dealing with that interpolation. As a workaround in a couple places I use sudo bash -c ... but that's not too different than the workaround you mentioned.

So it looks like the subtlety of this request, that makes it different than just putting sudo on each line, is that you want the shell itself to be run under sudo, effectively having Terraform internally run sudo bash -c ....

Packer has an elegant way of handling this via the execute_command attribute:
https://www.packer.io/docs/provisioners/shell.html

It would be nice to lift some of the attributes from Packer's shell provisioners for Terraform's remote-exec.

:+1:

:+1:

@bliff That idea sounds good to me. :+1:

👍

:+1:

👍

+1

👍

👍

:thumbsup:

👍

👍

+1

plus one

+1

+1

👍

+1

Hi folks 👋! Thanks for the interest in this feature request.

Please do not post "+1" comments here, since it creates noise for others watching the issue and ultimately doesn't influence our prioritization because we can't actually report on these. Instead, react to the original issue comment with 👍, which we can and do report on during prioritization.

Thanks, and keep those 👍 coming!

Yes, I would like to add that it would be helpful if support is added for sudo -i to get the root shell. This currently seems to hang my remote-exec calls.

There is a workaround which you can use until sudo support is implemented in remote-exec. Add this at the beginning of your script (it assumes bash) instead of sudo -i:

if [[ $EUID -ne 0 ]]; then
    sudo $(realpath "$0")
    exit
fi

It re-executes itself with sudo if the script was run by non-root user.

@racbart Thanks for the tips. Need to add "$@" to re-pass args on it too.
Here is a dash version of your solution. What do you think of it?

#!/bin/sh
if [ $(id -u) != 0 ]; then
  sudo -i $(realpath "$0") "$@"
  exit
fi
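
The subtlety raised in this thread (with `sudo cmd >> file` the redirection is opened by the non-root shell) can also be handled by feeding the whole script on stdin to a single shell started under sudo, which keeps STDOUT visible and avoids nested quoting. This is an added example, not code from any commenter or from Terraform; `run_as_root`, `append_host_entry` and the `ELEVATE` override are hypothetical names, the host entry is constructed sample data, and it assumes passwordless sudo on the target.

```shell
#!/bin/sh
# Added example (not from the thread). ELEVATE is a hypothetical override so
# the wrapper can be exercised without sudo; when unset it is "sudo -n".

# run_as_root: read a script on stdin and run it in ONE shell started under
# sudo, so redirections such as >> are opened by the privileged shell rather
# than by the calling user's shell. Extra arguments become $1, $2, ... inside
# the script, so values never have to be spliced into the script text.
run_as_root() {
    if [ "$(id -u)" -eq 0 ]; then
        sh -s -- "$@"                 # already root: no escalation needed
    else
        # -n makes sudo fail at once instead of waiting for a password on a
        # session that has no terminal (the hang described in the thread).
        ${ELEVATE-sudo -n} sh -s -- "$@"
    fi
}

# append_host_entry FILE LINE: append LINE to FILE from the privileged shell.
# The quoted 'EOF' delimiter stops the calling shell from expanding anything
# in the body, so $1 and $2 are resolved by the inner shell only.
append_host_entry() {
    run_as_root "$1" "$2" <<'EOF'
set -eu
printf '%s\n' "$2" >> "$1"
echo "appended to $1"
EOF
}

# Typical call (constructed sample entry):
#   append_host_entry /etc/hosts "10.0.0.5 db.internal"
```

Because the script body travels on stdin, this wrapper cannot be combined with `sudo -S`, which also reads from stdin.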