» Provisioner Connections

Many provisioners require access to the remote resource. For example, a provisioner may need to use SSH or WinRM to connect to the resource.

Terraform uses a number of defaults when connecting to a resource, but these can be overridden using a connection block in either a resource or provisioner. Any connection information provided in a resource will apply to all the provisioners, but it can be scoped to a single provisioner as well. One use case is to have an initial provisioner connect as the root user to setup user accounts, and have subsequent provisioners connect as a user with more limited permissions.

» Example usage 

# Copies the file as the root user using SSH
provisioner "file" {
  source      = "conf/myapp.conf"
  destination = "/etc/myapp.conf"

  connection {
    type     = "ssh"
    user     = "root"
    password = "${var.root_password}"
  }
}

# Copies the file as the Administrator user using WinRM
provisioner "file" {
  source      = "conf/myapp.conf"
  destination = "C:/App/myapp.conf"

  connection {
    type     = "winrm"
    user     = "Administrator"
    password = "${var.admin_password}"
  }
}

» Argument Reference

The following arguments are supported by all connection types:

  • type - The connection type that should be used. Valid types are ssh and winrm Defaults to ssh.

  • user - The user that we should use for the connection. Defaults to root when using type ssh and defaults to Administrator when using type winrm.

  • password - The password we should use for the connection. In some cases this is specified by the provider.

  • host - The address of the resource to connect to. This is usually specified by the provider.

  • port - The port to connect to. Defaults to 22 when using type ssh and defaults to 5985 when using type winrm.

  • timeout - The timeout to wait for the connection to become available. This defaults to 5 minutes. Should be provided as a string like 30s or 5m.

  • script_path - The path used to copy scripts meant for remote execution.

Additional arguments only supported by the ssh connection type:

  • private_key - The contents of an SSH key to use for the connection. These can be loaded from a file on disk using the file() interpolation function. This takes preference over the password if provided.

  • agent - Set to false to disable using ssh-agent to authenticate. On Windows the only supported SSH authentication agent is Pageant.

Additional arguments only supported by the winrm connection type:

  • https - Set to true to connect using HTTPS instead of HTTP.

  • insecure - Set to true to not validate the HTTPS certificate chain.

  • cacert - The CA certificate to validate against.

» Connecting through a Bastion Host with SSH

The ssh connection also supports the following fields to facilitate connnections via a bastion host.

  • bastion_host - Setting this enables the bastion Host connection. This host will be connected to first, and then the host connection will be made from there.

  • bastion_port - The port to use connect to the bastion host. Defaults to the value of the port field.

  • bastion_user - The user for the connection to the bastion host. Defaults to the value of the user field.

  • bastion_password - The password we should use for the bastion host. Defaults to the value of the password field.

  • bastion_private_key - The contents of an SSH key file to use for the bastion host. These can be loaded from a file on disk using the file() interpolation function. Defaults to the value of the private_key field.