» Provisioner Connections
Many provisioners require access to the remote resource. For example, a provisioner may need to use SSH or WinRM to connect to the resource.
Terraform uses a number of defaults when connecting to a resource, but these can be overridden using a connection block in either a resource or provisioner. Any connection information provided in a resource will apply to all the provisioners, but it can be scoped to a single provisioner as well. One use case is to have an initial provisioner connect as the root user to set up user accounts, and have subsequent provisioners connect as a user with more limited permissions.
» Example usage
# Copies the file as the root user using SSH
provisioner "file" {
  source      = "conf/myapp.conf"
  destination = "/etc/myapp.conf"

  connection {
    type     = "ssh"
    user     = "root"
    password = "${var.root_password}"
  }
}

# Copies the file as the Administrator user using WinRM
provisioner "file" {
  source      = "conf/myapp.conf"
  destination = "C:/App/myapp.conf"

  connection {
    type     = "winrm"
    user     = "Administrator"
    password = "${var.admin_password}"
  }
}
» Argument Reference
The following arguments are supported by all connection types:
type - The connection type that should be used. Valid types are ssh and winrm. Defaults to ssh.
user - The user that we should use for the connection. Defaults to root when using type ssh and defaults to Administrator when using type winrm.
password - The password we should use for the connection. In some cases this is specified by the provider.
host - The address of the resource to connect to. This is usually specified by the provider.
port - The port to connect to. Defaults to 22 when using type ssh and defaults to 5985 when using type winrm.
timeout - The timeout to wait for the connection to become available. This defaults to 5 minutes. Should be provided as a string like 30s or 5m.
script_path - The path used to copy scripts meant for remote execution.
Additional arguments only supported by the ssh connection type:
private_key - The contents of an SSH key to use for the connection. These can be loaded from a file on disk using the file() interpolation function. This takes precedence over the password if provided.
agent - Set to false to disable using ssh-agent to authenticate. On Windows the only supported SSH authentication agent is Pageant.
Additional arguments only supported by the winrm connection type:
https - Set to true to connect using HTTPS instead of HTTP.
insecure - Set to true to not validate the HTTPS certificate chain.
cacert - The CA certificate to validate against.
» Connecting through a Bastion Host with SSH
The ssh connection also supports the following fields to facilitate connections via a bastion host.
bastion_host - Setting this enables the bastion host connection. This host will be connected to first, and then the host connection will be made from there.
bastion_port - The port to use to connect to the bastion host. Defaults to the value of the port field.
bastion_user - The user for the connection to the bastion host. Defaults to the value of the user field.
bastion_password - The password we should use for the bastion host. Defaults to the value of the password field.
bastion_private_key - The contents of an SSH key file to use for the bastion host. These can be loaded from a file on disk using the file() interpolation function. Defaults to the value of the private_key field.
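
The use case described at the top of this page (an initial provisioner connects as root to set up accounts, later provisioners connect with limited permissions), combined with key-based authentication through a bastion host, as an added example that is not part of the original documentation. The variable names, key paths, the null_resource wrapper and the deploy and jump accounts are assumptions; both connection blocks are written out in full so neither depends on settings inherited from the other.

```hcl
# Added example. Variable names, key paths and the "deploy" and "jump"
# accounts are assumptions, not values from the page.
variable "app_host" {}
variable "bastion_host" {}

resource "null_resource" "app" {
  # Resource-level connection: used by every provisioner that does not
  # declare its own. Unprivileged user, key-based, via the bastion.
  connection {
    type                = "ssh"
    host                = "${var.app_host}"
    user                = "deploy"
    private_key         = "${file("keys/deploy_id_rsa")}"
    agent               = false
    bastion_host        = "${var.bastion_host}"
    bastion_user        = "jump"
    bastion_private_key = "${file("keys/jump_id_rsa")}"
  }

  # Runs first, scoped to root, only to create the limited account.
  provisioner "remote-exec" {
    inline = [
      "useradd --create-home deploy",
      "install -d -m 700 -o deploy /home/deploy/.ssh",
      "echo '${file("keys/deploy_id_rsa.pub")}' > /home/deploy/.ssh/authorized_keys",
      "chown deploy /home/deploy/.ssh/authorized_keys",
      "chmod 600 /home/deploy/.ssh/authorized_keys",
    ]

    connection {
      type                = "ssh"
      host                = "${var.app_host}"
      user                = "root"
      private_key         = "${file("keys/root_id_rsa")}"
      agent               = false
      bastion_host        = "${var.bastion_host}"
      bastion_user        = "jump"
      bastion_private_key = "${file("keys/jump_id_rsa")}"
    }
  }

  # Runs second with the resource-level connection (deploy user).
  # /etc is not writable by deploy, so the file goes under its home.
  provisioner "file" {
    source      = "conf/myapp.conf"
    destination = "/home/deploy/myapp.conf"
  }
}
```

Provisioners run in the order they are declared, so the root-scoped block finishes before the file provisioner connects as deploy.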