为什么无法使用提供的示例将 SSH 地球化到 EC2 实例？

我正在使用AWS双层示例，并且我直接复制粘贴了整个内容。 terraform apply一直工作到它尝试通过 SSH 连接到创建的 EC2 实例的位置。它循环几次给出此输出，最后失败。

aws_instance.web (remote-exec): Connecting to remote host via SSH...
aws_instance.web (remote-exec):   Host: 54.174.8.144
aws_instance.web (remote-exec):   User: ubuntu
aws_instance.web (remote-exec):   Password: false
aws_instance.web (remote-exec):   Private key: false
aws_instance.web (remote-exec):   SSH Agent: true

最终，它失败了 w/：

Error applying plan:
1 error(s) occurred:
* ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

我四处搜索并看到一些较旧的帖子/问题说翻转agent=false，我也尝试过没有更改或成功。我怀疑这个例子是开箱即用的，但我没有做任何可能破坏它的剪裁或修改。我正在使用通过OS X 10.10.5上的自制软件安装的terraform 0.6.11。

其他详细信息：

resource "aws_instance" "web" {
  # The connection block tells our provisioner how to
  # communicate with the resource (instance)
  connection {
    # The default username for our AMI
    user = "ubuntu"
    # The connection will use the local SSH agent for authentication.
    agent = false
  }
  instance_type = "t1.micro"
  # Lookup the correct AMI based on the region
  # we specified
  ami = "${lookup(var.aws_amis, var.aws_region)}"
  # The name of our SSH keypair we created above.
  key_name = "${aws_key_pair.auth.id}"
  # Our Security group to allow HTTP and SSH access
  vpc_security_group_ids = ["${aws_security_group.default.id}"]
  # We're going to launch into the same subnet as our ELB. In a production
  # environment it's more common to have a separate private subnet for
  # backend instances.
  subnet_id = "${aws_subnet.default.id}"
  # We run a remote provisioner on the instance after creating it.
  # In this case, we just install nginx and start it. By default,
  # this should be on port 80
  provisioner "remote-exec" {
    inline = [
      "sudo apt-get -y update",
      "sudo apt-get -y install nginx",
      "sudo service nginx start"
    ]
  }
}

从变量 tf 文件中：

variable "key_name" {
  description = "Desired name of AWS key pair"
  default = "test-keypair"
}
variable "key_path" {
  description = "key location"
  default = "/Users/n8/dev/play/.ssh/terraform.pub"
}

但是我可以使用以下命令进行ssh：

ssh -i ../.ssh/terraform ubuntu@w.x.y.z

您有两种可能性：

将您的密钥添加到您的ssh-agent：
```
ssh-add ../.ssh/terraform
```
并在配置中使用agent = true。该案例应该适合您
修改配置以直接使用
```
secret_key = "../.ssh/terraform"
```
左右。有关更具体的语法，请参阅文档。

我遇到了同样的问题，我做了以下配置

connection {
    type = "ssh"
    user = "ec2-user"
    private_key = "${file("*.pem")}"
    timeout = "2m"
    agent = false
}

下面是一个完整的独立resource "null_resource"，其中包含remote-exec SSH连接的配置器，包括ssh连接类型支持的必要参数：

private_key - 用于连接的 SSH 密钥的内容。可以使用 file 函数从磁盘上的文件加载这些内容。如果提供，这将优先于密码。
- 应使用的连接类型。有效类型为 ssh 和 winrm 默认为 ssh。
用户 - 我们应该用于连接的用户。使用 ssh 类型时默认为 root，使用 winrm 类型时默认为管理员。
host - 要连接到的资源的地址。这通常由提供程序指定。
端口 - 要连接到的端口。使用 ssh 类型时默认为 22，使用 winrm 类型时默认为 5985。
超时 - 等待连接可用的超时。这默认为 5 分钟。应以 30 秒或 5m 等字符串形式提供。
代理 - 设置为 false 可禁用使用 ssh 代理进行身份验证。在Windows上，唯一受支持的SSH身份验证代理是Pageant。

资源null_resource remote-exec以下示例代码：

resource "null_resource" "ec2-ssh-connection" {
  provisioner "remote-exec" {
    inline = [
      "sudo apt-get update",
      "sudo apt-get install -y python2.7 python-dev python-pip python-setuptools python-virtualenv libssl-dev vim zip"
    ]
    connection {
      host        = "100.20.30.5"  
      type        = "ssh"
      port        = 22
      user        = "ubuntu"
      private_key = "${file(/path/to/your/id_rsa_private_key)}"
      timeout     = "1m"
      agent       = false
    }
  }
}

https://stackoverflow.com/a/35382911/12880305 中提供的解决方案对我不起作用，所以我尝试了更多方法，发现问题出在我正在使用的密钥对类型上。

我正在使用 RSA 密钥对类型，因此出现错误

ssh：握手失败：ssh：无法进行身份验证，尝试的方法 [无公钥]，没有支持的方法

我创建了一个具有ED25519类型的新密钥对，它对我来说效果很好。https://aws.amazon.com/about-aws/whats-new/2021/08/amazon-ec2-customers-ed25519-keys-authentication/

我使用的连接块

connection {
  //Use the public IP of the instance to connect to it.
  host        = self.public_ip
  type        = "ssh"
  user        = "ubuntu"
  private_key = file("pemfile-location.pem")
  timeout     = "1m"
  agent       = true
}

检查基础映像中存在的用户名。例如，它可以ubuntu用于 Ubuntu 操作系统，也可以ec2-user用于 AWS images.
或者，大多数云提供商允许 Terraform 在云初始化配置的帮助下在第一个实例上创建新用户(查看您的提供商文档(：
```
metadata = {
    user-data = "${file("./user-meta-data.txt")}"
}
```
用户元数据.txt：
```
#cloud-config
users:
  - name: <NEW-USER-NAME>
    groups: sudo
    shell: /bin/bash
    sudo: ['ALL=(ALL) NOPASSWD:ALL']
    ssh-authorized-keys:
    - ssh-rsa <SSH-PUBLIC-KEY>
```

增加连接超时设置，有时使用 ssh 启动实例云网络需要 1-2 分钟。

connection {
   type = "ssh"
   user = "<USER_NAME>"
   private_key = "${file("pathto/id_rsa")}"
   timeout = "3m"
}

<小时 />

如果不起作用，请尝试通过 ssh 手动连接，并带有 -v for verbose

ssh -v -i <path_to_private_key/id_rsa> <USER_NAME>@<INSTANCE_IP>

the top answer  it does not work for me. 
the answer that use ed25519 does work for me. but not necessary to use PEM fortmat. 
here is working sample for me
  connection {
    host = "${aws_instance.example.public_ip}"
    type = "ssh"
    port = "22"
    user = "ubuntu"
    timeout = "120s"
    private_key = "${file("${var.key_location}")}"
    agent= false
  }
}
key_location="~/.ssh/id_ed25519"

相关内容

最新更新

热门标签：