github.com/hs0210/hashicorp-terraform@v0.11.12-beta1/website/docs/provisioners/connection.html.markdown (about)

     1  ---
     2  layout: "docs"
     3  page_title: "Provisioner Connections"
     4  sidebar_current: "docs-provisioners-connection"
     5  description: |-
     6    Managing connection defaults for SSH and WinRM using the `connection` block.
     7  ---
     8  
     9  # Provisioner Connections
    10  
    11  Many provisioners require access to the remote resource. For example,
    12  a provisioner may need to use SSH or WinRM to connect to the resource.
    13  
    14  Terraform uses a number of defaults when connecting to a resource, but these can
    15  be overridden using a `connection` block in either a `resource` or
    16  `provisioner`. Any `connection` information provided in a `resource` will apply
    17  to all the provisioners, but it can be scoped to a single provisioner as well.
    18  One use case is to have an initial provisioner connect as the `root` user to
    19  setup user accounts, and have subsequent provisioners connect as a user with
    20  more limited permissions.
    21  
    22  ## Example usage
    23  
    24  ```hcl
    25  # Copies the file as the root user using SSH
    26  provisioner "file" {
    27    source      = "conf/myapp.conf"
    28    destination = "/etc/myapp.conf"
    29  
    30    connection {
    31      type     = "ssh"
    32      user     = "root"
    33      password = "${var.root_password}"
    34    }
    35  }
    36  
    37  # Copies the file as the Administrator user using WinRM
    38  provisioner "file" {
    39    source      = "conf/myapp.conf"
    40    destination = "C:/App/myapp.conf"
    41  
    42    connection {
    43      type     = "winrm"
    44      user     = "Administrator"
    45      password = "${var.admin_password}"
    46    }
    47  }
    48  ```
    49  
    50  ## Argument Reference
    51  
    52  **The following arguments are supported by all connection types:**
    53  
    54  * `type` - The connection type that should be used. Valid types are `ssh` and `winrm`
    55    Defaults to `ssh`.
    56  
    57  * `user` - The user that we should use for the connection. Defaults to `root` when
    58    using type `ssh` and defaults to `Administrator` when using type `winrm`.
    59  
    60  * `password` - The password we should use for the connection. In some cases this is
    61    specified by the provider.
    62  
    63  * `host` - The address of the resource to connect to. This is usually specified by the provider.
    64  
    65  * `port` - The port to connect to. Defaults to `22` when using type `ssh` and defaults
    66    to `5985` when using type `winrm`.
    67  
    68  * `timeout` - The timeout to wait for the connection to become available. This defaults
    69    to 5 minutes. Should be provided as a string like `30s` or `5m`.
    70  
    71  * `script_path` - The path used to copy scripts meant for remote execution.
    72  
    73  **Additional arguments only supported by the `ssh` connection type:**
    74  
    75  * `private_key` - The contents of an SSH key to use for the connection. These can
    76    be loaded from a file on disk using the [`file()` interpolation
    77    function](/docs/configuration/interpolation.html#file_path_). This takes
    78    preference over the password if provided.
    79  
    80  * `agent` - Set to `false` to disable using `ssh-agent` to authenticate. On Windows the
    81    only supported SSH authentication agent is
    82    [Pageant](http://the.earth.li/~sgtatham/putty/0.66/htmldoc/Chapter9.html#pageant).
    83  
    84  * `agent_identity` - The preferred identity from the ssh agent for authentication.
    85  
    86  * `host_key` - The public key from the remote host or the signing CA, used to
    87    verify the connection.
    88  
    89  **Additional arguments only supported by the `winrm` connection type:**
    90  
    91  * `https` - Set to `true` to connect using HTTPS instead of HTTP.
    92  
    93  * `insecure` - Set to `true` to not validate the HTTPS certificate chain.
    94  
    95  * `use_ntlm` - Set to `true` to use NTLM authentication, rather than default (basic authentication), removing the requirement for basic authentication to be enabled within the target guest. Further reading for remote connection authentication can be found [here](https://msdn.microsoft.com/en-us/library/aa384295(v=vs.85).aspx).
    96  
    97  * `cacert` - The CA certificate to validate against.
    98  
    99  <a id="bastion"></a>
   100  ## Connecting through a Bastion Host with SSH
   101  
   102  The `ssh` connection also supports the following fields to facilitate connnections via a
   103  [bastion host](https://en.wikipedia.org/wiki/Bastion_host).
   104  
   105  * `bastion_host` - Setting this enables the bastion Host connection. This host
   106    will be connected to first, and then the `host` connection will be made from there.
   107  
   108  * `bastion_host_key` - The public key from the remote host or the signing CA,
   109    used to verify the host connection.
   110  
   111  * `bastion_port` - The port to use connect to the bastion host. Defaults to the
   112    value of the `port` field.
   113  
   114  * `bastion_user` - The user for the connection to the bastion host. Defaults to
   115    the value of the `user` field.
   116  
   117  * `bastion_password` - The password we should use for the bastion host.
   118    Defaults to the value of the `password` field.
   119  
   120  * `bastion_private_key` - The contents of an SSH key file to use for the bastion
   121    host. These can be loaded from a file on disk using the [`file()`
   122    interpolation function](/docs/configuration/interpolation.html#file_path_).
   123    Defaults to the value of the `private_key` field.