How to get cacert validation for terraform provisioners windows - windows

I am trying to deploy some packages on a Windows OS through Terraform 15.1, and the deployment succeeds when I use this in the provisioner's connection block:
connection {
  type     = "winrm"
  user     = "administrator"
  password = "########"
  timeout  = "3m"
  port     = 5986
  https    = true
  insecure = true
  host     = self.access_ip_v4
}
But my goal is that the connection from where we run the terraform command to the remote Windows machine should be encrypted. So I want to use something like:
connection {
  type     = "winrm"
  user     = "administrator"
  password = "########"
  timeout  = "3m"
  port     = 5986
  https    = true
  **insecure = false**
  **cacert   = <from where can I get this file or value?>**
  host     = self.access_ip_v4
}
Remember that through Terraform "user_data" I am using a PowerShell script which creates a self-signed certificate and opens the WinRM HTTPS firewall port for WinRM at the time the Windows instance is provisioned.
I don't have a complete idea of how to get this cacert for Windows.
Can someone please help me with this?

Related

How to make a SSH connection using pageant on terraform for provisioning files?

How to make an SSH connection via Pageant on Terraform? I'm trying to provision files with the file provisioner running over an SSH connection. According to the docs, on Windows the only supported SSH agent is Pageant, but they do not explain how to configure it.
https://www.terraform.io/docs/provisioners/connection.html
Even after adding the PuTTY directory to the PATH env var (which is included in GitExtensions), Terraform does not seem to detect it, and keeps failing to make the SSH connection.
Connecting via plink.exe works, so my SSH key is correctly added to Pageant.
plink core@<ip-address-of-host>
The file provisioner works when I pass the content of private_key directly like this, but that's not what I want.
connection {
  type        = "ssh"
  host        = aws_instance.instance.public_ip
  user        = "core"
  agent       = false
  private_key = file(var.private_key_path)
}
You have to set the agent parameter to true:
agent - Set to false to disable using ssh-agent to authenticate. On Windows the only supported SSH authentication agent is Pageant.
agent = true

run: open server: open service: listen tcp :8086: bind: address already in use on starting influxdb

I am setting up InfluxDB (InfluxDB shell version: v1.7.6). I have made changes in the configuration file, but when I start the service using the command, it gives me an error that port 8086 is already in use, and the graphite service does not start.
# Change this option to true to disable reporting.
reporting-disabled = false
hostname = ""
join = ""
# Bind address to use for the RPC service for backup and restore.
bind-address = ":8088"
###
### [meta]
###
### Controls the parameters for the Raft consensus group that stores metadata
### about the InfluxDB cluster.
###
[meta]
# Where the metadata/raft database is stored
dir = "/usr/local/var/influxdb/meta"
# Automatically create a default retention policy when creating a database.
retention-autocreate = true
# If log messages are printed for the meta service
logging-enabled = true
[[graphite]]
# Determines whether the graphite endpoint is enabled.
enabled = true
database = "jmeter"
retention-policy = ""
bind-address = ":2003"
protocol = "tcp"
consistency-level = "one"
Above is my InfluxDB configuration. I have restarted the service after the configuration changes.
Code is not needed for this
It is because another process is using port 8086. You can find the process using the following command:
netstat -a | grep 8086
If you have root permission:
lsof -i:8086
Identify the other process ID and kill it using
kill -9 <process id>
Or configure InfluxDB to use another port.
restarting influxdb helped me
sudo systemctl restart influxd.service
sudo systemctl restart influxdb.service

Traefik with Let's Encrypt trying to request certificate for localhost

I have Traefik (traefik:1.7.11-alpine) running in a Docker container with a number of services using Let's Encrypt to request certificates to secure them. This works like a charm.
I also have the Traefik web console enabled, but not exposed to the outside world. In other words, it is running on localhost. In the log file I see that Traefik is trying to request a certificate for localhost. Is this normal? Can I disable this?
This is the error message:
time="2019-05-27T07:03:45Z" level=error msg="Unable to obtain ACME certificate for domains \"localhost\" detected thanks to rule \"PathPrefixStrip:/traefik;Host:localhost\" : unable to generate a certificate for the domains [localhost]: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:malformed :: Error creating new order :: DNS name does not have enough labels, url: "
What I find strange about this is that the web console is running on 8080 and is not linked to the https entrypoint in any way. So I would imagine that Traefik would ignore it when determining which endpoints it needs to request certificates for.
This is the config I'm using:
logLevel = "DEBUG"
[traefikLog]
[accessLog]
[accessLog.filters]
statusCodes = ["0-600"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384"
]
[entryPoints.traefik]
address=":8080"
[entryPoints.traefik.auth]
[entryPoints.traefik.auth.basic]
users = ["admin:$apr1$HR4Hj/Zy$fPwTS8LMBqKPpzdzGkyTa/"]
[api]
entrypoint="traefik"
dashboard = true
debug = false
[docker]
watch = true
exposedbydefault = false
domain = "domain.com"
network = "web"
[acme]
email = "info@domain.com"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
[acme.httpChallenge]
entryPoint = "http"
Just documenting the solution here for anyone that runs into this problem. The Traefik Docker Compose examples have the label traefik.enable=true set, which causes Traefik to try and request a certificate for the service if you enable Let's Encrypt. Even for localhost :-( Setting the value to false solves the problem.

terraform build ec2 windows

I am trying to use Terraform to build a simple AWS EC2 instance running Windows Server 2016. I successfully build the EC2 Windows instance, but I can't connect to the server. How do I set the username and password after the server is built so I can RDP into it?
resource "aws_instance" "win2k" {
  ...
  ...
  ...
  // Test connectivity to newly built ec2
  connection {
    type     = "winrm"
    user     = "Administrator"
    password = "${var.admin_password}"
  }
  # Set local admin user/pass (the "@{...}" hashtables and the "winrm/config/service/auth" path are what winrm.cmd expects)
  user_data = <<EOF
<script>
winrm quickconfig -q & winrm set winrm/config @{MaxTimeoutms="1800000"} & winrm set winrm/config/service @{AllowUnencrypted="true"} & winrm set winrm/config/service/auth @{Basic="true"}
</script>
<powershell>
netsh advfirewall firewall add rule name="WinRM in" protocol=TCP dir=in profile=any localport=5985 remoteip=any localip=any action=allow
# Set Administrator password (ADSI path is "WinNT://./administrator,user" with no space after the comma)
$admin = [adsi]("WinNT://./administrator,user")
$admin.psbase.invoke("SetPassword", "${var.admin_password}")
</powershell>
EOF
}
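Neither of the two Terraform/WinRM questions on this page (the first one, asking where the `cacert` value for a self-signed WinRM certificate comes from, and this one, whose user_data sets AllowUnencrypted and Basic auth on port 5985) has an answer above, so the following is an added example written for this page; it is not code from either asker nor from Terraform itself. Two points it is meant to show: `insecure = true` does encrypt the WinRM session, but it skips verifying who is on the other end, so any host that answers on 5986 is accepted; and the Go TLS stack under Terraform's WinRM client, once `cacert` is set, checks the certificate against the value in `host`, so a self-signed certificate must carry that address as an IP SAN or the connection is refused even with the right `cacert`. Assumptions, all mine: Windows Server 2016 or later with Windows PowerShell 5.1, the address Terraform connects to is known when user_data runs (for example filled in with templatefile), and the file paths and function names below are chosen for the example.

```powershell
# Added example, not from either question above. Assumes Windows Server 2016+ with
# Windows PowerShell 5.1 and that Terraform connects to the address passed as -IpAddress.
# Part 1 runs on the instance (from the user_data <powershell> ... </powershell> block);
# part 2 runs on the machine that executes `terraform apply`.

function ConvertTo-PemCertificate {
    # DER bytes -> PEM text with 64-column lines (what the `cacert` argument takes).
    param([Parameter(Mandatory)][byte[]]$RawData)
    $b64 = [Convert]::ToBase64String($RawData)
    $lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
        $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
    }
    return "-----BEGIN CERTIFICATE-----`n" + ($lines -join "`n") + "`n-----END CERTIFICATE-----`n"
}

# --- Part 1: on the instance ---------------------------------------------------------
function Enable-WinRmHttps {
    param(
        # The address Terraform will put in `host`; it must be an IP SAN or verification fails.
        [Parameter(Mandatory)][string]$IpAddress,
        [string]$DnsName = $env:COMPUTERNAME,
        [string]$PemOutPath = 'C:\ProgramData\winrm-https.pem'   # assumed location
    )
    # Self-signed certificate whose SAN covers both the host name and the connect address.
    $san = "2.5.29.17={text}DNS=$DnsName&IPAddress=$IpAddress"
    $cert = New-SelfSignedCertificate -Subject "CN=$DnsName" -TextExtension @($san) `
        -CertStoreLocation 'Cert:\LocalMachine\My' -KeyAlgorithm RSA -KeyLength 2048 `
        -NotAfter (Get-Date).AddYears(1)

    # Bind the HTTPS listener on 5986 to that certificate, replacing any previous one.
    Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
        Remove-Item -Recurse
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
        -CertificateThumbprint $cert.Thumbprint -Force | Out-Null

    # Terraform's WinRM communicator authenticates with Basic; allow it, but only inside TLS.
    Set-Item WSMan:\localhost\Service\Auth\Basic -Value $true
    Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
    New-NetFirewallRule -DisplayName 'WinRM HTTPS (5986)' -Direction Inbound `
        -Protocol TCP -LocalPort 5986 -Action Allow | Out-Null

    # Public part only; this is what goes into `cacert`. The private key stays in the store.
    Set-Content -Path $PemOutPath -Value (ConvertTo-PemCertificate $cert.RawData) -Encoding Ascii
    return $cert.Thumbprint
}

# --- Part 2: on the Terraform host ---------------------------------------------------
function Get-WinRmServerCertificate {
    param(
        [Parameter(Mandatory)][string]$Address,
        [int]$Port = 5986,
        [string]$PemOutPath = '.\winrm-cacert.pem'   # assumed location
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($Address, $Port)
    try {
        # Accept whatever is presented *only* to read it; nothing is trusted at this point.
        $acceptAll = { param($s, $c, $ch, $e) $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Address)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
    Set-Content -Path $PemOutPath -Value (ConvertTo-PemCertificate $cert.RawData) -Encoding Ascii
    # Compare Thumbprint with the value Enable-WinRmHttps returned on the instance before
    # handing PemOutPath to Terraform; a mismatch means this is not the server you built.
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        PemPath    = (Resolve-Path $PemOutPath).Path
    }
}
```

Part 1 is what would replace the `winrm quickconfig` / `AllowUnencrypted="true"` lines in the EC2 question's user_data (the ADSI password line can stay next to it); part 2 is run once, after the instance is up, from the machine that runs Terraform, and the PEM it writes is what the first question's `cacert = ...` line should reference, for example `cacert = file("winrm-cacert.pem")` together with `insecure = false`. Fetching the certificate over the network this way is trust-on-first-use: the thumbprint check against the value recorded on the instance is what turns it into an actual authentication of the server, and from then on any host that does not hold that key is rejected instead of silently accepted as it is with `insecure = true`.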

How to set up telnet in AWS instance?

I got SSH working fine, but I am facing an issue connecting via telnet.
sudo yum -y install telnet
This works for me after logging in to the EC2 instance
SSH is recommended over telnet, as telnet is not encrypted and is by default not installed on Amazon instances.
However, if needed, the steps involved for Linux (Amazon Linux instance or CentOS) are:
Install the telnet daemon in the instance: install telnet-server using sudo yum install telnet-server. The telnet package is the client program, in case one wants to connect using a telnet client from the instance; it is not needed for this exercise.
Enable the telnet daemon service:
- By default the service is disabled in /etc/xinetd.d/telnet, The disable flag needs to be set to no.
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = yes
}
Post change it should look like below
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = no
}
Verify the configuration in case of any edit-related errors.
sudo chkconfig xinetd on
Bring up the telnet service:
Bring up the telnet daemon as root using sudo service xinetd restart command
Enable inbound telnet default port (23) on AWS Console:
In AWS Console EC2/Security Groups/<Your Security Group>/Inbound, set a rule
Type:Custom-TCP Rule
Protocol: TCP Range
Port Range: 23
Source: <As per your business requirement>
Test the telnet connection:
Test the telnet connection from any client enabled in the firewall.
>telnet ec2-XX-XX-XXX-XXX.region.compute.amazonaws.com.
Connected to ec2-XX-XX-XXX-XXX.region.compute.amazonaws.com.
Escape character is '^]'.
Password:
The steps(tools) will vary slightly for other linux variants.
PS: Referred http://aws-certification.blogspot.in/2016/01/install-and-setup-telnet-on-ec2-amazon.html, fixed few issues in the commands.
