I’m using terraform 0.14.6 with provider registry.terraform.io/hashicorp/aws v3.26.0.
I have set up a VPC with a bastion server on a public subnet, and two EC2 instances on a private subnet. I've set up a security group that allows me to ssh into the bastion server, and from there, into the EC2 instances. I can manually connect to the bastion and the EC2 instances no problem.
I have also created a SecretsManager secret to store the private key that allows ssh access into the bastion and EC2 instances. I read the secret string that contains the private key in a data block, to provide that private key to the EC2 resource's connection block. I've tried that particular secrets_version data block with arn and with name, and regardless, unfortunately, when I try to provision the EC2 instances I get the "Failed to read private key: no key found" error. At this point I'm simply trying to do the simplest remote-exec I can, to see if I can get the connection working.
Everything works except the provisioning. What might I be doing wrong?
My EC2 main.tf:
resource "aws_instance" "app" {
  count                  = var.instance_count
  ami                    = "ami-0885b1f6bd170450c"
  instance_type          = var.instance_type
  # The subnet already fixes the zone; this must agree with var.subnet_id.
  availability_zone      = data.aws_availability_zones.available.names[0]
  subnet_id              = var.subnet_id
  key_name               = var.key_name
  vpc_security_group_ids = var.security_group_ids

  # Provisioner connection: ssh to the private instance through the bastion,
  # using the private key read back from Secrets Manager.
  connection {
    type         = "ssh"
    user         = "ubuntu"
    bastion_host = var.bastion_host
    private_key  = data.aws_secretsmanager_secret_version.bastion.secret_string
    host         = self.private_dns
  }

  provisioner "remote-exec" {
    inline     = ["sudo bash"]
    on_failure = fail # the default: abort the apply if the command fails
  }
}

# Look the secret up by name, then read the value of its current version.
data "aws_secretsmanager_secret" "bastion" {
  name = "Bastion_private_key"
}

data "aws_secretsmanager_secret_version" "bastion" {
  secret_id = data.aws_secretsmanager_secret.bastion.id
}
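An added diagnostic, not part of the question above: Terraform's ssh connection hands private_key to Go's x/crypto/ssh, which reports "no key found" when encoding/pem cannot find a "-----BEGIN ...-----" / "-----END ...-----" block delimited by real newlines in the string. The Python below classifies a secret_string by the same rule and recovers the key from the two storage shapes that most often produce exactly that error: a key/value secret, which Secrets Manager stores as a JSON object, and a plaintext secret pasted with literal "\n" instead of newlines. The sample PEM is a constructed placeholder with an arbitrary base64 body, not a real key, and the JSON key name private_key is an assumption.

```python
import json
import re
from typing import Optional

# Approximates what Go's encoding/pem Decode requires before x/crypto/ssh
# can parse the key: a BEGIN line, base64 lines, and a matching END line,
# each terminated by a real newline.
PEM_BLOCK = re.compile(
    r"(?m)^-----BEGIN (?P<label>[A-Z0-9 ]+)-----\n"
    r"(?:[A-Za-z0-9+/=]+\n)+"
    r"-----END (?P=label)-----\n?"
)

# Constructed placeholder, not a real key: the body is arbitrary base64.
FAKE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5YWJjZGVmZ2hpamts\n"
    "bW5vcHFyc3R1dnd4eXo=\n"
    "-----END RSA PRIVATE KEY-----\n"
)
# What a key/value secret looks like when read as secret_string (assumed key name).
JSON_SECRET = json.dumps({"private_key": FAKE_PEM})
# What a plaintext secret looks like when the newlines were pasted as literal "\n".
ESCAPED_SECRET = FAKE_PEM.replace("\n", "\\n")


def has_pem_block(text: str) -> bool:
    """True when the text contains at least one well-formed PEM block."""
    return PEM_BLOCK.search(text) is not None


def diagnose(secret_string: str) -> str:
    """Say why Terraform would reject this value as private_key.

    Returns "ok", "json-wrapped", "escaped-newlines" or "no-pem-block".
    """
    if has_pem_block(secret_string):
        return "ok"
    if secret_string.lstrip().startswith("{"):
        try:
            json.loads(secret_string)
            return "json-wrapped"
        except json.JSONDecodeError:
            pass
    if "\\n" in secret_string and "-----BEGIN " in secret_string:
        return "escaped-newlines"
    return "no-pem-block"


def normalize_private_key(secret_string: str, json_key: Optional[str] = None) -> str:
    """Recover a usable PEM from a key/value (JSON) or escaped plaintext secret.

    With json_key=None a JSON secret must hold exactly one key. Raises
    ValueError when no PEM block can be recovered.
    """
    text = secret_string
    if text.lstrip().startswith("{"):
        obj = json.loads(text)
        if not isinstance(obj, dict):
            raise ValueError("secret is JSON but not an object")
        if json_key is None:
            if len(obj) != 1:
                raise ValueError(f"choose one of the JSON keys: {sorted(obj)}")
            (json_key,) = obj
        text = obj[json_key]
        if not isinstance(text, str):
            raise ValueError(f"JSON key {json_key!r} does not hold a string")
    # Undo literal "\n" escapes and make sure the END line is newline-terminated.
    text = text.replace("\\n", "\n").strip() + "\n"
    if not has_pem_block(text):
        raise ValueError("no PEM block found; check how the secret was stored")
    return text


if __name__ == "__main__":
    for name, value in [("plain", FAKE_PEM), ("json", JSON_SECRET),
                        ("escaped", ESCAPED_SECRET)]:
        print(f"{name}: {diagnose(value)}")
```

To see the exact bytes Terraform receives, print the raw value with `aws secretsmanager get-secret-value --secret-id Bastion_private_key --query SecretString --output text`. If the output is a JSON object, the corresponding Terraform expression is `jsondecode(data.aws_secretsmanager_secret_version.bastion.secret_string)["private_key"]` (with whatever key name you actually used). Note also that any value read through a data source, this private key included, is written to the Terraform state in plaintext, so the state backend needs the same protection as the secret itself.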