
I am creating an Azure Linux VM using Terraform through GitHub Actions. Once the VM gets created, I am using the outputs.tf file to get the keys, FQDN, IP address and user name, storing them in environment variables. Then I am trying to use these variables to SSH into the server in order to run remote commands on it. Here is my code:

```yaml
name: 'Terraform'

on:
  push:
    branches:
    - "development"
    paths:
     - 'Infrastructure/**'
  pull_request:

permissions:
  contents: read

jobs:
  terraform:
    name: 'Terraform'
    runs-on: ubuntu-latest
    defaults:
      run:
        shell: bash
    env:
      ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
      ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
      ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
      ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
      ARM_ACCESS_KEY: ${{ secrets.ARM_ACCESS_KEY }}

    steps:
    # Checkout the repository to the GitHub Actions runner
    - name: Checkout
      uses: actions/checkout@v3
      with:
        repository: 'myrepo/ModernDelivery'
        ref: 'development'

    # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
    - name: Terraform Create Infrastructure
      working-directory: ./Infrastructure
      run: |
        terraform init
        terraform validate
        terraform plan -out "infra.tfplan"
        terraform apply "infra.tfplan"
        echo "SSH_USER=$(terraform output -raw linuxsrvusername | sed 's/\s*=\s*/=/g' | xargs)" >> $GITHUB_ENV
        echo "SSH_KEY=$(terraform output -raw tls_public_key | sed 's/\s*=\s*/=/g' | xargs)" >> $GITHUB_ENV
        echo "SSH_HOST=$(terraform output -raw linuxsrvpublicip | sed 's/\s*=\s*/=/g' | xargs)" >> $GITHUB_ENV
        echo "SSH_FQDN=$(terraform output -raw linuxsrvfqdn | sed 's/\s*=\s*/=/g' | xargs)" >> $GITHUB_ENV
        echo $SSH_USER
        echo $SSH_KEY
        echo $SSH_HOST
        echo $SSH_FQDN

    - name: Configure SSH and login
      shell: bash
      env:
        SSH_USER: ${{ env.SSH_USER }}
        SSH_KEY: ${{ env.SSH_KEY }}
        SSH_HOST: ${{ env.SSH_HOST }}
        SSH_FQDN: ${{ env.SSH_FQDN }}
      run: |
        sudo -i
        cd /home/runner
        sudo hostname $SSH_HOST
        mkdir -p /home/runner/ssh
        mv ssh .ssh
        echo "$SSH_KEY" > /home/runner/.ssh/authorized_keys
        chmod 0600 /home/runner/.ssh/authorized_keys
        cat >>/home/runner/.ssh/config <<END
        Host chefssh
          HostName $SSH_HOST
          User $SSH_USER
          IdentityFile /home/runner/.ssh/authorized_keys
          PubKeyAuthentication yes
          StrictHostKeyChecking no
        END
        ssh chefssh -t sudo -- "sh -c 'sudo apt-get update && sudo apt-get upgrade -y'"
```

I am getting the below error when GitHub Actions runs:

```text
Run sudo -i
Pseudo-terminal will not be allocated because stdin is not a terminal.
Warning: Permanently added '111.222.333.444' (ECDSA) to the list of known hosts.
Load key "/home/runner/.ssh/authorized_keys": invalid format
pha_xDuW3lc@111.222.333.444: Permission denied (publickey).
Error: Process completed with exit code 255.
```

This seems to tell me that the key passed in authorized_keys is not valid, which brings me to the question: which key is required? With Terraform I have 4 keys which can be generated:

  1. private_key_openssh - this is private key data in OpenSSH PEM format
  2. private_key_pem - this is private key data in PEM (RFC 1421) format
  3. public_key_openssh - the public key data in "Authorized Keys" format
  4. public_key_pem - this is public key data in PEM (RFC 1421) format

Which among the 4 needs to be in authorized_keys? Also, do any other keys need to be added under the .ssh folder?

RAnand
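An added example, not code from the question or the answer, showing which of the four Terraform outputs goes where on the runner side: public_key_openssh is what belongs in authorized_keys on the VM (Terraform installs it there when the VM is created), while the OpenSSH private key is what IdentityFile must point at, which is exactly the "invalid format" failure above. The function names, the `id_terraform` file name and the constructed key strings are mine; it assumes the VM's host key line is obtained out of band (e.g. from boot diagnostics) so the config can pin it instead of `StrictHostKeyChecking no`.

```shell
#!/usr/bin/env bash
# Added example, not code from the question or the answer. It maps the
# tls_private_key outputs to where ssh actually expects them:
#   public_key_openssh  -> authorized_keys on the VM (Terraform installs it)
#   private_key_openssh -> IdentityFile on the runner, mode 0600, never echoed
# Assumes POSIX sh/find; the VM's host key line is obtained out of band
# (e.g. from the VM's boot diagnostics) rather than StrictHostKeyChecking no.
set -eu

# Tell a private key apart from a public one by its first line.
# Prints "private" or "public"; prints "unknown" and returns 1 otherwise.
key_kind() {
  case "$1" in
    "-----BEGIN "*"PRIVATE KEY-----"*) echo private ;;
    "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) echo public ;;
    *) echo unknown; return 1 ;;
  esac
}

# A multi-line value (a PEM private key) needs the heredoc form of GITHUB_ENV;
# the "NAME=$(terraform output -raw ...)" form in the question breaks on it.
# $1 = name, $2 = value, $3 = path of the env file ($GITHUB_ENV)
gh_env_multiline() {
  { echo "$1<<__TF_EOF__"; printf '%s\n' "$2"; echo "__TF_EOF__"; } >> "$3"
}

# Write the runner-side identity plus a pinned ssh config.
# $1 = ssh dir, $2 = private key text, $3 = user, $4 = host,
# $5 = known_hosts line for the host ("<host> <keytype> <base64 key>")
install_ssh_identity() {
  local dir=$1 key=$2 user=$3 host=$4 hostkey=$5
  [ "$(key_kind "$key")" = private ] ||
    { echo "IdentityFile needs the PRIVATE key, got: $(key_kind "$key")" >&2; return 1; }
  mkdir -p "$dir"; chmod 700 "$dir"
  umask 077                       # files created below come out as 0600
  printf '%s\n' "$key" > "$dir/id_terraform"
  printf '%s\n' "$hostkey" > "$dir/known_hosts"
  cat > "$dir/config" <<EOF
Host chefssh
  HostName $host
  User $user
  IdentityFile $dir/id_terraform
  IdentitiesOnly yes
  UserKnownHostsFile $dir/known_hosts
  StrictHostKeyChecking yes
EOF
}
```

In the workflow, `echo "::add-mask::$SSH_KEY"` before the key is used keeps it out of the job log, unlike the `echo $SSH_KEY` lines in the question.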

1 Answer

An `ssh testhost -tt` would use the /home/current-user/.ssh/config file, which differs from `sudo cat >>~/.ssh/config`.

If your sudo commands are done with the user root, the config file modified would be /home/root/.ssh/config.
That would explain your error message, where the right config file is not found, and the entry `Host testhost` is not found.

Instead of using ~, try and use the full path, or at least echo $HOME to make sure you are using the expected path.

VonC
  • `~` is expanded by the shell to the current user’s home directory. It being used as an argument to `sudo` or the target of a redirection of the output of `sudo` won’t change whose home directory it expands to. – Biffen Sep 30 '22 at 08:14
  • @Biffen I agree. I just prefer to be explicit in this case. – VonC Sep 30 '22 at 08:33
  • I debugged this further and noticed that the mkdir command did not work. I listed echo $HOME which gave me /home/runner. I then listed $PWD which gave me /home/runner/work/TSOModernDelivery/TSOModernDelivery. I then gave the command mkdir -p /home/runner/work/TSOModernDelivery/TSOModernDelivery/.ssh/, but the .ssh folder was not created. I tried cd /home/runner and it gives me "cd command not found" (so mkdir and cd commands are not working). – RAnand Sep 30 '22 at 14:48
  • 1
    @RAnand A `.ssh` folder should be in `/home/runner`, not in a subfolder. And with the [right permissions - `chmod`](https://stackoverflow.com/a/71615271/6309) – VonC Sep 30 '22 at 15:43
  • @VonC I navigated to the /home/runner directory and did a dir and it gives factory perflog runners warmup work. There is no .ssh folder. Also I changed the /home/runner directory permissions to 777 and then did a dir. Same result, no .ssh folder. – RAnand Sep 30 '22 at 16:22
  • @RAnand Note that chmod 777 would make any `.ssh` subfolder inoperable. Any parent folder of a .ssh with write access for "all" would trigger a "Permissions are too open" error message. – VonC Sep 30 '22 at 18:05
  • @VonC - kindly see the edited post. I was able to move ahead but am getting stuck with keys. Any idea which key needs to go where? – RAnand Sep 30 '22 at 19:39
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/248487/discussion-between-vonc-and-ranand). – VonC Sep 30 '22 at 20:24