Terraform: how to SSH into an AWS EC2 instance?
This blog post will help you understand how to SSH into an AWS EC2 instance created with Terraform. Quite often you write a Terraform script that sets up an EC2 instance, but once the instance is running you cannot SSH into it.
When you work on a cloud provider (AWS, Google Cloud) you are not given a password for the root user. Authentication uses an SSH key pair (public key, private key): the public key is registered with the instance when it is launched, and after successful authentication you log in to your EC2 machine with the matching private key.
In this blog post, we will go through the following steps -
- Generate a key pair (public key, private key) using ssh-keygen
- Use the public key to start the EC2 instance
- Use the private key to SSH into the EC2 instance
- Generate a .pem file from the AWS console and use that file to SSH into EC2
(*Note - In the first 3 steps we generate the SSH key pair manually; in the 4th step we generate the key pair from the AWS console. If you do not want to generate the SSH keys manually, refer to the blog post on how to use Terraform's tls_private_key resource to generate and upload the private and public key for AWS.)
1. Generate the key pair (public key, private key) using ssh-keygen
1.1 Generate the public key and private key
Before you start with the AWS console and the Terraform script, we first need to generate the key pair (public key, private key) using ssh-keygen.
Later we will register the public key with AWS (that is what the EC2 instance receives) and keep the private key on our own machine to log in with.
Let us generate the key pair using the following command -
ssh-keygen -t rsa -b 2048
(2048 bits is the minimum RSA size you should use. ssh-keygen -t ed25519 produces a smaller and faster key, and AWS accepts ED25519 key pairs for Linux instances, so prefer it where your tooling allows. If you set a passphrase, keep in mind that Terraform's connection block cannot prompt for one: a key used by the remote-exec provisioner has to stay unencrypted or be loaded into ssh-agent and used with agent = true.)
By default, the above command stores the private key at ~/.ssh/id_rsa and the public key next to it as id_rsa.pub (the prompt below shows that default path). You can override the destination with a custom path; I used /home/rahul/Jhooq/keys/aws followed by my key name, i.e. aws_key.
Here is the output from my terminal -
Generating public/private RSA key pair.
Enter file in which to save the key (/home/rahul/.ssh/id_rsa): /home/rahul/Jhooq/keys/aws/aws_key
Enter passphrase (empty for no passphrase):
Enter the same passphrase again:
Your identification has been saved in /home/rahul/Jhooq/keys/aws/aws_key
Your public key has been saved in /home/rahul/Jhooq/keys/aws/aws_key.pub
The key fingerprint is:
SHA256:sAOjXyvJc2gnMrvxXA+qiaU9pUEvwl5ZG9Y2kZqRf5M rahul@rahul-HP-ZBook-15-G2
The key's randomart image is:
+---[RSA 2048]----+
| . . |
| o o |
| o B . . |
| .. O B E |
|....+ B S . |
|..o=o= o |
|..*=X * |
| *oX O o |
|o *++ . |
+----[SHA256]-----+
1.2 Verify the generated public key and private key
In the previous step we generated the key pair that we are going to use for provisioning the EC2 instance. Let us take a look at the two key files.
If you remember, we generated the keys under /home/rahul/Jhooq/keys/aws, so we should see two files there -
- aws_key (private key)
- aws_key.pub (public key)
We are going to use the public key aws_key.pub inside the Terraform file to provision/start the EC2 instance; the private key stays on your machine.
1.2.1 public key aws_key.pub
Here is the content of the public key aws_key.pub (you can open the file in any editor of your choice) -
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDbvRN/gvQBhFe+dE8p3Q865T/xTKgjqTjj56p1IIKbq8SDyOybE8ia0rMPcBLAKds+wjePIYpTtRxT9UsUbZJTgF+SGSG2dC6+ohCQpi6F3xM7ryL9fy3BNCT5aPrwbR862jcOIfv7R1xVfH8OS0WZa8DpVy5kTeutsuH5FMAmEgba4KhYLTzIdhM7UKJvNoUMRBaxAqIAThqH9Vt/iR1WpXgazoPw6dyPssa7ye6tUPRipmPTZukfpxcPlsqytXWlXm7R89xAY9OXkdPPVsrQA0XFQnY8aFb9XaZP8cm7EOVRdxMsA1DyWMVZOTjhBwCHfEIGoePAS3jFMqQjGWQd rahul@rahul-HP-ZBook-15-G2
1.2.2 private key aws_key
Here is what the private key aws_key looks like (you can open the file in any editor of your choice). Only the envelope is reproduced: the private key must never be posted, shared or committed to a repository, and its file mode has to stay 0600 or 0400 or ssh will refuse to use it -
-----BEGIN OPENSSH PRIVATE KEY-----
(key material omitted)
-----END OPENSSH PRIVATE KEY-----
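Before the public key goes into Terraform it is worth checking that the line you copied is intact, because a mangled or wrong public key only shows up later as "Permission denied (publickey)". The following is an added example written for this edit, not code from the post: with only the Python standard library it parses the aws_key.pub shown above (the key string is copied from the post), checks the declared key type against the type inside the blob, reports the RSA modulus size and computes the same SHA256 fingerprint that ssh-keygen printed in step 1.1, so the two values can be compared. The copy with one altered character used for the comparison is constructed for the example.

```python
"""Inspect an OpenSSH public key the way `ssh-keygen -lf` does before it is
registered with aws_key_pair. Added example for this post, not the author's
code; only the Python standard library is used."""
import base64
import hashlib
import struct

# aws_key.pub exactly as shown in step 1.2.1 (copied from the post).
AWS_KEY_PUB = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDbvRN/gvQBhFe+dE8p3Q865T/xTKgjqTjj56p1IIKbq8SDyOybE8ia0rMPcBLAKds+wjePIYpTtRxT9UsUbZJTgF+SGSG2dC6+ohCQpi6F3xM7ryL9fy3BNCT5aPrwbR862jcOIfv7R1xVfH8OS0WZa8DpVy5kTeutsuH5FMAmEgba4KhYLTzIdhM7UKJvNoUMRBaxAqIAThqH9Vt/iR1WpXgazoPw6dyPssa7ye6tUPRipmPTZukfpxcPlsqytXWlXm7R89xAY9OXkdPPVsrQA0XFQnY8aFb9XaZP8cm7EOVRdxMsA1DyWMVZOTjhBwCHfEIGoePAS3jFMqQjGWQd rahul@rahul-HP-ZBook-15-G2"


def split_ssh_strings(blob):
    """Split an SSH wire-format buffer into its length-prefixed strings (RFC 4251)."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("field runs past the end of the buffer")
        fields.append(blob[off:off + n])
        off += n
    return fields


def parse_public_key(line):
    """Validate a one-line OpenSSH public key ('<type> <base64> [comment]') and describe it."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, blob_b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(blob_b64, validate=True)  # rejects a mangled paste
    fields = split_ssh_strings(blob)
    if not fields or fields[0] != key_type.encode("ascii"):
        raise ValueError("type inside the blob does not match the '%s' prefix" % key_type)
    digest = hashlib.sha256(blob).digest()
    info = {
        "type": key_type,
        "comment": comment,
        # identical to what `ssh-keygen -lf aws_key.pub` prints, so it can be
        # compared with the fingerprint shown when the key was generated
        "fingerprint": "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("="),
    }
    if key_type == "ssh-rsa":
        # ssh-rsa wire format: string "ssh-rsa", mpint e, mpint n (RFC 4253)
        info["exponent"] = int.from_bytes(fields[1], "big")
        info["bits"] = int.from_bytes(fields[2], "big").bit_length()
    return info


def is_valid_public_key(line):
    """True when the line parses as an OpenSSH public key."""
    try:
        parse_public_key(line)
        return True
    except ValueError:  # binascii.Error from a bad base64 blob is a ValueError too
        return False


def same_key(pub_a, pub_b):
    """True when the key material matches; the trailing comment is ignored."""
    return parse_public_key(pub_a)["fingerprint"] == parse_public_key(pub_b)["fingerprint"]


if __name__ == "__main__":
    for name, value in parse_public_key(AWS_KEY_PUB).items():
        print("%-12s %s" % (name, value))
```

Compare the fingerprint this prints with the one ssh-keygen reported in step 1.1 (or with ssh-keygen -lf aws_key.pub): if the string you intend to paste into main.tf gives a different fingerprint, it is not the key you generated, and every ssh attempt will fail with "Permission denied (publickey)".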
2. Use the public key to start the EC2 instance
Now that we have the public key and the private key, let us write the Terraform configuration using the public key, i.e. aws_key.pub.
(*Note - If this is your first time with Terraform, I recommend you first go through the articles on how to install Terraform and how to create an EC2 instance on AWS.)
Here is the main.tf -
provider "aws" {
  region = "eu-central-1"
  # Do not put access_key / secret_key in this file: it ends up in Git and in
  # the state. Let the provider read AWS_PROFILE, AWS_ACCESS_KEY_ID /
  # AWS_SECRET_ACCESS_KEY or ~/.aws/credentials instead.
}

resource "aws_key_pair" "deployer" {
  key_name = "aws_key"
  # Read the public key generated in step 1 from disk instead of pasting the
  # string, so the key registered with AWS cannot differ from aws_key.pub.
  public_key = file("/home/rahul/Jhooq/keys/aws/aws_key.pub")
}

resource "aws_instance" "ec2_example" {
  ami           = "ami-0767046d1677be5a0"
  instance_type = "t2.micro"
  # Reference the resource instead of the literal "aws_key": the reference is
  # the dependency that makes Terraform create the key pair before the
  # instance. With the literal string there is no dependency, and the launch
  # can fail with InvalidKeyPair.NotFound.
  key_name               = aws_key_pair.deployer.key_name
  vpc_security_group_ids = [aws_security_group.main.id]

  provisioner "remote-exec" {
    inline = [
      "touch hello.txt",
      "echo helloworld remote provisioner >> hello.txt",
    ]
  }

  connection {
    type = "ssh"
    host = self.public_ip
    # login user of the AMI: ubuntu for Ubuntu images, ec2-user for Amazon Linux
    user = "ubuntu"
    # the private half of the key pair; Terraform cannot prompt for a passphrase
    private_key = file("/home/rahul/Jhooq/keys/aws/aws_key")
    timeout     = "4m"
  }
}

resource "aws_security_group" "main" {
  egress {
    description = "allow all outbound traffic"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description = "SSH"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    # 0.0.0.0/0 opens SSH to the whole internet. Restrict it to your own
    # address, for example ["203.0.113.10/32"] (placeholder address).
    cidr_blocks = ["0.0.0.0/0"]
  }
}
Run terraform init once, verify the configuration with terraform plan, and then apply it with terraform apply.
After applying the configuration you can verify the instance in the AWS console -
3. Use the private key 'aws_key' to SSH into the EC2 instance
In the previous step we started the EC2 instance; now we connect to it with the private key.
You can copy the connect command from the AWS console (select the instance, click Connect, then SSH client) -
Here is the SSH connect command for your reference (the console shows the private key with a .pem extension; since we created our private key with the name aws_key, drop the .pem extension) -
ssh -i "aws_key" ubuntu@ec2-18-185-22-181.eu-central-1.compute.amazonaws.com
If ssh answers "Permission denied (publickey)", the usual causes are a login user that does not match the AMI (ubuntu for Ubuntu images, ec2-user for Amazon Linux) or a private key that does not belong to the public key registered in aws_key_pair. If it answers "UNPROTECTED PRIVATE KEY FILE!", run chmod 400 aws_key first; ssh refuses a private key that other users can read.
4. Generate a .pem file from the AWS console and use it to SSH into EC2
In this step we let AWS's key pair utility generate the keys for us.
Log in to your AWS console and type "key pair" in the search bar.
Click on Create key pair.
Supply the key name (aws_key) and choose the private key format .pem.
When you click Create key pair the private key is downloaded once; save it somewhere on your disk, because AWS keeps only the public half and cannot give you the private key again.
Now you can use this key pair by specifying its name inside your Terraform file.
Here is an example Terraform script -
provider "aws" {
  region = "eu-central-1"
  # Never hard-code access_key / secret_key here; the file ends up in Git.
  # Use AWS_PROFILE, AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY or
  # ~/.aws/credentials instead.
}

resource "aws_instance" "ec2_example" {
  ami           = "ami-0767046d1677be5a0"
  instance_type = "t2.micro"
  # the name given to the key pair in the AWS console (the key pair name,
  # not the file name aws_key.pem)
  key_name               = "aws_key"
  vpc_security_group_ids = [aws_security_group.main.id]
}

resource "aws_security_group" "main" {
  egress {
    description = "allow all outbound traffic"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description = "SSH"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    # 0.0.0.0/0 opens SSH to the whole internet; restrict it to your own
    # address, for example ["203.0.113.10/32"] (placeholder address).
    cidr_blocks = ["0.0.0.0/0"]
  }
}
A few points to pay attention to -
- You need to open port 22 for SSH
- To open port 22 you create a security group and attach it to the aws_instance
Apply the Terraform configuration by running the following commands in this sequence -
- terraform init
- terraform plan
- terraform apply
4.1 Verify the EC2 instance
After provisioning/starting the EC2 instance, we need to verify two things -
- the EC2 instance is in the running state
- we can SSH into the EC2 instance using the aws_key.pem key
1. Verify the EC2 instance running state
Go to your AWS console and look at the EC2 dashboard; if the instance started successfully it is listed there in the running state -
2. SSH into the EC2 instance using the aws_key.pem key
So far we have created the key and started the EC2 instance, which is up and running.
Now we need to ssh into the instance to verify that the key we generated works.
First go to the AWS console, select the EC2 instance we created and click Connect.
You will be offered different ways to connect -
- EC2 Instance Connect
- Session Manager
- SSH Client
- EC2 Serial Console
We are going to choose SSH Client.
Open your terminal and go to the location where you saved the aws_key.pem file, because we need that private key to connect to the EC2 instance.
Run the following command to restrict the file's permissions (ssh refuses a private key that other users can read) -
chmod 400 aws_key.pem
Now use the following command to connect to the EC2 instance -
ssh -i "aws_key.pem" ubuntu@ec2-52-58-111-83.eu-central-1.compute.amazonaws.com
After a successful SSH connection you are dropped into a shell on the instance.
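The two things that most often break the ssh step, the private key file being readable by others (the chmod 400 above) and the private key not belonging to the public key registered in step 2, can both be checked offline before you run ssh or terraform apply. The following is an added example written for this edit, not code from the post, using only the Python standard library. It reads the public half that the OpenSSH private key format stores in clear (even when the key has a passphrase) and compares its fingerprint with aws_key.pub, checks the file mode, and flags a passphrase-protected key, which Terraform's connection block cannot use. The public key is the aws_key.pub from step 1.2.1; because the real private key is rightly not published, the demo wraps that public key in a constructed openssh-key-v1 envelope with a dummy private section, and a copy of the public key with one altered character stands in for a mispasted key. For .pem keys from the console (PEM format, no embedded public key) the match check is delegated to ssh-keygen -y -f.

```python
"""Pre-flight checks for the private key handed to `ssh -i` and to Terraform's
connection block. Added example for this post, not the author's code; only
the Python standard library is used."""
import base64
import hashlib
import os
import stat
import struct
import tempfile

# aws_key.pub from step 1.2.1 (copied from the post).
AWS_KEY_PUB = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDbvRN/gvQBhFe+dE8p3Q865T/xTKgjqTjj56p1IIKbq8SDyOybE8ia0rMPcBLAKds+wjePIYpTtRxT9UsUbZJTgF+SGSG2dC6+ohCQpi6F3xM7ryL9fy3BNCT5aPrwbR862jcOIfv7R1xVfH8OS0WZa8DpVy5kTeutsuH5FMAmEgba4KhYLTzIdhM7UKJvNoUMRBaxAqIAThqH9Vt/iR1WpXgazoPw6dyPssa7ye6tUPRipmPTZukfpxcPlsqytXWlXm7R89xAY9OXkdPPVsrQA0XFQnY8aFb9XaZP8cm7EOVRdxMsA1DyWMVZOTjhBwCHfEIGoePAS3jFMqQjGWQd rahul@rahul-HP-ZBook-15-G2"

MODE_MSG = "private key file is group- or world-accessible; run chmod 400 on it"
MISMATCH_MSG = "private key does not match aws_key.pub (the key registered in aws_key_pair)"
PASSPHRASE_MSG = "private key is passphrase-protected; Terraform's connection block cannot prompt for it"
OPENSSH_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_END = "-----END OPENSSH PRIVATE KEY-----"


def fingerprint(blob):
    """SHA256 fingerprint in the format `ssh-keygen -lf` prints."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii").rstrip("=")


def public_blob_from_private_key(path):
    """Return (public key blob, cipher name) from an OpenSSH-format private key.
    The public half is stored in clear in this format, passphrase or not."""
    with open(path, "rb") as fh:
        lines = fh.read().decode("ascii").strip().splitlines()
    if lines[0] != OPENSSH_BEGIN or lines[-1] != OPENSSH_END:
        raise ValueError("not an OpenSSH-format private key")
    data = base64.b64decode("".join(lines[1:-1]), validate=True)
    magic = b"openssh-key-v1\x00"
    if not data.startswith(magic):
        raise ValueError("bad magic")
    off = len(magic)

    def take():  # next length-prefixed string (RFC 4251)
        nonlocal off
        (n,) = struct.unpack(">I", data[off:off + 4])
        off += 4
        field = data[off:off + n]
        off += n
        return field

    cipher, _kdf, _kdfopts = take(), take(), take()
    (nkeys,) = struct.unpack(">I", data[off:off + 4])
    off += 4
    if nkeys != 1:
        raise ValueError("expected exactly one key in the file")
    return take(), cipher.decode("ascii")


def key_file_mode_ok(path):
    """ssh refuses a private key readable by group or others (UNPROTECTED PRIVATE KEY FILE)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def preflight(private_key_path, public_key_line):
    """List the problems that would make `ssh -i` or the remote-exec provisioner fail."""
    problems = []
    if not key_file_mode_ok(private_key_path):
        problems.append(MODE_MSG)
    try:
        pub_from_priv, cipher = public_blob_from_private_key(private_key_path)
    except ValueError as exc:
        # .pem keys from the console are PEM; ssh-keygen -y -f prints their public key
        problems.append("cannot inspect %s offline (%s); run: ssh-keygen -y -f %s"
                        % (private_key_path, exc, private_key_path))
        return problems
    if fingerprint(pub_from_priv) != fingerprint(base64.b64decode(public_key_line.split()[1])):
        problems.append(MISMATCH_MSG)
    if cipher != "none":
        problems.append(PASSPHRASE_MSG)
    return problems


def write_demo_private_key(path, public_key_line, cipher="none"):
    """CONSTRUCTED for this example: a minimal openssh-key-v1 envelope around the
    post's public key with dummy bytes where the private section would be. It
    exercises the checks above but is useless for ssh."""
    pub = base64.b64decode(public_key_line.split()[1])

    def s(b):
        return struct.pack(">I", len(b)) + b

    kdf = b"none" if cipher == "none" else b"bcrypt"
    body = (b"openssh-key-v1\x00" + s(cipher.encode("ascii")) + s(kdf) + s(b"")
            + struct.pack(">I", 1) + s(pub) + s(b"\x00" * 16))
    b64 = base64.b64encode(body).decode("ascii")
    with open(path, "w") as fh:
        fh.write(OPENSSH_BEGIN + "\n")
        fh.write("\n".join(b64[i:i + 70] for i in range(0, len(b64), 70)) + "\n")
        fh.write(OPENSSH_END + "\n")
    os.chmod(path, 0o644)  # deliberately too open, as a freshly copied key often is


def demo():
    """Run the checks against constructed key files; returns what each run reported."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "aws_key")
    write_demo_private_key(path, AWS_KEY_PUB)
    results = {"before_chmod": preflight(path, AWS_KEY_PUB)}
    os.chmod(path, 0o400)
    results["after_chmod"] = preflight(path, AWS_KEY_PUB)
    # constructed: one character of the modulus changed, as if the wrong key were pasted into main.tf
    results["wrong_pub"] = preflight(path, AWS_KEY_PUB.replace("FMAmEgba4", "FMAmEhba4"))
    enc = os.path.join(tmp, "aws_key_with_passphrase")
    write_demo_private_key(enc, AWS_KEY_PUB, cipher="aes256-ctr")
    os.chmod(enc, 0o400)
    results["encrypted"] = preflight(enc, AWS_KEY_PUB)
    return results


if __name__ == "__main__":
    for name, found in demo().items():
        print(name, found or "ok")
```

Point preflight() at your real aws_key and aws_key.pub before running terraform apply; an empty list means the key file will be accepted by ssh and is the one whose public half Terraform uploads.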
Hope this blog post helps you solve the issue "Can't SSH into EC2 instance created with Terraform".