Does Terraform Deal with “known_hosts” upon changing infrastructure? If so, how?
Terraform does not run the ssh
command line tool nor use OpenSSH
as a library. Instead, it uses an alternative SSH client implementation written in Go.
By default this SSH client does not do any host verification, and Terraform does not override this default. Thus it is not necessary to verify the host id as you would on the first connection with ssh
. This SSH client library does not consider the OpenSSH configuration files, so setting options there regarding host checking will have no effect.
Terraform repeatedly tries to connect to the remote host until either it succeeds or until it hits a timeout. There are two common causes for timeouts:
- The security group rules for the target instance to not permit connections on TCP port 22 from the host where Terraform is running. This can be addressed by adding a new
ingress
rule to one of the instance's security groups. - Terraform is attempting to use the public IP address when the security groups expect private, or vice-versa. The
connection
block can be used to tell Terraform how to connect. For the public IP address use${self.public_ip}
, or for the private IP address use${self.private_ip}
, wherepublic_ip
andprivate_ip
are both attributes of theaws_instance
resource type.
Note that when Terraform connects to an instance's public IP address the security group must permit SSH connections from the public IP address of the host where Terraform is running (which might actually be the address of a NAT gateway) while for connecting to the private IP address the security group must permit either the private IP of the Terraform host (assuming it's running on an EC2 instance) or of the VPN gateway that is being used to tunnel to the private IP address from outside of EC2.
Most probable it is using the following ssh option:
-o 'StrictHostKeyChecking no'
Is the way to bypass the check. I would add it as a comment more than an answer, but I just can't