Does Terraform Deal with “known_hosts” upon changing infrastructure? If so, how?

Terraform does not run the ssh command line tool nor use OpenSSH as a library. Instead, it uses an alternative SSH client implementation written in Go.

By default this SSH client does not do any host verification, and Terraform does not override this default. Thus it is not necessary to verify the host id as you would on the first connection with ssh. This SSH client library does not consider the OpenSSH configuration files, so setting options there regarding host checking will have no effect.

Terraform repeatedly tries to connect to the remote host until either it succeeds or until it hits a timeout. There are two common causes for timeouts:

  • The security group rules for the target instance do not permit connections on TCP port 22 from the host where Terraform is running. This can be addressed by adding a new ingress rule to one of the instance's security groups.
  • Terraform is attempting to use the public IP address when the security groups expect private, or vice-versa. The connection block can be used to tell Terraform how to connect. For the public IP address use ${self.public_ip}, or for the private IP address use ${self.private_ip}, where public_ip and private_ip are both attributes of the aws_instance resource type.

Note that when Terraform connects to an instance's public IP address the security group must permit SSH connections from the public IP address of the host where Terraform is running (which might actually be the address of a NAT gateway) while for connecting to the private IP address the security group must permit either the private IP of the Terraform host (assuming it's running on an EC2 instance) or of the VPN gateway that is being used to tunnel to the private IP address from outside of EC2.
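A concrete connection block with a matching security group rule for the case described above, added here as an example rather than taken from the answer. It uses Terraform 0.12+ syntax and assumes an existing aws_vpc.main, aws_subnet.public and a key pair named deployer; the CIDR, AMI and key path are placeholders.

```hcl
# Added example, not the original answer's code. Placeholder values are marked.
variable "terraform_host_cidr" {
  description = "Public IP of the machine running Terraform (or its NAT gateway), as a /32"
  default     = "203.0.113.10/32" # placeholder, replace with the real address
}

resource "aws_security_group" "ssh_from_terraform" {
  name   = "ssh-from-terraform-host"
  vpc_id = aws_vpc.main.id # assumed to exist

  # Permit TCP/22 only from the Terraform host, not from 0.0.0.0/0.
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.terraform_host_cidr]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "web" {
  ami                         = "ami-0123456789abcdef0" # placeholder
  instance_type               = "t3.micro"
  key_name                    = "deployer"              # assumed key pair
  subnet_id                   = aws_subnet.public.id    # assumed to exist
  associate_public_ip_address = true
  vpc_security_group_ids      = [aws_security_group.ssh_from_terraform.id]

  connection {
    type        = "ssh"
    user        = "ec2-user"
    host        = self.public_ip # use self.private_ip when reaching it via VPN
    private_key = file("~/.ssh/deployer.pem") # placeholder path
    # Terraform's Go SSH client does not read ~/.ssh/known_hosts. Newer releases
    # accept host_key to pin the server's public key; the value must be obtained
    # out of band (e.g. from the instance console output). Uncomment to use it:
    # host_key = file("web_host_key.pub")
  }

  provisioner "remote-exec" {
    inline = ["sudo yum -y update"]
  }
}
```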


Most probably it is using the following ssh option:

-o 'StrictHostKeyChecking no'

This is the way to bypass the check. I would add it as a comment more than an answer, but I just can't