action #121222


coordination #127040: [epic] Scale out: Easier and automated disaster recovery deployments of openQA

action #118660: Basic terraform recipe to replace OSD w/ workers (in the cloud) size:M

Add ssh support to terraform recipe size:M

Added by robert.richardson over 1 year ago. Updated over 1 year ago.

Feature requests
Target version:
Start date:
Due date:
% Done:


Estimated time:



We have finished a basic terraform recipe in #118660 for provisioning an EC2 instance, but it is still missing ssh support.

Acceptance criteria

  • AC1: It is known how to enable SSH access in a terraform setup
  • AC2: An instance that is created allows access with an SSH key


Actions #1

Updated by okurz over 1 year ago

  • Project changed from 46 to QA
Actions #2

Updated by okurz over 1 year ago

  • Project changed from QA to openQA Project
  • Category set to Feature requests
Actions #4

Updated by livdywan over 1 year ago

osukup wrote: ?

That's something we tried out and it didn't work. It's totally possible that it wasn't added correctly, though. Or maybe the networking isn't setup correctly. Feel free to use the existing branch and try it out.

Actions #5

Updated by tinita over 1 year ago

  • Status changed from Workable to In Progress
  • Assignee set to tinita
Actions #6

Updated by tinita over 1 year ago

I made only very small progress. Before we had the problem that the specified key was created, but the instance didn't use it.

I solved this, see

We need to tell aws which key_name to use.
Then it also shows up in the AWS Console.

Still I couldn't ssh (permission denied).

What I did:

ssh-keygen -t rsa -m PEM -f webuidemo.pem
ssh-keygen -y -f webuidemo.pem >

I used the content of for the public_key value.

ssh -i webuidemo.pem -o IdentitiesOnly=yes ec2-user@ip -v
ssh -i webuidemo.pem -o IdentitiesOnly=yes root@ip -v

debug1: Next authentication method: publickey
debug1: Trying private key: webuidemo.pem
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
ec2-user@ip: Permission denied (publickey).

I also tried with a key that I created over the webui.

I had to comment out the usser_data because with it the instance
never opened its ssh port, so I assume user_data must have a
different type of content, or the script failed for some reason,
but we never see the output anywhere, so we can just guess.

Also I had to use a new image_id as it failed to find the one
we had before.

I also tried to create an instance from the image via the webui. It resulted in the same problem.
SSH port was open, but I got permission denied.

cd container/terraform
docker run --rm -it --name terraform -v $(pwd):/workspace -w /workspace hashicorp/terraform:light validate
docker run --rm -it --name terraform -v $(pwd):/workspace -w /workspace hashicorp/terraform:light init ## this needs to be run once; providers will be downloaded to a local folder
docker run --rm -it --name localstack -p 4566:4566 -p 4510-4559:4510-4559 -v $(pwd):/workspace -w /workspace localstack/localstack:latest
docker run --rm -it --network host --name terraform -v $(pwd):/workspace -w /workspace hashicorp/terraform:light apply # this will create the instance on aws
Actions #7

Updated by openqa_review over 1 year ago

  • Due date set to 2022-12-31

Setting due date based on mean cycle time of SUSE QE Tools

Actions #8

Updated by tinita over 1 year ago

I wanted to try out something else, but wasn't able to login because of Okta problems.

Actions #9

Updated by tinita over 1 year ago

  • Status changed from In Progress to Feedback

I got it working.
It turns out I used the wrong image all the time.
I looked at the "AMIs" in the navigation and found 3 images called "openqa-..." and I thought I had to use one of those. But instead we should use a Leap image.
I was pointed to®ion=eu-central-1&search=leap to find a supported image.

Like I assumed before, to get ssh working, the key_name was still missing in the aws_instance section.

With that also the user_data script is now working.
If you create the instance, you can download the webui-... key from the aws console (save as webuidemo.pem) and login via:

ssh -i webuidemo.pem -o IdentitiesOnly=yes ec2-user@ip

Then do

sudo bash
tail -f /var/log/cloud-init-output.log

to watch the openqa-bootstrap output.
When finished, you should be able to connect via http and see the webui.

Actions #10

Updated by tinita over 1 year ago

  • Status changed from Feedback to Resolved
Actions #11

Updated by okurz over 1 year ago

  • Due date deleted (2022-12-31)

Also available in: Atom PDF