Add Certificate Authentication for WinRM connection. #23096

Open
pateljin opened this issue Oct 16, 2019 · 1 comment

pateljin commented Oct 16, 2019

Reading from the existing provisioner docs, WinRM only works with user and password type authentication.

It would be nice if Terraform could allow authenticating using client certificate based auth, which WinRM supports.
This link is just for reference from Microsoft (https://docs.microsoft.com/en-us/windows/win32/winrm/authentication-for-remote-connections#client-certificate-based-authentication)

Current Terraform Version

Terraform v0.11.11
+ provider.external v1.2.0
+ provider.local v1.4.0
+ provider.null v2.1.0
+ provider.random v2.1.0

Use-cases

To have passwordless authentication with WinRM, just like SSH private_key.

This also solves the issue where, if someone changes a user's password, which on Windows OS is quite normal, having certificate based authentication can still allow Terraform to manage resources via WinRM.

Attempted Solutions

Nothing comes to mind to use passwordless auth for WinRM via Terraform.

One way to solve this is to install the OpenSSH service on Windows OS and use a normal SSH connection instead of WinRM.

Proposal

If certificate based auth is allowed via the connection block for WinRM, it might look like below:

resource "null_resource" "test" {
    connection {
        type         = "winrm"
        timeout      = "10m"
        user         = "${var.admin_user}"
        # proposed attribute: client certificate (PFX) used instead of a password
        private_cert = "${file("/path/to/cert.pfx")}"
        host         = "${var.ipv4}"
        port         = 5986
        https        = true
        # insecure = true skips validation of the server's HTTPS certificate chain
        insecure     = true
    }

    provisioner "remote-exec" {
        inline = [
            "powershell.exe -ExecutionPolicy Bypass -File c:\\script.ps1 -markFinish"
        ]
    }
}

My goal is passwordless auth, so I am skipping the cert_password attr, but that can be included for completeness, as pfx certs can be password protected.

References

https://cloudbase.it/windows-without-passwords-in-openstack/

Not related to Terraform or the solution, but the above link has a quick setup on how to set up WinRM for cert based auth and how to use that from a Linux system.

@pateljin
Author

Anyone else interested in getting this feature?
