remote-exec provisioner fails with 'bash: Permission denied'

I'm trying to provision a RHEL 7 EC2 instance on AWS and kick off a script using the remote-exec provisioner.

After ssh successfully connects, remote-exec fails with a 'Bash: Permission denied' error as shown in the following log extract:

    aws_instance.jenkins_slave (remote-exec):   Host: ***.***.***.***
    aws_instance.jenkins_slave (remote-exec):   User: ec2-user
    aws_instance.jenkins_slave (remote-exec):   Password: false
    aws_instance.jenkins_slave (remote-exec):   Private key: true
    aws_instance.jenkins_slave (remote-exec):   SSH Agent: false
    aws_instance.jenkins_slave (remote-exec): Connected!
    aws_instance.jenkins_slave (remote-exec): bash: /tmp/ Permission denied
    Error applying plan:

    1 error(s) occurred:

    * Script exited with non-zero exit status: 126

The sample remote-exec I'm using for debugging is very simple:

    provisioner "remote-exec" {
        # inline takes a list of commands; the single command is enough to reproduce the failure
        inline = ["whoami > /tmp/whoami.txt"]
    }

The issue occurred with Terraform v0.6.6 and v0.6.12. I'm running Terraform from Win 7.

The AMI used to create the EC2 instance has been hardened with the recommendations from the Center for Internet Security, more specifically the CIS Red Hat Enterprise Linux 7 Benchmark.

Part of the hardening process sets the noexec option for the /tmp partition, which prevents scripts being run from /tmp.

Currently, Terraform generates a temporary script from the information in the Terraform file. It then copies it to /tmp using scp and does a chmod to 777 to allow everyone to read and execute it.

It finally tries to execute it by calling it directly, e.g. /tmp/ in the example above.

Trying to run the script fails because of the noexec option of the file system the script resides on.

However, it is possible to read the file, and /bin/sh /tmp/ works.

So can you please amend the Terraform code to run the script over ssh by calling /bin/sh /tmp/ instead of /tmp/.

Thanks, Nico


Dineshk77

Adding the script path works

    connection {
        host        = element(var.private_ip, count.index)
        type        = var.login_type
        user        = var.user_name
        password    = var.instance_password
        port        = var.port
        https       = "true"
        insecure    = "true"
        timeout     = "20m"
        script_path = "${some_remote_location}"   # should be a file, ex: /home/myuser/
    }
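As an added example (not from the issue or from the Terraform project), here is the original RHEL 7 / ec2-user scenario with `script_path` moved out of the noexec /tmp mount, so the CIS hardening stays in place and the provisioner still runs. The AMI variable, key path and instance type are assumptions; `%RAND%` is the placeholder Terraform expands to a random number in the remote script name.

```hcl
# Added example: remote-exec against a CIS-hardened RHEL 7 host whose /tmp is mounted noexec.
# Assumptions: key-based SSH as ec2-user, the private key at var.private_key_path,
# and a home directory on a filesystem that is not mounted noexec.
resource "aws_instance" "jenkins_slave" {
  ami           = var.hardened_rhel7_ami   # CIS-hardened AMI from the issue (id assumed)
  instance_type = "t3.small"

  connection {
    type        = "ssh"
    host        = self.public_ip
    user        = "ec2-user"
    private_key = file(var.private_key_path)
    timeout     = "5m"

    # The default path is /tmp/terraform_%RAND%.sh, which the noexec mount refuses
    # to execute (exit status 126). Point it at the user's home instead; Terraform
    # replaces %RAND% with a random number so parallel provisioners do not collide.
    script_path = "/home/ec2-user/terraform_%RAND%.sh"
  }

  provisioner "remote-exec" {
    inline = [
      # Guard: fail the apply if the /tmp hardening has been lost rather than work around it.
      "findmnt -no OPTIONS /tmp | grep -q noexec || { echo '/tmp is not mounted noexec'; exit 1; }",
      # The same smoke test as in the issue, written outside /tmp.
      "whoami > /home/ec2-user/whoami.txt",
    ]
  }
}
```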
