opentofu/website/docs/provisioners/connection.html.markdown

---
layout: "docs"
page_title: "Provisioner Connections"
sidebar_current: "docs-provisioners-connection"
description: |-
  Managing connection defaults for SSH and WinRM using the `connection` block.
---

# Provisioner Connections

Many provisioners require access to the remote resource. For example,
a provisioner may need to use SSH or WinRM to connect to the resource.

Terraform uses a number of defaults when connecting to a resource, but these can
be overridden using a `connection` block in either a `resource` or
`provisioner`. Any `connection` information provided in a `resource` will apply
to all the provisioners, but it can be scoped to a single provisioner as well.
One use case is to have an initial provisioner connect as the `root` user to
setup user accounts, and have subsequent provisioners connect as a user with
more limited permissions.

## Example usage

```hcl
# Copies the file as the root user using SSH
provisioner "file" {
  source      = "conf/myapp.conf"
  destination = "/etc/myapp.conf"

  connection {
    type     = "ssh"
    user     = "root"
    password = "${var.root_password}"
  }
}

# Copies the file as the Administrator user using WinRM
provisioner "file" {
  source      = "conf/myapp.conf"
  destination = "C:/App/myapp.conf"

  connection {
    type     = "winrm"
    user     = "Administrator"
    password = "${var.admin_password}"
  }
}
```

## Argument Reference

**The following arguments are supported by all connection types:**

* `type` - The connection type that should be used. Valid types are `ssh` and `winrm`
  Defaults to `ssh`.

* `user` - The user that we should use for the connection. Defaults to `root` when
  using type `ssh` and defaults to `Administrator` when using type `winrm`.

* `password` - The password we should use for the connection. In some cases this is
  specified by the provider.

* `host` - The address of the resource to connect to. This is usually specified by the provider.

* `port` - The port to connect to. Defaults to `22` when using type `ssh` and defaults
  to `5985` when using type `winrm`.

* `timeout` - The timeout to wait for the connection to become available. This defaults
  to 5 minutes. Should be provided as a string like `30s` or `5m`.

* `script_path` - The path used to copy scripts meant for remote execution.

**Additional arguments only supported by the `ssh` connection type:**

* `private_key` - The contents of an SSH key to use for the connection. These can
  be loaded from a file on disk using
  [the `file` function](/docs/configuration/functions/file.html). This takes
  preference over the password if provided.

* `agent` - Set to `false` to disable using `ssh-agent` to authenticate. On Windows the
  only supported SSH authentication agent is
  [Pageant](http://the.earth.li/~sgtatham/putty/0.66/htmldoc/Chapter9.html#pageant).

* `agent_identity` - The preferred identity from the ssh agent for authentication.

* `host_key` - The public key from the remote host or the signing CA, used to
  verify the connection.

**Additional arguments only supported by the `winrm` connection type:**

* `https` - Set to `true` to connect using HTTPS instead of HTTP.

* `insecure` - Set to `true` to not validate the HTTPS certificate chain.

* `use_ntlm` - Set to `true` to use NTLM authentication, rather than default (basic authentication), removing the requirement for basic authentication to be enabled within the target guest. Further reading for remote connection authentication can be found [here](https://msdn.microsoft.com/en-us/library/aa384295(v=vs.85).aspx).

* `cacert` - The CA certificate to validate against.

<a id="bastion"></a>

## Connecting through a Bastion Host with SSH

The `ssh` connection also supports the following fields to facilitate connnections via a
[bastion host](https://en.wikipedia.org/wiki/Bastion_host).

* `bastion_host` - Setting this enables the bastion Host connection. This host
  will be connected to first, and then the `host` connection will be made from there.

* `bastion_host_key` - The public key from the remote host or the signing CA,
  used to verify the host connection.

* `bastion_port` - The port to use connect to the bastion host. Defaults to the
  value of the `port` field.

* `bastion_user` - The user for the connection to the bastion host. Defaults to
  the value of the `user` field.

* `bastion_password` - The password we should use for the bastion host.
  Defaults to the value of the `password` field.

* `bastion_private_key` - The contents of an SSH key file to use for the bastion
  host. These can be loaded from a file on disk using
  [the `file` function](/docs/configuration/functions/file.html).
  Defaults to the value of the `private_key` field.
website: Document provisioners 2014-07-23 11:40:15 -05:00			`---`
			`layout: "docs"`
			`page_title: "Provisioner Connections"`
			`sidebar_current: "docs-provisioners-connection"`
Add meta descriptions to all pages 2014-10-21 22:21:56 -05:00			`description: \|-`
Updates to the Connection docs 1. Updated formatting. 2. Updated some grammar and structure. 2016-10-09 10:42:43 -05:00			Managing connection defaults for SSH and WinRM using the `connection` block.
website: Document provisioners 2014-07-23 11:40:15 -05:00			`---`

			`# Provisioner Connections`

			`Many provisioners require access to the remote resource. For example,`
Updating the docs 2015-04-10 14:28:28 -05:00			`a provisioner may need to use SSH or WinRM to connect to the resource.`
website: Document provisioners 2014-07-23 11:40:15 -05:00
Add HCL syntax highlighting for everything but providers 2017-04-05 10:29:27 -05:00			`Terraform uses a number of defaults when connecting to a resource, but these can`
			be overridden using a `connection` block in either a `resource` or
			`provisioner`. Any `connection` information provided in a `resource` will apply
			`to all the provisioners, but it can be scoped to a single provisioner as well.`
			One use case is to have an initial provisioner connect as the `root` user to
			`setup user accounts, and have subsequent provisioners connect as a user with`
			`more limited permissions.`
website: Document provisioners 2014-07-23 11:40:15 -05:00
			`## Example usage`

Add HCL syntax highlighting for everything but providers 2017-04-05 10:29:27 -05:00			```hcl
Updating the docs 2015-04-10 14:28:28 -05:00			`# Copies the file as the root user using SSH`
website: Document provisioners 2014-07-23 11:40:15 -05:00			`provisioner "file" {`
website/docs: Run `terraform fmt` on code examples (#12075) * docs/vsphere: Fix code block * docs: Convert `...` to `# ...` to allow `terraform fmt`ing * docs: Trim trailing whitespace * docs: First-pass run of `terraform fmt` on code examples 2017-02-18 16:48:50 -06:00			`source = "conf/myapp.conf"`
			`destination = "/etc/myapp.conf"`

			`connection {`
			`type = "ssh"`
			`user = "root"`
			`password = "${var.root_password}"`
			`}`
website: Document provisioners 2014-07-23 11:40:15 -05:00			`}`
Updating the docs 2015-04-10 14:28:28 -05:00
			`# Copies the file as the Administrator user using WinRM`
			`provisioner "file" {`
website/docs: Run `terraform fmt` on code examples (#12075) * docs/vsphere: Fix code block * docs: Convert `...` to `# ...` to allow `terraform fmt`ing * docs: Trim trailing whitespace * docs: First-pass run of `terraform fmt` on code examples 2017-02-18 16:48:50 -06:00			`source = "conf/myapp.conf"`
			`destination = "C:/App/myapp.conf"`

			`connection {`
			`type = "winrm"`
			`user = "Administrator"`
			`password = "${var.admin_password}"`
			`}`
Updating the docs 2015-04-10 14:28:28 -05:00			`}`
website: Document provisioners 2014-07-23 11:40:15 -05:00			```

			`## Argument Reference`

Updating the docs 2015-04-10 14:28:28 -05:00			`The following arguments are supported by all connection types:`
website: Document provisioners 2014-07-23 11:40:15 -05:00
Updates to the Connection docs 1. Updated formatting. 2. Updated some grammar and structure. 2016-10-09 10:42:43 -05:00			* `type` - The connection type that should be used. Valid types are `ssh` and `winrm`
			Defaults to `ssh`.
website: Document provisioners 2014-07-23 11:40:15 -05:00
Updates to the Connection docs 1. Updated formatting. 2. Updated some grammar and structure. 2016-10-09 10:42:43 -05:00			* `user` - The user that we should use for the connection. Defaults to `root` when
			using type `ssh` and defaults to `Administrator` when using type `winrm`.
website: Document provisioners 2014-07-23 11:40:15 -05:00
Updating the docs 2015-04-10 14:28:28 -05:00			* `password` - The password we should use for the connection. In some cases this is
Updates to the Connection docs 1. Updated formatting. 2. Updated some grammar and structure. 2016-10-09 10:42:43 -05:00			`specified by the provider.`
Updating the docs 2015-04-10 14:28:28 -05:00
Updates to the Connection docs 1. Updated formatting. 2. Updated some grammar and structure. 2016-10-09 10:42:43 -05:00			* `host` - The address of the resource to connect to. This is usually specified by the provider.
Updating the docs 2015-04-10 14:28:28 -05:00
Updates to the Connection docs 1. Updated formatting. 2. Updated some grammar and structure. 2016-10-09 10:42:43 -05:00			* `port` - The port to connect to. Defaults to `22` when using type `ssh` and defaults
			to `5985` when using type `winrm`.
Updating the docs 2015-04-10 14:28:28 -05:00
			* `timeout` - The timeout to wait for the connection to become available. This defaults
Updates to the Connection docs 1. Updated formatting. 2. Updated some grammar and structure. 2016-10-09 10:42:43 -05:00			to 5 minutes. Should be provided as a string like `30s` or `5m`.
Updating the docs 2015-04-10 14:28:28 -05:00
Fixed typos in remote.html.markdown and connection.html.markdown. (#6195) 2016-04-15 17:05:49 -05:00			* `script_path` - The path used to copy scripts meant for remote execution.
Updating the docs 2015-04-10 14:28:28 -05:00
Updates to the Connection docs 1. Updated formatting. 2. Updated some grammar and structure. 2016-10-09 10:42:43 -05:00			Additional arguments only supported by the `ssh` connection type:
website: Document provisioners 2014-07-23 11:40:15 -05:00
ssh: accept private key contents instead of path We've been moving away from config fields expecting file paths that Terraform will load, instead prefering fields that expect file contents, leaning on `file()` to do loading from a path. This helps with consistency and also flexibility - since this makes it easier to shift sensitive files into environment variables. Here we add a little helper package to manage the transitional period for these fields where we support both behaviors. Also included is the first of several fields being shifted over - SSH private keys in provisioner connection config. We're moving to new field names so the behavior is more intuitive, so instead of `key_file` it's `private_key` now. Additional field shifts will be included in follow up PRs so they can be reviewed and discussed individually. 2015-11-12 14:39:41 -06:00			* `private_key` - The contents of an SSH key to use for the connection. These can
website: Fix references to the now-defunct "Interpolation" page This has been replaced with an "Expressions" page. Also includes a number of changes to Markdown style to conform to our usual conventions, applied automatically by my editor while making these changes. 2018-05-13 18:59:18 -05:00			`be loaded from a file on disk using`
			[the `file` function](/docs/configuration/functions/file.html). This takes
ssh: accept private key contents instead of path We've been moving away from config fields expecting file paths that Terraform will load, instead prefering fields that expect file contents, leaning on `file()` to do loading from a path. This helps with consistency and also flexibility - since this makes it easier to shift sensitive files into environment variables. Here we add a little helper package to manage the transitional period for these fields where we support both behaviors. Also included is the first of several fields being shifted over - SSH private keys in provisioner connection config. We're moving to new field names so the behavior is more intuitive, so instead of `key_file` it's `private_key` now. Additional field shifts will be included in follow up PRs so they can be reviewed and discussed individually. 2015-11-12 14:39:41 -06:00			`preference over the password if provided.`
website: Document provisioners 2014-07-23 11:40:15 -05:00
Updates to the Connection docs 1. Updated formatting. 2. Updated some grammar and structure. 2016-10-09 10:42:43 -05:00			* `agent` - Set to `false` to disable using `ssh-agent` to authenticate. On Windows the
Add SSH agent support for Windows The Windows support is limited to the Pageant SSH authentication agent. This fixes #3423 2015-12-15 09:39:23 -06:00			`only supported SSH authentication agent is`
Updates to the Connection docs 1. Updated formatting. 2. Updated some grammar and structure. 2016-10-09 10:42:43 -05:00			`[Pageant](http://the.earth.li/~sgtatham/putty/0.66/htmldoc/Chapter9.html#pageant).`
Add documentation for ssh-agent 2015-03-15 18:37:33 -05:00
add agent_identity in the connection docs 2018-01-08 16:12:55 -06:00			* `agent_identity` - The preferred identity from the ssh agent for authentication.

add host_key and bastion_host_key to the docs 2018-02-14 14:30:18 -06:00			* `host_key` - The public key from the remote host or the signing CA, used to
			`verify the connection.`

Updates to the Connection docs 1. Updated formatting. 2. Updated some grammar and structure. 2016-10-09 10:42:43 -05:00			Additional arguments only supported by the `winrm` connection type:
website: Document provisioners 2014-07-23 11:40:15 -05:00
Updates to the Connection docs 1. Updated formatting. 2. Updated some grammar and structure. 2016-10-09 10:42:43 -05:00			* `https` - Set to `true` to connect using HTTPS instead of HTTP.
website: Document provisioners 2014-07-23 11:40:15 -05:00
Updates to the Connection docs 1. Updated formatting. 2. Updated some grammar and structure. 2016-10-09 10:42:43 -05:00			* `insecure` - Set to `true` to not validate the HTTPS certificate chain.
website: Document provisioners 2014-07-23 11:40:15 -05:00
first attempt at supporting NTLM authentication in Terraform 2018-03-30 20:11:53 -05:00			* `use_ntlm` - Set to `true` to use NTLM authentication, rather than default (basic authentication), removing the requirement for basic authentication to be enabled within the target guest. Further reading for remote connection authentication can be found [here](https://msdn.microsoft.com/en-us/library/aa384295(v=vs.85).aspx).

Updating the docs 2015-04-10 14:28:28 -05:00			* `cacert` - The CA certificate to validate against.
communicator/ssh: bastion host support * adds `bastion_` fields to `connection` which add configuration for a bastion host if `bastion_host` is set, connect to that host first, then jump through it to make the SSH connection to `host` * enables SSH Agent forwarding by default 2015-06-22 11:34:02 -05:00
			`<a id="bastion"></a>`
website: Fix references to the now-defunct "Interpolation" page This has been replaced with an "Expressions" page. Also includes a number of changes to Markdown style to conform to our usual conventions, applied automatically by my editor while making these changes. 2018-05-13 18:59:18 -05:00
communicator/ssh: bastion host support * adds `bastion_` fields to `connection` which add configuration for a bastion host if `bastion_host` is set, connect to that host first, then jump through it to make the SSH connection to `host` * enables SSH Agent forwarding by default 2015-06-22 11:34:02 -05:00			`## Connecting through a Bastion Host with SSH`

Updates to the Connection docs 1. Updated formatting. 2. Updated some grammar and structure. 2016-10-09 10:42:43 -05:00			The `ssh` connection also supports the following fields to facilitate connnections via a
			`[bastion host](https://en.wikipedia.org/wiki/Bastion_host).`
communicator/ssh: bastion host support * adds `bastion_` fields to `connection` which add configuration for a bastion host if `bastion_host` is set, connect to that host first, then jump through it to make the SSH connection to `host` * enables SSH Agent forwarding by default 2015-06-22 11:34:02 -05:00
			* `bastion_host` - Setting this enables the bastion Host connection. This host
Updates to the Connection docs 1. Updated formatting. 2. Updated some grammar and structure. 2016-10-09 10:42:43 -05:00			will be connected to first, and then the `host` connection will be made from there.
communicator/ssh: bastion host support * adds `bastion_` fields to `connection` which add configuration for a bastion host if `bastion_host` is set, connect to that host first, then jump through it to make the SSH connection to `host` * enables SSH Agent forwarding by default 2015-06-22 11:34:02 -05:00
add host_key and bastion_host_key to the docs 2018-02-14 14:30:18 -06:00			* `bastion_host_key` - The public key from the remote host or the signing CA,
			`used to verify the host connection.`

communicator/ssh: bastion host support * adds `bastion_` fields to `connection` which add configuration for a bastion host if `bastion_host` is set, connect to that host first, then jump through it to make the SSH connection to `host` * enables SSH Agent forwarding by default 2015-06-22 11:34:02 -05:00			* `bastion_port` - The port to use connect to the bastion host. Defaults to the
Updates to the Connection docs 1. Updated formatting. 2. Updated some grammar and structure. 2016-10-09 10:42:43 -05:00			value of the `port` field.
communicator/ssh: bastion host support * adds `bastion_` fields to `connection` which add configuration for a bastion host if `bastion_host` is set, connect to that host first, then jump through it to make the SSH connection to `host` * enables SSH Agent forwarding by default 2015-06-22 11:34:02 -05:00
Updates to the Connection docs 1. Updated formatting. 2. Updated some grammar and structure. 2016-10-09 10:42:43 -05:00			* `bastion_user` - The user for the connection to the bastion host. Defaults to
			the value of the `user` field.
communicator/ssh: bastion host support * adds `bastion_` fields to `connection` which add configuration for a bastion host if `bastion_host` is set, connect to that host first, then jump through it to make the SSH connection to `host` * enables SSH Agent forwarding by default 2015-06-22 11:34:02 -05:00
			* `bastion_password` - The password we should use for the bastion host.
Updates to the Connection docs 1. Updated formatting. 2. Updated some grammar and structure. 2016-10-09 10:42:43 -05:00			Defaults to the value of the `password` field.
communicator/ssh: bastion host support * adds `bastion_` fields to `connection` which add configuration for a bastion host if `bastion_host` is set, connect to that host first, then jump through it to make the SSH connection to `host` * enables SSH Agent forwarding by default 2015-06-22 11:34:02 -05:00
ssh: accept private key contents instead of path We've been moving away from config fields expecting file paths that Terraform will load, instead prefering fields that expect file contents, leaning on `file()` to do loading from a path. This helps with consistency and also flexibility - since this makes it easier to shift sensitive files into environment variables. Here we add a little helper package to manage the transitional period for these fields where we support both behaviors. Also included is the first of several fields being shifted over - SSH private keys in provisioner connection config. We're moving to new field names so the behavior is more intuitive, so instead of `key_file` it's `private_key` now. Additional field shifts will be included in follow up PRs so they can be reviewed and discussed individually. 2015-11-12 14:39:41 -06:00			* `bastion_private_key` - The contents of an SSH key file to use for the bastion
website: Fix references to the now-defunct "Interpolation" page This has been replaced with an "Expressions" page. Also includes a number of changes to Markdown style to conform to our usual conventions, applied automatically by my editor while making these changes. 2018-05-13 18:59:18 -05:00			`host. These can be loaded from a file on disk using`
			[the `file` function](/docs/configuration/functions/file.html).
Updates to the Connection docs 1. Updated formatting. 2. Updated some grammar and structure. 2016-10-09 10:42:43 -05:00			Defaults to the value of the `private_key` field.