Support for multiple bastion hosts #14523

Open
tomwganem opened this issue May 15, 2017 · 6 comments
@tomwganem

My use case is this: our terraform cluster is only accessible through a bastion host, and that bastion host is only accessible from our office network. Currently, if I ever need to do provisioning outside the office, I configure my ~/.ssh/ssh_config to support multiple jumps, and in terraform use the "local-exec" provisioner to do my provisioning using my system's ssh. It would be cleaner though if I could specify multiple bastion hosts.

@apparentlymart
Contributor

Hi @tomwganem! Thanks for this feature request.

Over in #8367 we were discussing a generalized feature for tunneling connections through bastion servers. Although in that discussion the use-case we had in mind was non-SSH services like Consul and MySQL, it could presumably also be used to tunnel an SSH connection through an SSH connection, which is not exactly the same as accessing a bastion through a bastion but could perhaps achieve the same result.

@rmanz

rmanz commented Dec 15, 2017

Hello,

I've just submitted a PR #16933 which is related to the issue.
@apparentlymart may I ask you to take a short look at it?
I flagged it WIP because I am really not sure if this approach is right; if it turns out to be wrong, pls. tell me and I will delete it again.

Thanks!

@vadixidav

Bump. This is important to me as I currently also have to use local-exec due to corporate security which requires me to hit a jump host to the internet before the bastion. It would be ideal if the connection could automatically use rules in my ~/.ssh/config.

@clausa20

+1. Is there any news about this change? Is it supported in some version? Thanks.

@rafalwrzeszcz

+1, this is required to work e.g. with RDS instances in private subnets (outside -> bastion -> service node -> service db)

@RomanManz

We could write a small library that parses an ssh-config file for 'ProxyJump' hops and then call this library from within TF to create the ssh session. This would be a more reusable approach and easier to integrate probably.
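
The ProxyJump-parsing idea from the comment above, as an added Go example (not code from Terraform, PR #16933 or any participant in this thread): it reads `ProxyJump` entries from ssh_config text and expands them into the ordered list of hosts to dial before the target, rejecting configurations that loop. The function names and host aliases are hypothetical, and it assumes a subset of ssh_config: exact `Host` aliases only (no wildcards, `Match` or `Include`), hops written as plain aliases, and no handling of `ProxyJump none`.

```go
package main

import (
	"fmt"
	"strings"
)

const sampleConfig = "Host bastion\n ProxyJump office-jump\nHost db-node\n ProxyJump bastion\n" +
	"Host loop-a\n ProxyJump loop-a\n" // constructed sample; aliases are hypothetical

// parseProxyJump maps exact Host aliases to ProxyJump hops (no wildcards, Match or Include).
func parseProxyJump(cfg string) map[string][]string {
	jumps, hosts := map[string][]string{}, []string(nil)
	for _, line := range strings.Split(cfg, "\n") {
		f := strings.Fields(strings.Replace(line, "=", " ", 1))
		switch {
		case len(f) < 2: // blank or valueless line: nothing to record
		case strings.EqualFold(f[0], "host"):
			hosts = f[1:]
		case strings.EqualFold(f[0], "proxyjump"):
			for _, h := range hosts {
				if _, set := jumps[h]; !set { // first obtained value wins, as in ssh_config(5)
					jumps[h] = strings.Split(f[1], ",")
				}
			}
		}
	}
	return jumps
}

// hopChain lists the hosts to dial, in order, before target, expanding each hop's own ProxyJump.
func hopChain(jumps map[string][]string, target string, seen map[string]bool) (chain []string, err error) {
	if seen[target] {
		return nil, fmt.Errorf("ProxyJump loop at %q", target)
	}
	seen[target] = true
	defer delete(seen, target) // only hosts on the current path count as a loop
	for _, hop := range jumps[target] {
		var pre []string
		if pre, err = hopChain(jumps, hop, seen); err != nil {
			return nil, err
		}
		chain = append(append(chain, pre...), hop)
	}
	return chain, nil
}

func main() {
	fmt.Println(hopChain(parseProxyJump(sampleConfig), "db-node", map[string]bool{}))
}
```
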
