Trouble creating vm templates

[maskudo]

I am trying to create vm templates based on the example in the docs.
I either run into errors about access control list or just plain connecting to the server errors.
Could someone tell me if its the username and password combination I'm supposed to input for ssh is one of

1. of the main user in host machine
2. the proxmox user

When I use the username and password of the host user I'm connecting via ssh, I get:
Error:

╷
│ Error: creating custom disk: ipcc_send_rec[1] failed: Unknown error -1
│ ipcc_send_rec[2] failed: Unknown error -1
│ ipcc_send_rec[3] failed: Unknown error -1
│ Unable to load access control list: Unknown error -1
│
│
│   with module.ubuntu_template.proxmox_virtual_environment_vm.ubuntu-template,
│   on modules/ubuntu_template/main.tf line 10, in resource "proxmox_virtual_environment_vm" "ubuntu-template":
│   10: resource "proxmox_virtual_environment_vm" "ubuntu-template" {
│
╵

When I use the username and password of the pve user with 'root@pam` username, I get:

│ Error: creating custom disk: unable to authenticate user "root" over SSH to "192.168.1.67:22". Please verify that ssh-agent is correctly loaded with an authorized key via 'ssh-add -L' (NOTE: configurations in ~/.ssh/config are not considered by the provider): failed to dial 192.168.1.67:22: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none], no supported methods remain
│
│   with module.ubuntu_template.proxmox_virtual_environment_vm.ubuntu-template,
│   on modules/ubuntu_template/main.tf line 10, in resource "proxmox_virtual_environment_vm" "ubuntu-template":
│   10: resource "proxmox_virtual_environment_vm" "ubuntu-template" {
│

The terraform code for reference:

# main.tf
provider "proxmox" {
  endpoint  = var.api_url
  api_token = var.api_token

  insecure = true

  random_vm_ids      = true
  random_vm_id_start = 90000
  random_vm_id_end   = 90999

  ssh {
    agent    = true
    username = "username"
    password = "******"
    node {
      name    = var.proxmox_host
      address = "192.168.1.67"
    }
  }
}


# modules/ubuntu-template/main.tf
resource "proxmox_virtual_environment_vm" "ubuntu-template" {
  name      = var.name
  node_name = var.node_name

  template = true
  started  = false

  machine     = "q35"
  bios        = "ovmf"
  description = "Managed by Terraform"

  cpu {
    cores = 2
  }

  memory {
    dedicated = 2048
  }

  efi_disk {
    datastore_id = var.datastore_id
    type         = "4m"
  }

  disk {
    datastore_id = var.datastore_id
    file_id      = proxmox_virtual_environment_download_file.ubuntu_cloud_image.id
    interface    = "virtio0"
    iothread     = true
    discard      = "on"
    size         = 20
  }

  initialization {
    datastore_id = var.datastore_id

    user_account {
      keys     = [var.ssh_key]
      username = var.username
      password = ""
    }

    ip_config {
      ipv4 {
        address = "dhcp"
      }
    }
  }

  network_device {
    bridge = "vmbr0"
  }
}

resource "proxmox_virtual_environment_download_file" "ubuntu_cloud_image" {
  content_type = "iso"
  datastore_id = var.datastore_id
  node_name    = var.node_name

  url = "https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img"
}

[bpg]

Hey @maskudo 👋🏼

1. of the main user in host machine
2. the proxmox user

Not sure what do you mean by each "user" here 😅, Let's assume you have privileged "root" and unprivileged "username" OS-level (aka PAM) user accounts on the PVE host.

  ssh {
    agent    = true
    username = "username"
    password = "******"
    node {
      name    = var.proxmox_host
      address = "192.168.1.67"
    }
  }

agent = true means the provider will be using SSH Agent on the machine where you're running terraform from to authenticate over SSH with the PVE host. Do you have the agent up and running with keys loaded?

Also from the doc:

The SSH agent authentication takes precedence over the private_key and password authentication.

So the password field is ignored when agent = true, as the ssh agent takes over the authentication.

However, the username is still used, as it needed to select the user account on the PVE host to authenticate as.
In your example, the "username" user must exist on the PVE host and must have required permissions, or be set up with sudoers as explained here.

Then according to the configuration above, you should be able to ssh to PVE as "username" without asking for a password, and should be able to run commands either derectly (ssh username@<target-node> pvesm apiinfo) or via sudo (ssh username@<target-node> pvesm apiinfo) in order to make everything work for the provider.

You still have an option to use "root" user instead of "username", but again, you should be able ssh to PVE as root without the password.

If you don't want to use the ssh agent, then set it to false, and use the password instead.

[maskudo]

I am using a nixos flavour of proxmox and I seem to have gotten my sshd permissions wrong. Wasn't allowing password based ssh connection.
Thank you for the help and the awesome provider!