MM-60255: Address once and for all the remote-exec error (#973)

* Migrate instance provisioning to cloud-init

Replace Terraform `file` + `remote-exec` provisioner blocks across all
instance types (app, metrics, proxy, agent, job, keycloak, etc.) with a
single `user_data.sh.tpl` template that embeds the provisioner scripts
inline via cloud-init. This eliminates the need for SSH connection
blocks during `terraform apply` and makes provisioning more reliable.

* Set USER and HOME in cloud-init user_data template

Cloud-init runs user_data as root with a minimal environment, so
$HOME and $USER are unset or point to root. Export them as the AMI
user so provisioner scripts (nvm, otel-collector, keycloak) install
files to the correct locations. Also replaces `$(whoami)` calls in
RHEL scripts with `${USER}` for consistency.

* Upload license via SSH instead of file provisioner

Replace the Terraform `file` provisioner blocks for the license file
on app and job servers with an explicit SSH upload in `setupAppServer`.

* Remove connection blocks from Terraform instances

These `connection` blocks were used by `remote-exec` and `file`
provisioners which have been replaced by cloud-init user_data.
They are now unused and can be safely removed.

* Remove connection blocks from Terraform instances

These `connection` blocks were used by `remote-exec` and `file`
provisioners which have been replaced by cloud-init user_data.
They are now unused and can be safely removed.

* Use templated user for otelcol-contrib service

The sed commands that configure the otelcol-contrib systemd service
were hardcoding User=ubuntu and Group=ubuntu. Use ${USER} instead
so the service runs as the same runtime user as the rest of the
provisioner script.

* Write failure sentinel when provisioner.sh exits non-zero

On failure, write the exit code to provisioning-exitcode and touch
provisioning-failed. The waitForProvisioning poller now checks for
the failure sentinel each iteration and aborts immediately instead
of waiting for the full timeout.

* Add per-attempt dial timeout to SSH retry loop

NewClientWithRetry now computes remaining time each iteration and
passes min(backoff, remaining) as the dial timeout via a new
newClientWithTimeout helper that sets ssh.ClientConfig.Timeout,
preventing a single ssh.Dial from blocking past the deadline.

* Capture provisioner exit code before branching

Run /tmp/provisioner.sh with || to capture its exit code into a
variable before the conditional, rather than relying on $? inside the
else branch which is fragile if any command is inserted between the
condition and the echo.

* Use ${USER} in Debian provisioner sed commands

The agent.sh and rhel/common.sh provisioners already use ${USER} for the
otelcol-contrib service unit. Apply the same pattern to proxy.sh, job.sh,
and app.sh so the service runs as the configured AMI user.

* Fix double-budget issue in provisioning timeout

Track elapsed time during SSH connection so the polling loop uses only
the remaining budget instead of starting a fresh full timeout.

Author: agarciamontoro

deployment/terraform/assets/cluster.tf

@@ -51,12 +51,6 @@ resource "aws_instance" "app_server" {
     Name = "${var.cluster_name}-app-${count.index}"
   }
 
-  connection {
-    type = "ssh"
-    host = var.connection_type == "public" ? self.public_ip : self.private_ip
-    user = var.aws_ami_user
-  }
-
   ami                  = var.aws_ami
   instance_type        = var.app_instance_type
   key_name             = aws_key_pair.key.id
@@ -75,29 +69,12 @@ resource "aws_instance" "app_server" {
     volume_type = var.block_device_type
   }
 
-  provisioner "file" {
-    source      = var.mattermost_license_file
-    destination = "/home/${var.aws_ami_user}/mattermost.mattermost-license"
-  }
-
-  provisioner "file" {
-    source      = "provisioners/${var.operating_system_kind}/common.sh"
-    destination = "/tmp/common.sh"
-  }
-
-  provisioner "file" {
-    source      = "provisioners/${var.operating_system_kind}/app.sh"
-    destination = "/tmp/provisioner.sh"
-  }
-
-  provisioner "remote-exec" {
-    inline = [
-      "cd /tmp",
-      "chmod +x /tmp/common.sh",
-      "chmod +x /tmp/provisioner.sh",
-      "/tmp/provisioner.sh",
-    ]
-  }
+  user_data_replace_on_change = true
+  user_data = templatefile("${path.module}/user_data.sh.tpl", {
+    common_sh      = file("${path.module}/provisioners/${var.operating_system_kind}/common.sh")
+    provisioner_sh = file("${path.module}/provisioners/${var.operating_system_kind}/app.sh")
+    ami_user       = var.aws_ami_user
+  })
 }
 data "aws_vpc" "selected" {
   tags = {
@@ -204,12 +181,6 @@ resource "aws_instance" "metrics_server" {
     Name = "${var.cluster_name}-metrics"
   }
 
-  connection {
-    type = "ssh"
-    host = var.connection_type == "public" ? self.public_ip : self.private_ip
-    user = var.aws_ami_user
-  }
-
   ami               = var.aws_ami
   instance_type     = var.metrics_instance_type
   count             = var.enable_metrics_instance ? 1 : 0
@@ -228,25 +199,12 @@ resource "aws_instance" "metrics_server" {
     volume_type = var.block_device_type
   }
 
-  provisioner "file" {
-    source      = "provisioners/${var.operating_system_kind}/common.sh"
-    destination = "/tmp/common.sh"
-  }
-
-  provisioner "file" {
-    source      = "provisioners/${var.operating_system_kind}/metrics.sh"
-    destination = "/tmp/provisioner.sh"
-  }
-
-  provisioner "remote-exec" {
-    inline = [
-      "cd /tmp",
-      "chmod +x /tmp/common.sh",
-      "chmod +x /tmp/provisioner.sh",
-      "/tmp/provisioner.sh",
-    ]
-  }
-
+  user_data_replace_on_change = true
+  user_data = templatefile("${path.module}/user_data.sh.tpl", {
+    common_sh      = file("${path.module}/provisioners/${var.operating_system_kind}/common.sh")
+    provisioner_sh = file("${path.module}/provisioners/${var.operating_system_kind}/metrics.sh")
+    ami_user       = var.aws_ami_user
+  })
 }
 
 resource "aws_instance" "proxy_server" {
@@ -271,31 +229,12 @@ resource "aws_instance" "proxy_server" {
     volume_type = var.block_device_type
   }
 
-  connection {
-    type = "ssh"
-    user = var.aws_ami_user
-    host = var.connection_type == "public" ? self.public_ip : self.private_ip
-  }
-
-  provisioner "file" {
-    source      = "provisioners/${var.operating_system_kind}/common.sh"
-    destination = "/tmp/common.sh"
-  }
-
-  provisioner "file" {
-    source      = "provisioners/${var.operating_system_kind}/proxy.sh"
-    destination = "/tmp/provisioner.sh"
-  }
-
-  provisioner "remote-exec" {
-    inline = [
-      "cd /tmp",
-      "chmod +x /tmp/common.sh",
-      "chmod +x /tmp/provisioner.sh",
-      "/tmp/provisioner.sh",
-    ]
-  }
-
+  user_data_replace_on_change = true
+  user_data = templatefile("${path.module}/user_data.sh.tpl", {
+    common_sh      = file("${path.module}/provisioners/${var.operating_system_kind}/common.sh")
+    provisioner_sh = file("${path.module}/provisioners/${var.operating_system_kind}/proxy.sh")
+    ami_user       = var.aws_ami_user
+  })
 }
 
 resource "aws_iam_user" "s3user" {
@@ -448,12 +387,6 @@ resource "aws_instance" "loadtest_agent" {
     Name = "${var.cluster_name}-agent-${count.index}"
   }
 
-  connection {
-    type = "ssh"
-    host = var.connection_type == "public" ? self.public_ip : self.private_ip
-    user = var.aws_ami_user
-  }
-
   ami           = var.aws_ami
   instance_type = var.agent_instance_type
   key_name      = aws_key_pair.key.id
@@ -470,38 +403,19 @@ resource "aws_instance" "loadtest_agent" {
     volume_type = var.block_device_type
   }
 
-  provisioner "file" {
-    source      = "provisioners/${var.operating_system_kind}/common.sh"
-    destination = "/tmp/common.sh"
-  }
-
-  provisioner "file" {
-    source      = "provisioners/${var.operating_system_kind}/agent.sh"
-    destination = "/tmp/provisioner.sh"
-  }
-
-  provisioner "remote-exec" {
-    inline = [
-      "cd /tmp",
-      "chmod +x /tmp/common.sh",
-      "chmod +x /tmp/provisioner.sh",
-      "/tmp/provisioner.sh",
-    ]
-  }
-
+  user_data_replace_on_change = true
+  user_data = templatefile("${path.module}/user_data.sh.tpl", {
+    common_sh      = file("${path.module}/provisioners/${var.operating_system_kind}/common.sh")
+    provisioner_sh = file("${path.module}/provisioners/${var.operating_system_kind}/agent.sh")
+    ami_user       = var.aws_ami_user
+  })
 }
 
 resource "aws_instance" "loadtest_browser_agent" {
   tags = {
     Name = "${var.cluster_name}-browser-agent-${count.index}"
   }
 
-  connection {
-    type = "ssh"
-    host = var.connection_type == "public" ? self.public_ip : self.private_ip
-    user = var.aws_ami_user
-  }
-
   ami           = var.aws_ami
   instance_type = var.browser_agent_instance_type
   key_name      = aws_key_pair.key.id
@@ -518,25 +432,12 @@ resource "aws_instance" "loadtest_browser_agent" {
     volume_type = var.block_device_type
   }
 
-  provisioner "file" {
-    source      = "provisioners/${var.operating_system_kind}/common.sh"
-    destination = "/tmp/common.sh"
-  }
-
-  provisioner "file" {
-    source      = "provisioners/${var.operating_system_kind}/agent.sh"
-    destination = "/tmp/provisioner.sh"
-  }
-
-  provisioner "remote-exec" {
-    inline = [
-      "cd /tmp",
-      "chmod +x /tmp/common.sh",
-      "chmod +x /tmp/provisioner.sh",
-      "/tmp/provisioner.sh",
-    ]
-  }
-
+  user_data_replace_on_change = true
+  user_data = templatefile("${path.module}/user_data.sh.tpl", {
+    common_sh      = file("${path.module}/provisioners/${var.operating_system_kind}/common.sh")
+    provisioner_sh = file("${path.module}/provisioners/${var.operating_system_kind}/agent.sh")
+    ami_user       = var.aws_ami_user
+  })
 }
 
 resource "aws_security_group" "app" {
@@ -936,12 +837,6 @@ resource "aws_instance" "job_server" {
     Name = "${var.cluster_name}-job-server-${count.index}"
   }
 
-  connection {
-    type = "ssh"
-    host = var.connection_type == "public" ? self.public_ip : self.private_ip
-    user = var.aws_ami_user
-  }
-
   ami               = var.aws_ami
   instance_type     = var.job_server_instance_type
   key_name          = aws_key_pair.key.id
@@ -958,30 +853,12 @@ resource "aws_instance" "job_server" {
     volume_type = var.block_device_type
   }
 
-  provisioner "file" {
-    source      = var.mattermost_license_file
-    destination = "/home/${var.aws_ami_user}/mattermost.mattermost-license"
-  }
-
-
-  provisioner "file" {
-    source      = "provisioners/${var.operating_system_kind}/common.sh"
-    destination = "/tmp/common.sh"
-  }
-
-  provisioner "file" {
-    source      = "provisioners/${var.operating_system_kind}/job.sh"
-    destination = "/tmp/provisioner.sh"
-  }
-
-  provisioner "remote-exec" {
-    inline = [
-      "cd /tmp",
-      "chmod +x /tmp/common.sh",
-      "chmod +x /tmp/provisioner.sh",
-      "/tmp/provisioner.sh",
-    ]
-  }
+  user_data_replace_on_change = true
+  user_data = templatefile("${path.module}/user_data.sh.tpl", {
+    common_sh      = file("${path.module}/provisioners/${var.operating_system_kind}/common.sh")
+    provisioner_sh = file("${path.module}/provisioners/${var.operating_system_kind}/job.sh")
+    ami_user       = var.aws_ami_user
+  })
 }
 
 locals {
@@ -1002,12 +879,6 @@ resource "aws_instance" "keycloak" {
     Name = "${var.cluster_name}-keycloak"
   }
 
-  connection {
-    type = "ssh"
-    host = var.connection_type == "public" ? self.public_ip : self.private_ip
-    user = var.aws_ami_user
-  }
-
   ami               = var.aws_ami
   instance_type     = var.keycloak_instance_type
   count             = var.keycloak_enabled ? 1 : 0
@@ -1024,24 +895,12 @@ resource "aws_instance" "keycloak" {
     volume_type = var.block_device_type
   }
 
-  provisioner "file" {
-    source      = "provisioners/${var.operating_system_kind}/common.sh"
-    destination = "/tmp/common.sh"
-  }
-
-  provisioner "file" {
-    source      = "provisioners/${var.operating_system_kind}/keycloak.sh"
-    destination = "/tmp/provisioner.sh"
-  }
-
-  provisioner "remote-exec" {
-    inline = [
-      "cd /tmp",
-      "chmod +x /tmp/common.sh",
-      "chmod +x /tmp/provisioner.sh",
-      "/tmp/provisioner.sh",
-    ]
-  }
+  user_data_replace_on_change = true
+  user_data = templatefile("${path.module}/user_data.sh.tpl", {
+    common_sh      = file("${path.module}/provisioners/${var.operating_system_kind}/common.sh")
+    provisioner_sh = file("${path.module}/provisioners/${var.operating_system_kind}/keycloak.sh")
+    ami_user       = var.aws_ami_user
+  })
 }
 
 resource "aws_security_group" "keycloak" {

deployment/terraform/assets/ldap.tf

@@ -4,12 +4,6 @@ resource "aws_instance" "openldap" {
     Name = "${var.cluster_name}-openldap"
   }
 
-  connection {
-    type = "ssh"
-    host = var.connection_type == "public" ? self.public_ip : self.private_ip
-    user = var.aws_ami_user
-  }
-
   ami               = var.aws_ami
   instance_type     = var.openldap_instance_type
   count             = var.openldap_enabled ? 1 : 0
@@ -26,24 +20,12 @@ resource "aws_instance" "openldap" {
     volume_type = var.block_device_type
   }
 
-  provisioner "file" {
-    source      = "provisioners/${var.operating_system_kind}/common.sh"
-    destination = "/tmp/common.sh"
-  }
-
-  provisioner "file" {
-    source      = "provisioners/${var.operating_system_kind}/openldap.sh"
-    destination = "/tmp/provisioner.sh"
-  }
-
-  provisioner "remote-exec" {
-    inline = [
-      "cd /tmp",
-      "chmod +x /tmp/common.sh",
-      "chmod +x /tmp/provisioner.sh",
-      "/tmp/provisioner.sh",
-    ]
-  }
+  user_data_replace_on_change = true
+  user_data = templatefile("${path.module}/user_data.sh.tpl", {
+    common_sh      = file("${path.module}/provisioners/${var.operating_system_kind}/common.sh")
+    provisioner_sh = file("${path.module}/provisioners/${var.operating_system_kind}/openldap.sh")
+    ami_user       = var.aws_ami_user
+  })
 }
 
 resource "aws_security_group" "openldap" {

deployment/terraform/assets/provisioners/debian/agent.sh

@@ -2,12 +2,6 @@
 
 set -euo pipefail
 
-# Wait for boot to be finished (e.g. networking to be up).
-while [ ! -f /var/lib/cloud/instance/boot-finished ]; do
-	echo 'Waiting for cloud-init...'
-	sleep 1
-done
-
 # Retry loop (up to 3 times)
 n=0
 until [ "$n" -ge 3 ]; do
@@ -26,12 +20,13 @@ until [ "$n" -ge 3 ]; do
 		nvm install 24.11 &&
 		nvm use 24.11 &&
 		echo "Node.js installed successfully with version $(node --version)" &&
-		# Install OpenTelemetry collector, using ubuntu user to avoid permission issues
+		# Install OpenTelemetry collector, using current user to avoid permission issues
 		wget https://github.com/open-telemetry/opentelemetry-collector-releases/releases/download/v0.120.0/otelcol-contrib_0.120.0_linux_amd64.deb &&
 		sudo dpkg -i otelcol-contrib_0.120.0_linux_amd64.deb &&
-		sudo sed -i 's/User=.*/User=ubuntu/g' /lib/systemd/system/otelcol-contrib.service &&
-		sudo sed -i 's/Group=.*/Group=ubuntu/g' /lib/systemd/system/otelcol-contrib.service &&
+		sudo sed -i "s/User=.*/User=${USER}/g" /lib/systemd/system/otelcol-contrib.service &&
+		sudo sed -i "s/Group=.*/Group=${USER}/g" /lib/systemd/system/otelcol-contrib.service &&
 		sudo systemctl daemon-reload && sudo systemctl restart otelcol-contrib &&
+		sudo chown -R ${USER}:${USER} ${HOME}/.nvm &&
 		exit 0
 	n=$((n + 1))
 	sleep 2