From 9c1aa0077510d448f468eb63bacb62cb2113f318 Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Tue, 25 Apr 2023 17:50:02 +0200
Subject: [PATCH] support multiple SSH CA key pairs

---
 files/get_cert.sh |  4 ++--
 main.tf           | 11 ++++++-----
 variables.tf      | 44 +++++++++++++++++++++++++-------------------
 3 files changed, 33 insertions(+), 26 deletions(-)

diff --git a/files/get_cert.sh b/files/get_cert.sh
index a223bf3..38e8581 100755
--- a/files/get_cert.sh
+++ b/files/get_cert.sh
@@ -2,11 +2,11 @@
 set -euo pipefail
 IFS=$'\n\t'
 
-eval "$(jq -r '@sh "PUBKEY=\(.pubkey) HOST=\(.host) CAHOST=\(.cahost) CASCRIPT=\(.cascript)"')"
+eval "$(jq -r '@sh "PUBKEY=\(.pubkey) HOST=\(.host) CAHOST=\(.cahost) CASCRIPT=\(.cascript) CAKEY=\(.cakey)"')"
 
 # TODO: Can this be done more eye-pleasingly?
 set +e
-CERT=$(ssh -o ConnectTimeout=3 -o ConnectionAttempts=1 root@$CAHOST '"'"$CASCRIPT"'" host "'"$PUBKEY"'" "'"$HOST"'".dmz')
+CERT=$(ssh -o ConnectTimeout=3 -o ConnectionAttempts=1 root@$CAHOST '"'"$CASCRIPT"'" "'"$CAKEY"'" host "'"$PUBKEY"'" "'"$HOST"'".dmz')
 retval=$?
 set -e
 
diff --git a/main.tf b/main.tf
index 4ceedfc..f5bce34 100644
--- a/main.tf
+++ b/main.tf
@@ -35,10 +35,11 @@ data "external" "cert" {
   program = ["bash", "${path.module}/files/get_cert.sh"]
 
   query = {
-    pubkey = trimspace(data.tls_public_key.debian.public_key_openssh)
-    host = var.name
-    cahost = var.ca_host
+    pubkey   = trimspace(data.tls_public_key.debian.public_key_openssh)
+    host     = var.name
+    cahost   = var.ca_host
     cascript = var.ca_script
+    cakey    = var.ca_key
   }
 }
 
@@ -51,9 +52,9 @@ resource "null_resource" "cert" {
     ignore_changes = [
       triggers
     ]
-    
+
     postcondition {
-      condition = data.external.cert.result["cert"] != "" || !var.use_host_cert
+      condition     = data.external.cert.result["cert"] != "" || !var.use_host_cert
       error_message = "Error retrieving host certificate."
     }
   }
diff --git a/variables.tf b/variables.tf
index b5909f7..0e388e8 100644
--- a/variables.tf
+++ b/variables.tf
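Review bot: The new `"'"$CAKEY"'"` operand on the CERT= line is spliced into the remote command inside double quotes, so a ca_key value containing `"`, `$`, a backtick or a backslash is re-interpreted by the CA host's shell instead of being passed literally; the `jq @sh` quoting on the eval line protects only the local eval, not the string ssh sends. The existing $CASCRIPT, $PUBKEY and $HOST operands share this pattern, so the commit does not make it worse, but it adds one more operator-supplied value to the hand-built remote string. Letting printf do the quoting removes the nested-quote construction altogether: `REMOTE_CMD=$(printf '%q %q host %q %q.dmz' "$CASCRIPT" "$CAKEY" "$PUBKEY" "$HOST")` followed by `CERT=$(ssh -o ConnectTimeout=3 -o ConnectionAttempts=1 "root@$CAHOST" "$REMOTE_CMD")`, on the assumption that root's login shell on the CA host is bash, since %q may emit $'…' escapes for non-printable input. The same value is only plumbed through the query map in the main.tf hunk, which needs no change of its own.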
@@ -8,40 +8,46 @@ variable "admin_authorized_keys" {
 }
 
 variable "disk_pool" {
-  type = string
+  type        = string
   description = "Libvirt volume pool for the machine's main disk."
 }
 
 variable "disk_base" {
-  type = string
+  type        = string
   description = "Base image for the machine's operating system."
 }
 
 variable "disk_base_pool" {
-  type = string
+  type        = string
   description = "Libvirt volume pool for the base image of the machine's operating system."
 }
 
 variable "cloudinit_pool" {
-  type = string
+  type        = string
   description = "Libvirt volume pool for the machine's Cloud-init image."
 }
 
 variable "bridge_name" {
-  type = string
+  type        = string
   description = "Host bridge to connect the machine's network interface to."
 }
 
 variable "ca_host" {
-  type = string
+  type        = string
   description = "Host to contact when fetching a SSH host certificate."
 }
 
 variable "ca_script" {
-  type = string
+  type        = string
   description = "Script to call when fetching a SSH host certificate."
 }
 
+variable "ca_key" {
+  type        = string
+  default     = ""
+  description = "File name of the SSH CA key pair."
+}
+
 variable "domain_name" {
   type        = string
   default     = null
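Review bot: `ca_key` is given `default = ""` while the sibling `ca_host` and `ca_script` inputs in the same hunk stay required, and get_cert.sh always forwards `"$CAKEY"` as a positional argument, so a caller that sets use_host_cert = true but leaves ca_key unset invokes the CA script with an empty key name and only sees the generic "Error retrieving host certificate." postcondition from main.tf. If the empty default is a compatibility shim for existing callers, the description should state what the CA script does with an empty name (presumably it falls back to a default key pair, which I cannot confirm from here); otherwise drop the default so Terraform rejects the omission at plan time, as it already does for ca_host and ca_script. Because the value is forwarded into a remote shell command, a validation block on the variable, `condition = can(regex("^[A-Za-z0-9._-]*$", var.ca_key))` with an error_message naming the allowed characters, would also pin it to a plain file name rather than a path or shell text.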
@@ -61,32 +67,32 @@ variable "memory" {
 }
 
 variable "mac" {
-  type = string
-  default = null
+  type        = string
+  default     = null
   description = "MAC address of the machine's network interface."
 }
 
 variable "insecure_password" {
-  type = bool
-  default = false
+  type        = bool
+  default     = false
   description = "Whether to enable insecure password (for testing purposes). Allows logging in via SSH with `root:root` credentials."
 }
 
 variable "use_host_cert" {
-  type = bool
-  default = false
+  type        = bool
+  default     = false
   description = "Whether this machine should receive a SSH host certificate."
 }
 
 variable "data_disk" {
-  type = string
-  default = null
+  type        = string
+  default     = null
   description = "Identifier of the machine's persistent data disk."
 }
 
 variable "fixed_address" {
-  type = string
-  default = ""
+  type        = string
+  default     = ""
   description = "Fixed IPv4 address the machine should have."
 }
 
@@ -96,7 +102,7 @@ variable "ansible_command" {
 }
 
 variable "fixed_dns" {
-  type = string
-  default = ""
+  type        = string
+  default     = ""
   description = "Fixed DNS server the machine should have."
 }