support multiple SSH CA key pairs

files/get_cert.sh

@@ -2,11 +2,11 @@
 set -euo pipefail
 IFS=$'\n\t'
 
-eval "$(jq -r '@sh "PUBKEY=\(.pubkey) HOST=\(.host) CAHOST=\(.cahost) CASCRIPT=\(.cascript)"')"
+eval "$(jq -r '@sh "PUBKEY=\(.pubkey) HOST=\(.host) CAHOST=\(.cahost) CASCRIPT=\(.cascript) CAKEY=\(.cakey)"')"
 
 # TODO: Can this be done more eye-pleasingly?
 set +e
-CERT=$(ssh -o ConnectTimeout=3 -o ConnectionAttempts=1 root@$CAHOST '"'"$CASCRIPT"'" host "'"$PUBKEY"'" "'"$HOST"'".dmz')
+CERT=$(ssh -o ConnectTimeout=3 -o ConnectionAttempts=1 root@$CAHOST '"'"$CASCRIPT"'" "'"$CAKEY"'" host "'"$PUBKEY"'" "'"$HOST"'".dmz')
 retval=$?
 set -e
 

main.tf

@@ -35,10 +35,11 @@ data "external" "cert" {
   program = ["bash", "${path.module}/files/get_cert.sh"]
 
   query = {
-    pubkey = trimspace(data.tls_public_key.debian.public_key_openssh)
+    pubkey   = trimspace(data.tls_public_key.debian.public_key_openssh)
-    host   = var.name
+    host     = var.name
-    cahost = var.ca_host
+    cahost   = var.ca_host
     cascript = var.ca_script
+    cakey    = var.ca_key
   }
 }
 
@@ -51,9 +52,9 @@ resource "null_resource" "cert" {
     ignore_changes = [
       triggers
     ]
-    
+
     postcondition {
-      condition = data.external.cert.result["cert"] != "" || !var.use_host_cert
+      condition     = data.external.cert.result["cert"] != "" || !var.use_host_cert
       error_message = "Error retrieving host certificate."
     }
   }

variables.tf

@@ -8,40 +8,46 @@ variable "admin_authorized_keys" {
 }
 
 variable "disk_pool" {
-  type = string
+  type        = string
   description = "Libvirt volume pool for the machine's main disk."
 }
 
 variable "disk_base" {
-  type = string
+  type        = string
   description = "Base image for the machine's operating system."
 }
 
 variable "disk_base_pool" {
-  type = string
+  type        = string
   description = "Libvirt volume pool for the base image of the machine's operating system."
 }
 
 variable "cloudinit_pool" {
-  type = string
+  type        = string
   description = "Libvirt volume pool for the machine's Cloud-init image."
 }
 
 variable "bridge_name" {
-  type = string
+  type        = string
   description = "Host bridge to connect the machine's network interface to."
 }
 
 variable "ca_host" {
-  type = string
+  type        = string
   description = "Host to contact when fetching a SSH host certificate."
 }
 
 variable "ca_script" {
-  type = string
+  type        = string
   description = "Script to call when fetching a SSH host certificate."
 }
 
+variable "ca_key" {
+  type        = string
+  default     = ""
+  description = "File name of the SSH CA key pair."
+}
+
 variable "domain_name" {
   type        = string
   default     = null
@@ -61,32 +67,32 @@ variable "memory" {
 }
 
 variable "mac" {
-  type    = string
+  type        = string
-  default = null
+  default     = null
   description = "MAC address of the machine's network interface."
 }
 
 variable "insecure_password" {
-  type    = bool
+  type        = bool
-  default = false
+  default     = false
   description = "Whether to enable insecure password (for testing purposes). Allows logging in via SSH with `root:root` credentials."
 }
 
 variable "use_host_cert" {
-  type    = bool
+  type        = bool
-  default = false
+  default     = false
   description = "Whether this machine should receive a SSH host certificate."
 }
 
 variable "data_disk" {
-  type    = string
+  type        = string
-  default = null
+  default     = null
   description = "Identifier of the machine's persistent data disk."
 }
 
 variable "fixed_address" {
-  type    = string
+  type        = string
-  default = ""
+  default     = ""
   description = "Fixed IPv4 address the machine should have."
 }
 
@@ -96,7 +102,7 @@ variable "ansible_command" {
 }
 
 variable "fixed_dns" {
-  type    = string
+  type        = string
-  default = ""
+  default     = ""
   description = "Fixed DNS server the machine should have."
 }