Upload git ssh public key to git user

We want to upload the generated SSH key to the created git user. We use the resource `aws_iam_user_ssh_key` from terraform, implemented in hashicorp/terraform#5744 so this requires an updated version of terraform. We retrieve the generated key as a s3 resource and pass it to terraform as a TF_VAR_ variable. After the key is uploaded, AWS assigns it a unique id which must be used as user for SSH when connecting to the codecommit git repositories. We render and output a full url with that ssh_key_id and the ssh url of the repository, using scp like connect strings.
alphagov · Mar 23, 2016 · 5434142 · 5434142
1 parent b09ef37
commit 5434142
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 0 deletions.
diff --git a/concourse/pipelines/create-deployer.yml b/concourse/pipelines/create-deployer.yml
@@ -66,6 +66,13 @@ resources:
       versioned_file: id_rsa
       region_name: {{aws_region}}
 
+  - name: git-ssh-public-key
+    type: s3-iam
+    source:
+      bucket: {{state_bucket}}
+      versioned_file: git_id_rsa.pub
+      region_name: {{aws_region}}
+
   - name: concourse-cert
     type: s3-iam
     source:
@@ -217,6 +224,7 @@ jobs:
       passed: [vpc]
     - get: concourse-terraform-state
     - get: concourse-cert
+    - get: git-ssh-public-key
 
     - task: vpc-terraform-outputs-to-sh
       config:
@@ -270,6 +278,7 @@ jobs:
         - name: vpc-terraform-outputs
         - name: concourse-terraform-state
         - name: generate-concourse-cert
+        - name: git-ssh-public-key
         params:
           VAGRANT_IP: {{vagrant_ip}}
           TF_VAR_env: {{deploy_env}}
@@ -283,6 +292,7 @@ jobs:
           - |
             cp generate-concourse-cert/concourse.crt generate-concourse-cert/concourse.key .
             . vpc-terraform-outputs/tfvars.sh
+            export TF_VAR_git_rsa_id_pub=$(<git-ssh-public-key/git_id_rsa.pub)
             terraform_params=${VAGRANT_IP:+-var vagrant_cidr=$VAGRANT_IP/32}
             terraform apply ${terraform_params} \
               -var-file=paas-cf/terraform/{{aws_account}}.tfvars \

diff --git a/terraform/concourse/codecommit.tf b/terraform/concourse/codecommit.tf
@@ -30,3 +30,9 @@ resource "aws_iam_user" "git" {
 #    ]
 #    append = true
 #}
+
+resource "aws_iam_user_ssh_key" "git" {
+  username = "${aws_iam_user.git.name}"
+  encoding = "PEM"
+  public_key = "${var.git_rsa_id_pub}"
+}
diff --git a/terraform/concourse/git_ssh_key_id b/terraform/concourse/git_ssh_key_id
@@ -0,0 +1 @@
+Empty file git_ssh_key_id to avoid terraform fail during the first run.
diff --git a/terraform/concourse/outputs.tf b/terraform/concourse/outputs.tf
@@ -17,3 +17,8 @@ output "concourse_elb_name" {
 output "concourse_dns_name" {
   value = "${aws_route53_record.deployer-concourse.fqdn}"
 }
+
+output "git_concourse_pool_clone_full_url_ssh" {
+  # convert the ssh:// url to a scp like connect string and add the git user
+  value = "${aws_iam_user_ssh_key.git.ssh_public_key_id}@${replace(aws_codecommit_repository.concourse-pool.clone_url_ssh, "/^ssh://([^/]+)//", "$1:")}"
+}
diff --git a/terraform/concourse/variables.tf b/terraform/concourse/variables.tf
@@ -5,3 +5,7 @@ variable "system_dns_zone_id" {
 variable "system_dns_zone_name" {
   description = "Amazon Route53 DNS zone name for the provisioned environment."
 }
+
+variable "git_rsa_id_pub" {
+  description = "Public SSH key for the git user"
+}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Empty file git_ssh_key_id to avoid terraform fail during the first run.