Add ed25519 SSH Key support (#14)

* SSH: support ed25519 keys Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de> * SSH: support ed25519 keys Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de> * Set min azurerm version to 4.1 Signed-off-by: Roman Schwarz <rs@cloudeteer.de> * Use ed25519 key in local tests Signed-off-by: Roman Schwarz <rs@cloudeteer.de> * Use `SSH` auth on remote test Signed-off-by: Roman Schwarz <rs@cloudeteer.de> * Remote line break from ssh key Signed-off-by: Roman Schwarz <rs@cloudeteer.de> * Improve variable description Signed-off-by: Roman Schwarz <rs@cloudeteer.de> --------- Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de> Signed-off-by: Roman Schwarz <rs@cloudeteer.de> Co-authored-by: Roman Schwarz <rs@cloudeteer.de>
cloudeteer · Sep 20, 2024 · ebd71a4 · ebd71a4
1 parent c78a6cc
commit ebd71a4
Show file tree

Hide file tree

Showing 7 changed files with 29 additions and 14 deletions.
diff --git a/README.md b/README.md
@@ -112,7 +112,7 @@ The following providers are used by this module:
 
 - <a name="provider_azapi"></a> [azapi](#provider\_azapi) (>= 1.14)
 
-- <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) (>= 3.111)
+- <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) (>= 4.1)
 
 - <a name="provider_random"></a> [random](#provider\_random) (>= 3.0)
 
@@ -239,9 +239,17 @@ Type: `string`
 
 Default: `null`
 
+### <a name="input_admin_ssh_key_algorithm"></a> [admin\_ssh\_key\_algorithm](#input\_admin\_ssh\_key\_algorithm)
+
+Description: Algorithm for the admin SSH key pair, used only if `authentication_type` is `SSH` and no `admin_ssh_public_key` is provided. Valid values: `RSA`, `ED25519`.
+
+Type: `string`
+
+Default: `"ED25519"`
+
 ### <a name="input_admin_ssh_public_key"></a> [admin\_ssh\_public\_key](#input\_admin\_ssh\_public\_key)
 
-Description: Public key to use for SSH authentication. Must be at least 2048-bit and in ssh-rsa format.
+Description: Public key to use for SSH authentication. Must be at least 2048-bit and in ssh-rsa or ssh-ed25519 format.
 
 Type: `string`
 

diff --git a/r-authentication.tf b/r-authentication.tf
@@ -11,7 +11,7 @@ locals {
     null
   )
 
-  admin_ssh_private_key = local.create_ssh_key_pair ? one(tls_private_key.this[*].private_key_openssh) : null
+  admin_ssh_private_key = local.create_ssh_key_pair ? trimspace(one(tls_private_key.this[*].private_key_openssh)) : null
   create_password       = strcontains(var.authentication_type, "Password") && var.admin_password == null
   create_ssh_key_pair   = strcontains(var.authentication_type, "SSH") && var.admin_ssh_public_key == null
 }
@@ -23,8 +23,8 @@ resource "random_password" "this" {
 
 resource "tls_private_key" "this" {
   count     = local.create_ssh_key_pair ? 1 : 0
-  algorithm = "RSA"
-  rsa_bits  = 4096
+  algorithm = var.admin_ssh_key_algorithm
+  rsa_bits  = var.admin_ssh_key_algorithm == "RSA" ? 4096 : null
 }
 
 #trivy:ignore:avd-azu-0017

diff --git a/tests/local/input_authentication.tftest.hcl b/tests/local/input_authentication.tftest.hcl
@@ -148,7 +148,7 @@ run "should_input_admin_ssh_public_key_output_same_value_on_linux" {
   command = plan
 
   variables {
-    admin_ssh_public_key      = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDwVwmmz4jNNg5oQYVjpaer8R86TgyI3Ge+NqdFksjAHFO5ZK/Ds2PQb06jXeH/OS2iNBQEBcGiAob6Vx15mJd0iByGcmsHmFkTJeZND84JQ3oUT7jZwoF6Rofe1bW2N6tVRINJYB1qGFLSu1vx4jd4OuWQRh3tzmWy686WCy4XEaVNqYXPVocvHU7XM27wMPOvsAV+JlRXmfSYKvAqH/wCV7FzPsWq7cu7zGH2nuvFWGwtJt+Q5Nxh6V6C/5j4ZF/5/q9tBzpR39uPPtzGEBc5572G7BX0Rl5RbfvLBRTTI54K7DwujJ5l9E24VThqIRh/WqHTvfHJ85sQudRrS0V/ example"
+    admin_ssh_public_key      = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGPAi7Yj75umWSxD0r73EZhbuIDJzD5bfBwRIJmrm8oj example"
     authentication_type       = "SSH"
     image                     = "Ubuntu2204"
     operating_system          = "Linux"

diff --git a/tests/remote/main.tf b/tests/remote/main.tf
@@ -69,9 +69,10 @@ module "tftest_02" {
   location            = azurerm_resource_group.tftest.location
   resource_group_name = azurerm_resource_group.tftest.name
 
-  backup_policy_id = local.backup_policy_id
-  computer_name    = "tftest"
-  image            = "Ubuntu2204"
-  key_vault_id     = local.key_vault_id
-  subnet_id        = local.subnet_id
+  authentication_type = "SSH"
+  backup_policy_id    = local.backup_policy_id
+  computer_name       = "tftest"
+  image               = "Ubuntu2204"
+  key_vault_id        = local.key_vault_id
+  subnet_id           = local.subnet_id
 }
diff --git a/tests/remote/terraform.tf b/tests/remote/terraform.tf
@@ -9,7 +9,7 @@ terraform {
 
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "~> 3.111"
+      version = "~> 4.1"
     }
 
     random = {

diff --git a/variables.tf b/variables.tf
@@ -54,8 +54,14 @@ variable "admin_password" {
   type        = string
 }
 
+variable "admin_ssh_key_algorithm" {
+  description = "Algorithm for the admin SSH key pair, used only if `authentication_type` is `SSH` and no `admin_ssh_public_key` is provided. Valid values: `RSA`, `ED25519`."
+  default     = "ED25519"
+  type        = string
+}
+
 variable "admin_ssh_public_key" {
-  description = "Public key to use for SSH authentication. Must be at least 2048-bit and in ssh-rsa format."
+  description = "Public key to use for SSH authentication. Must be at least 2048-bit and in ssh-rsa or ssh-ed25519 format."
   default     = null
   type        = string
 }

diff --git a/versions.tf b/versions.tf
@@ -9,7 +9,7 @@ terraform {
 
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = ">= 3.111"
+      version = ">= 4.1"
     }
 
     random = {