From ebd71a40515306c0b941a5592783aa9df7ed1f71 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan-Otto=20Kr=C3=B6pke?= Date: Fri, 20 Sep 2024 09:34:28 +0200 Subject: [PATCH] Add ed25519 SSH Key support (#14) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * SSH: support ed25519 keys Signed-off-by: Jan-Otto Kröpke * SSH: support ed25519 keys Signed-off-by: Jan-Otto Kröpke * Set min azurerm version to 4.1 Signed-off-by: Roman Schwarz * Use ed25519 key in local tests Signed-off-by: Roman Schwarz * Use `SSH` auth on remote test Signed-off-by: Roman Schwarz * Remote line break from ssh key Signed-off-by: Roman Schwarz * Improve variable description Signed-off-by: Roman Schwarz --------- Signed-off-by: Jan-Otto Kröpke Signed-off-by: Roman Schwarz Co-authored-by: Roman Schwarz --- README.md | 12 ++++++++++-- r-authentication.tf | 6 +++--- tests/local/input_authentication.tftest.hcl | 2 +- tests/remote/main.tf | 11 ++++++----- tests/remote/terraform.tf | 2 +- variables.tf | 8 +++++++- versions.tf | 2 +- 7 files changed, 29 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 68acf87..2dd4c4a 100644 --- a/README.md +++ b/README.md @@ -112,7 +112,7 @@ The following providers are used by this module: - [azapi](#provider\_azapi) (>= 1.14) -- [azurerm](#provider\_azurerm) (>= 3.111) +- [azurerm](#provider\_azurerm) (>= 4.1) - [random](#provider\_random) (>= 3.0) 
@@ -239,9 +239,17 @@ Type: `string` Default: `null` +### [admin\_ssh\_key\_algorithm](#input\_admin\_ssh\_key\_algorithm) + +Description: Algorithm for the admin SSH key pair, used only if `authentication_type` is `SSH` and no `admin_ssh_public_key` is provided. Valid values: `RSA`, `ED25519`. + +Type: `string` + +Default: `"ED25519"` + ### [admin\_ssh\_public\_key](#input\_admin\_ssh\_public\_key) -Description: Public key to use for SSH authentication. Must be at least 2048-bit and in ssh-rsa format. +Description: Public key to use for SSH authentication. Must be at least 2048-bit and in ssh-rsa or ssh-ed25519 format. Type: `string` diff --git a/r-authentication.tf b/r-authentication.tf index fe54d8f..24525fe 100644 --- a/r-authentication.tf +++ b/r-authentication.tf @@ -11,7 +11,7 @@ locals { null ) - admin_ssh_private_key = local.create_ssh_key_pair ? one(tls_private_key.this[*].private_key_openssh) : null + admin_ssh_private_key = local.create_ssh_key_pair ? trimspace(one(tls_private_key.this[*].private_key_openssh)) : null create_password = strcontains(var.authentication_type, "Password") && var.admin_password == null create_ssh_key_pair = strcontains(var.authentication_type, "SSH") && var.admin_ssh_public_key == null } @@ -23,8 +23,8 @@ resource "random_password" "this" { resource "tls_private_key" "this" { count = local.create_ssh_key_pair ? 1 : 0 - algorithm = "RSA" - rsa_bits = 4096 + algorithm = var.admin_ssh_key_algorithm + rsa_bits = var.admin_ssh_key_algorithm == "RSA" ? 4096 : null } #trivy:ignore:avd-azu-0017 diff --git a/tests/local/input_authentication.tftest.hcl b/tests/local/input_authentication.tftest.hcl index 9b33502..65ecc7b 100644 --- a/tests/local/input_authentication.tftest.hcl +++ b/tests/local/input_authentication.tftest.hcl 
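Review bot: `trimspace` is added only to the `private_key_openssh` local in the `@@ -11,7` hunk, while the public-key half of the generated pair is assigned in the same `locals` block above the hunk (the `null` / `)` context lines are its tail) and is not visible here; as far as I recall the tls provider's `public_key_openssh` also ends with a newline, so if the trailing newline was the reason for trimming the private key, check whether that local needs the same `trimspace(...)` before the value reaches `admin_ssh_key`. The `locals` block starts outside the hunk. A one-line comment on the trimmed line would record the intent for the next reader, e.g. `# tls_private_key emits a trailing newline; strip it so the stored secret is the bare key blob`.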
@@ -148,7 +148,7 @@ run "should_input_admin_ssh_public_key_output_same_value_on_linux" { command = plan variables { - admin_ssh_public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDwVwmmz4jNNg5oQYVjpaer8R86TgyI3Ge+NqdFksjAHFO5ZK/Ds2PQb06jXeH/OS2iNBQEBcGiAob6Vx15mJd0iByGcmsHmFkTJeZND84JQ3oUT7jZwoF6Rofe1bW2N6tVRINJYB1qGFLSu1vx4jd4OuWQRh3tzmWy686WCy4XEaVNqYXPVocvHU7XM27wMPOvsAV+JlRXmfSYKvAqH/wCV7FzPsWq7cu7zGH2nuvFWGwtJt+Q5Nxh6V6C/5j4ZF/5/q9tBzpR39uPPtzGEBc5572G7BX0Rl5RbfvLBRTTI54K7DwujJ5l9E24VThqIRh/WqHTvfHJ85sQudRrS0V/ example" + admin_ssh_public_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGPAi7Yj75umWSxD0r73EZhbuIDJzD5bfBwRIJmrm8oj example" authentication_type = "SSH" image = "Ubuntu2204" operating_system = "Linux" diff --git a/tests/remote/main.tf b/tests/remote/main.tf index 3ff8c3d..d4452c2 100644 --- a/tests/remote/main.tf +++ b/tests/remote/main.tf @@ -69,9 +69,10 @@ module "tftest_02" { location = azurerm_resource_group.tftest.location resource_group_name = azurerm_resource_group.tftest.name - backup_policy_id = local.backup_policy_id - computer_name = "tftest" - image = "Ubuntu2204" - key_vault_id = local.key_vault_id - subnet_id = local.subnet_id + authentication_type = "SSH" + backup_policy_id = local.backup_policy_id + computer_name = "tftest" + image = "Ubuntu2204" + key_vault_id = local.key_vault_id + subnet_id = local.subnet_id } diff --git a/tests/remote/terraform.tf b/tests/remote/terraform.tf index f58c198..fb9dca1 100644 --- a/tests/remote/terraform.tf +++ b/tests/remote/terraform.tf @@ -9,7 +9,7 @@ terraform { azurerm = { source = "hashicorp/azurerm" - version = "~> 3.111" + version = "~> 4.1" } random = { diff --git a/variables.tf b/variables.tf index dc0241d..111f6b0 100644 --- a/variables.tf +++ b/variables.tf 
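Review bot: Swapping the ssh-rsa sample for an ssh-ed25519 one leaves no local test that feeds an RSA public key through `admin_ssh_public_key`, although variables.tf still advertises ssh-rsa as a supported format; keep the old RSA value (or a fresh 2048-bit one) in a second `run` block so both documented formats stay covered. The `run` block's assertions continue outside the hunk.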
@@ -54,8 +54,14 @@ variable "admin_password" { type = string } +variable "admin_ssh_key_algorithm" { + description = "Algorithm for the admin SSH key pair, used only if `authentication_type` is `SSH` and no `admin_ssh_public_key` is provided. Valid values: `RSA`, `ED25519`." + default = "ED25519" + type = string +} + variable "admin_ssh_public_key" { - description = "Public key to use for SSH authentication. Must be at least 2048-bit and in ssh-rsa format." + description = "Public key to use for SSH authentication. Must be at least 2048-bit and in ssh-rsa or ssh-ed25519 format." default = null type = string } diff --git a/versions.tf b/versions.tf index 1e00fed..3444340 100644 --- a/versions.tf +++ b/versions.tf @@ -9,7 +9,7 @@ terraform { azurerm = { source = "hashicorp/azurerm" - version = ">= 3.111" + version = ">= 4.1" } random = {
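Review bot: `admin_ssh_key_algorithm` lists its valid values only in the description; nothing enforces them, and the value is passed verbatim to `tls_private_key.algorithm` in r-authentication.tf, which also accepts `ECDSA` (with `rsa_bits` then null and no curve set), so a typo or an unsupported algorithm is caught, if at all, only when Azure rejects the generated key at apply time. A `validation` block makes the mismatch fail at plan. Because an explicit `null` bypasses the default, `nullable = false` is also worth adding if the module's `required_version` permits it. Separately, the `admin_ssh_public_key` description now says "at least 2048-bit and in ssh-rsa or ssh-ed25519 format", but the bit-length requirement only applies to RSA; `Must be in ssh-rsa (at least 2048-bit) or ssh-ed25519 format.` states it precisely.
```hcl
variable "admin_ssh_key_algorithm" {
  # … unchanged: description, default, type …

  validation {
    condition     = contains(["RSA", "ED25519"], var.admin_ssh_key_algorithm)
    error_message = "admin_ssh_key_algorithm must be \"RSA\" or \"ED25519\"."
  }
}
```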