ssh_key_file bootstrap problem #74

Open
scottbot95 opened this issue Jan 28, 2023 · 1 comment
@scottbot95
Context

I am attempting to migrate my infrastructure from NixOps to Terraform to be able to use a more mature deployment system. I have been loosely following this tutorial on nix.dev, with the addition of using terranix to generate my terraform config.

Problem

It does not appear to be possible to use `ssh_key_file` with a file generated by Terraform (i.e. `tls_private_key` + `local_sensitive_file`) due to limitations on the `file()` function. In my attempts, I always get the following:

│ Error: Invalid function argument
│
│   on .terraform/modules/deploy_nixos/main.tf line 91, in locals:
│   91:   ssh_private_key      = local.ssh_private_key_file == "-" ? var.ssh_private_key : file(local.ssh_private_key_file)
│     ├────────────────
│     │ while calling file(path)
│     │ local.ssh_private_key_file is "./id_rsa"
│
│ Invalid value for "path" parameter: no file exists at "./id_rsa"; this function works only with files that are distributed as part
│ of the configuration source code, so if this file will be created by a resource in this configuration you must instead obtain this
│ result from an attribute of that resource.

Workarounds

  1. It is somewhat possible to work around this by doing a `terraform apply` without the `deploy_nixos` module to first generate the file, then a second `terraform apply`; however, doing so is not ideal for CI/CD workflows as it would require maintaining multiple Terraform config files.
  2. Alternatively, one could simply use `ssh_key` instead, which does work properly with Terraform's dependency system. However, this also is problematic because it means that the output from `deploy_nixos` gets omitted by default, since it would print the contents of the SSH private key to stdout.

Questions

  1. I seem to be the only one having issues with this; is there a better approach that would allow me to have Terraform manage my SSH key used for deployment? If not, it seems like workaround (1) is probably my best option.
  2. Should I just not even be attempting to manage the SSH key used for deployment with IaC, and use some sort of out-of-band method for distributing SSH keys to my deployer hosts instead?
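An added example (not from the issue, the tutorial, or the module itself) of the two wirings the issue contrasts. It assumes the module's inputs are `ssh_private_key_file` and `ssh_private_key`, as the locals in the error message suggest, and uses a placeholder for the module source:

```hcl
terraform {
  required_providers {
    tls   = { source = "hashicorp/tls" }
    local = { source = "hashicorp/local" }
  }
}

# Deployment key generated and tracked by Terraform (constructed example).
resource "tls_private_key" "deploy" {
  algorithm = "ED25519"
}

# Writing the key to disk does not help file(): that function only reads files
# that exist in the configuration source at plan time, before any resource runs.
resource "local_sensitive_file" "deploy_key" {
  content         = tls_private_key.deploy.private_key_openssh
  filename        = "${path.module}/id_deploy"
  file_permission = "0600"
}

# Wiring that produces the "no file exists at ..." error on a fresh checkout:
# the path is only a string, so Terraform cannot order the module after the
# resource that creates the file.
#
#   module "deploy_nixos" {
#     source               = "PLACEHOLDER_MODULE_SOURCE"
#     ssh_private_key_file = local_sensitive_file.deploy_key.filename
#   }

# Wiring that works in a single apply: the key is taken from a resource
# attribute, so the dependency is explicit and the value is marked sensitive
# in plan output by the tls provider.
module "deploy_nixos" {
  source          = "PLACEHOLDER_MODULE_SOURCE" # placeholder for the module's real source
  ssh_private_key = tls_private_key.deploy.private_key_openssh
  # the module's remaining inputs are omitted here
}
```

Because the key value is sensitive, any module output derived from it is redacted by Terraform, which is the behaviour workaround (2) describes.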
@scottbot95 (Author)

Although I'm also just now realizing that `ssh_key_file` will also just print the contents of the private key to stdout, so it's effectively the same as just using `ssh_key` with unsensitive if the contents of the file are already available within Terraform.

So perhaps my real ask here is to add a mechanism to read the `ssh_key_file` from within `nixos-deploy.sh`.
