ED25519 EC2 Key Pair is not in valid OpenSSH public key format

[blobcode]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Affected Resource(s)

• aws_key_pair

Terraform Configuration Files

resource "tls_private_key" "state_ssh_key" {
    algorithm = "ED25519"
}


resource "aws_key_pair" "generated_key" {
    key_name   = "generated-key-${sha256(tls_private_key.state_ssh_key.public_key_openssh)}"
    public_key = tls_private_key.state_ssh_key.public_key_openssh
}

Debug Output

debug output

Expected Behavior

A ED25519 EC2 keypair should have been created.

Actual Behavior

Errored out.

Steps to Reproduce

1. terraform apply

Important Factoids

This seems to work with algorithm = "RSA"

[mcfedr]

I was able to work around with trim like so

resource "aws_key_pair" "key" {
  key_name   = "key"
  public_key = trimspace(tls_private_key.bastion.public_key_openssh)
}

[akornatskyy]

I was able to work around with trim like so

resource "aws_key_pair" "key" {
  key_name   = "key"
  public_key = trimspace(tls_private_key.bastion.public_key_openssh)
}

yes, it works with trimspace.

[justinretzolk]

Hey @blobcode 👋 It looks like this is ultimately a result of the TLS provider adding a newline at the end of the public_key_openssh attribute of tls_private_key resource when using ED25519, rather than an issue with the AWS Provider. If you feel the behavior that the TLS provider is doing there isn't what you'd expect, I'd recommend opening an issue in the TLS provider repository.

That said, in addition to the trimspace() recommendation above, I've tested using chomp(), which worked successfully.

Given that there's a couple of workarounds here, and the note above regarding the TLS provider, we'll close this issue for now. If you feel we've done this in error, please do let us know!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.