Ssh key support (#12)
* add support to enable uploading public ssh key to IAM users

* make ssh key uploading a toggleable option

* Add details of ssh key management to README
Moncky authored and antonbabenko committed Aug 19, 2018
1 parent 98a23a7 commit 48bd8f9
Showing 4 changed files with 29 additions and 0 deletions.
4 changes: 4 additions & 0 deletions modules/iam-user/README.md
Expand Up @@ -33,6 +33,9 @@ This module outputs commands and PGP messages which can be decrypted either usin
| password_reset_required | Whether the user should be forced to reset the generated password on first login. | string | `true` | no |
| path | Desired path for the IAM user | string | `/` | no |
| pgp_key | Either a base-64 encoded PGP public key, or a keybase username in the form keybase:username. Used to encrypt password and access key. | string | `` | no |
| ssh_key_encoding | Which encoding format the uploaded SSH key is in. `SSH` for ssh-rsa or `PEM` for pem. | string | `SSH` | no |
| ssh_public_key | Public key that is to be attached to this IAM account | string | - | no |
| upload_ssh_key | Whether to upload and manage users public SSH key. | string | `false` | no |

## Outputs

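Review bot: the `ssh_public_key` row lists Required as `no`, but variables.tf in this commit declares `variable "ssh_public_key"` with no default, so callers have to supply it even when `upload_ssh_key` is left at `false`. Either give the variable a default such as `default = ""` or mark the row as required. In the `upload_ssh_key` row, "users public SSH key" should read "user's public SSH key".
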
Expand All @@ -48,6 +51,7 @@ This module outputs commands and PGP messages which can be decrypted either usin
| this_iam_access_key_key_fingerprint | The fingerprint of the PGP key used to encrypt the secret |
| this_iam_access_key_ses_smtp_password | The secret access key converted into an SES SMTP password |
| this_iam_access_key_status | Active or Inactive. Keys are initially active, but can be made inactive by other means. |
| this_iam_ssh_public_key_id | The AWS ID for the public key |
| this_iam_user_arn | The ARN assigned by AWS for this user |
| this_iam_user_login_profile_encrypted_password | The encrypted password, base64 encoded |
| this_iam_user_login_profile_key_fingerprint | The fingerprint of the PGP key used to encrypt the password |
8 changes: 8 additions & 0 deletions modules/iam-user/main.tf
Expand Up @@ -21,3 +21,11 @@ resource "aws_iam_access_key" "this" {
user = "${aws_iam_user.this.name}"
pgp_key = "${var.pgp_key}"
}

resource "aws_iam_user_ssh_key" "this" {
count = "${var.upload_ssh_key}"

username = "${aws_iam_user.this.name}"
encoding = "${var.ssh_key_encoding}"
public_key = "${var.ssh_public_key}"
}
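
Review bot: `count = "${var.upload_ssh_key}"` feeds the toggle straight into `count`, which expects a number, so whether the resource is created depends on how the boolean default in variables.tf is converted. Make the conversion explicit, for example `count = "${var.upload_ssh_key ? 1 : 0}"`, so the on/off intent is readable in the resource itself.
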
4 changes: 4 additions & 0 deletions modules/iam-user/outputs.tf
Expand Up @@ -86,3 +86,7 @@ ${element(concat(aws_iam_access_key.this.*.encrypted_secret, list("")), 0)}
-----END PGP MESSAGE-----
EOF
}

output "this_iam_ssh_public_key_id" {
value = "SSH Key ID: ${element(concat(aws_iam_user_ssh_key.this.*.ssh_public_key_id, list("")), 0)}"
}
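
Review bot: the `value` of `this_iam_ssh_public_key_id` prepends the literal `SSH Key ID: ` to the ID, so the output is not the bare identifier the README row ("The AWS ID for the public key") describes, and when no key is uploaded the `list("")` fallback leaves a label with nothing after it. Return the `element(concat(...), 0)` expression on its own so other configurations can consume the ID directly and the disabled case yields an empty string.
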
13 changes: 13 additions & 0 deletions modules/iam-user/variables.tf
Expand Up @@ -41,3 +41,16 @@ variable "password_length" {
description = "The length of the generated password"
default = 20
}

variable "upload_ssh_key" {
description = "Whether to upload a public ssh key to the IAM user"
default = false
}
variable "ssh_key_encoding" {
description = "Specifies the public key encoding format to use in the response. To retrieve the public key in ssh-rsa format, use SSH. To retrieve the public key in PEM format, use PEM"
default = "SSH"
}

variable "ssh_public_key" {
description = "Public SSH key"
}
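
Review bot: the `ssh_key_encoding` description speaks of the format "to use in the response" and of retrieving the key, while the README row added in this commit says it is the format "the uploaded SSH key is in"; the two describe different things, so pick one meaning and use the same wording in both places. There is also no blank line between the `upload_ssh_key` and `ssh_key_encoding` blocks, unlike the other variable blocks in this hunk.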
